
AWS WAF Managed Known Bad Inputs Passthrough Rule

Panther Rules

Summary
Technical summary: This rule surfaces matches from the AWS WAF Managed Known Bad Inputs rule group. It is a passthrough/alerting rule rather than an outright block: it captures both terminating (BLOCK) and non-terminating (COUNT) matches so that analysts can assess exposure and retain forensic context. The rule group's indicators cover known attack patterns such as Log4Shell (CVE-2021-44228), Java deserialization RCE, localhost header abuse, PROPFIND method usage, and exploitable paths.

The rule supports correlation with additional telemetry (threat intel feeds, related endpoints) and, when the overall outcome is ALLOW, follow-up verification in subsequent logs of whether an exploitation attempt succeeded. The included tests demonstrate detections across multiple scenarios: terminatingRule blocks for known bad inputs, non-terminating COUNT matches for visibility, and false positives when the rule group differs or the traffic is normal.

Runbook steps guide analysts to scan WAF logs around the alert window, cross-check client IPs against threat intel, and validate whether exploitation occurred by reviewing downstream logs. The rule aligns with initial access and command/script execution techniques, helping detect reconnaissance and exploitation attempts targeting web-facing infrastructure.
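To make the passthrough behaviour concrete, here is an added illustration in the style of a Panther Python rule; it is not Panther's own rule code. It assumes the AWS WAF log schema (`action`, `ruleGroupList[].ruleGroupId`, `terminatingRule`, `nonTerminatingMatchingRules`, `httpRequest`), assumes the rule group is logged with a `ruleGroupId` containing `AWSManagedRulesKnownBadInputsRuleSet`, and uses constructed sample records.

```python
"""Added illustration, not Panther's own rule code: a Panther-style Python
rule that flags AWS WAF log records in which the AWS Managed Known Bad Inputs
group produced a terminating (BLOCK) or non-terminating (COUNT) match.
Field names follow the AWS WAF log schema; the records below are constructed."""

# Substring of ruleGroupId as WAF logs it (assumption: "AWS#<rule-set-name>")
KNOWN_BAD_INPUTS = "AWSManagedRulesKnownBadInputsRuleSet"

def _matches(event: dict) -> list:
    """Return every rule match attributed to the Known Bad Inputs group."""
    hits = []
    for group in event.get("ruleGroupList") or []:
        if KNOWN_BAD_INPUTS not in (group.get("ruleGroupId") or ""):
            continue  # a match from another managed group is not this rule's concern
        term = group.get("terminatingRule")
        if term:
            hits.append({"ruleId": term.get("ruleId"), "action": term.get("action")})
        for non_term in group.get("nonTerminatingMatchingRules") or []:
            hits.append({"ruleId": non_term.get("ruleId"), "action": non_term.get("action")})
    return hits

def rule(event: dict) -> bool:
    """Passthrough: alert on BLOCK and COUNT matches alike; never alters the WAF action."""
    return any(h["action"] in ("BLOCK", "COUNT") for h in _matches(event))

def severity(event: dict) -> str:
    """A COUNT-only match under an overall ALLOW means the request reached the origin."""
    return "HIGH" if event.get("action") == "ALLOW" else "MEDIUM"

def title(event: dict) -> str:
    req = event.get("httpRequest") or {}
    rule_ids = ",".join(str(h["ruleId"]) for h in _matches(event))
    return f"WAF Known Bad Inputs match [{rule_ids}] from {req.get('clientIp')} on {req.get('uri')}"

# Constructed sample records (client IPs from documentation ranges)
BLOCKED = {"action": "BLOCK", "httpRequest": {"clientIp": "203.0.113.7", "uri": "/api/login"},
           "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesKnownBadInputsRuleSet",
                              "terminatingRule": {"ruleId": "Log4JRCE", "action": "BLOCK"},
                              "nonTerminatingMatchingRules": []}]}
COUNTED = {"action": "ALLOW", "httpRequest": {"clientIp": "198.51.100.9", "uri": "/dav/"},
           "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesKnownBadInputsRuleSet",
                              "terminatingRule": None,
                              "nonTerminatingMatchingRules": [{"ruleId": "PROPFIND_METHOD", "action": "COUNT"}]}]}
OTHER_GROUP = {"action": "BLOCK", "httpRequest": {"clientIp": "192.0.2.4", "uri": "/"},
               "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                                  "terminatingRule": {"ruleId": "SizeRestrictions_BODY", "action": "BLOCK"},
                                  "nonTerminatingMatchingRules": []}]}
```

Run `rule(COUNTED)` to see the visibility case the summary describes: a COUNT match under an ALLOW outcome alerts and is escalated, because that request reached the origin and warrants a downstream-log check.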
Categories
  • Cloud
  • Web
  • Network
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1190
  • T1059
Created: 2026-03-31