diff --git a/web/multiple_suspicious_response_codes_single_source.yml b/web/multiple_suspicious_response_codes_single_source.yml new file mode 100644 index 000000000..deff3b3ac --- /dev/null +++ b/web/multiple_suspicious_response_codes_single_source.yml @@ -0,0 +1,15 @@ +title: Multiple suspicious Response Codes caused by Single Client +description: Detects possible exploitation activity or bugs in a web application +detection: + selection: + - log: web + response: + - 400 + - 401 + - 403 + - 500 + condition: selection | count() by clientip > 10 +falsepositives: + - Unstable application + - Application that misuses the response codes +level: 60
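Review bot: The aggregation `condition: selection | count() by clientip > 10` has no `timeframe`, so the count is unbounded and any client that accumulates more than ten 400/401/403/500 responses over the whole retention window will match, which will fire on almost every long-lived client; add a window such as `timeframe: 10m` next to the condition so the rule expresses a burst. Two further points in the same hunk: `level: 60` is not a valid Sigma severity (the schema accepts `low`, `medium`, `high`, `critical`), so `level: medium` or `level: high` is needed for the rule to validate; and `- log: web` is placed inside `detection.selection` as a list item, where it would be matched as a field on each event, whereas the source should be declared in a top-level `logsource:` block (e.g. `category: webserver`) so backends can map the `clientip` and `response` fields. The rule also lacks the usual `id`, `status`, `author` and `date` metadata that the other rules in the repository carry.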