title: Multiple suspicious Response Codes caused by Single Client
description: Detects possible exploitation activity or bugs in a web application
detection:
    selection:
        - log: web
          response:
              - 400
              - 401
              - 403
              - 500
    condition: selection | count() by clientip > 10
falsepositives:
    - Unstable application
    - Application that misuses the response codes
level: 60