
Summary
This analytic targets exploitation attempts against Citrix ADC (now NetScaler ADC and Gateway) tied to CVE-2023-3519, an unauthenticated remote code execution vulnerability attributed to a buffer overflow in the appliance's SAML processing: malformed SAML input corrupts memory and can be driven to code execution. The rule uses the Splunk Web data model to find POST requests whose URL matches a fixed set of SAML-related authentication and logout endpoints, and summarizes the matches by source, destination, URL, URL length, HTTP status and user agent so an analyst can see which clients are hitting those paths and how. Because exploitation requires no credentials and yields code execution on the appliance itself, matches from unexpected sources, with scripted user agents, abnormal URL lengths or server error statuses should be triaged immediately. Legitimate SAML logins and logouts also POST to these endpoints, so treat hits as hunting leads rather than confirmed exploitation, and allowlist the identity providers and client ranges you expect to see. The search only returns results where the Web data model is populated by a supported Technology Add-On that ingests HTTP access logs covering the Citrix appliance (from the appliance itself or a proxy or load balancer in front of it). Citrix shipped fixes in NetScaler ADC and Gateway 13.1-49.13 and 13.0-91.13; earlier builds remain vulnerable and should be patched regardless of what this search returns.
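The search logic described above, as an added Python example that is not Splunk's own SPL or part of this rule: it parses constructed access-log lines, keeps only POST requests whose URL matches Splunk-style wildcard patterns for SAML endpoints, and aggregates them the way the Web data model search does (count, first and last time, grouped by source, destination, URL, status and user agent). The endpoint pattern list, the log line format and the sample traffic are all assumptions made for this example; the real rule's `Web.url IN (...)` list is authoritative. One detail worth noting: Splunk treats only `*` as a wildcard, so the `?` in a pattern like `*/cgi/samlart?samlart=*` is literal and must not be handed to `fnmatch`, which would read it as a single-character wildcard.

```python
"""Stand-alone approximation of the CVE-2023-3519 Web data model hunt.

Added example, not the published Splunk search. The Splunk rule does the
equivalent of:
  tstats count min(_time) max(_time) from datamodel=Web
  where Web.url IN (<patterns>) Web.http_method=POST
  by Web.src Web.dest Web.url Web.url_length Web.status Web.http_user_agent
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed endpoint patterns (Splunk-style wildcards) representative of the
# SAML authentication and logout paths the rule watches; check the rule's
# own IN() list before relying on these.
SAML_URL_PATTERNS = [
    "*/saml/login*",
    "*/cgi/samlauth*",
    "*/saml/activelogin*",
    "*/cgi/samlart?samlart=*",
    "*/cgi/logout*",
    "*/gwtest/formssso?event=start&target=*",
    "*/netscaler/ns_gui/vpn/*",
]


def splunk_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Only '*' is a wildcard in Splunk; '?' and '&' are literal characters."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


URL_MATCHERS = [splunk_wildcard_to_regex(p) for p in SAML_URL_PATTERNS]


def is_saml_endpoint(url: str) -> bool:
    return any(m.match(url) for m in URL_MATCHERS)


# Assumed access-log format: src dest [timestamp] "METHOD url HTTP/x" status bytes "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<dest>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec.pop("ts"), TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def hunt(lines):
    """Mimic the tstats aggregation: POSTs to SAML endpoints, grouped and counted."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not is_saml_endpoint(rec["url"]):
            continue
        key = (rec["src"], rec["dest"], rec["method"], rec["url"], rec["status"], rec["ua"])
        g = groups[key]
        g["count"] += 1
        t = rec["time"]
        g["firstTime"] = t if g["firstTime"] is None or t < g["firstTime"] else g["firstTime"]
        g["lastTime"] = t if g["lastTime"] is None or t > g["lastTime"] else g["lastTime"]
    rows = []
    for (src, dest, method, url, status, ua), g in groups.items():
        rows.append({
            "src": src, "dest": dest, "http_method": method, "url": url,
            "url_length": len(url), "status": status, "http_user_agent": ua,
            "count": g["count"],
            "firstTime": g["firstTime"].isoformat(),
            "lastTime": g["lastTime"].isoformat(),
        })
    # Busiest (src, url) pairs first, which is how an analyst would sort the hunt.
    return sorted(rows, key=lambda r: (-r["count"], r["src"], r["url"]))


# Constructed sample traffic: one legitimate browser login, one scripted client
# hammering SAML endpoints, plus noise the search must ignore (GET, non-SAML path).
SAMPLE_LOG = [
    '198.51.100.7 10.0.0.5 [20/Jul/2023:09:14:02 +0000] "GET /saml/login HTTP/1.1" 200 5120 "Mozilla/5.0"',
    '198.51.100.7 10.0.0.5 [20/Jul/2023:09:14:05 +0000] "POST /cgi/samlauth HTTP/1.1" 302 0 "Mozilla/5.0"',
    '203.0.113.10 10.0.0.5 [20/Jul/2023:09:20:11 +0000] "POST /saml/login HTTP/1.1" 200 0 "python-requests/2.31"',
    '203.0.113.10 10.0.0.5 [20/Jul/2023:09:20:13 +0000] "POST /saml/login HTTP/1.1" 200 0 "python-requests/2.31"',
    '203.0.113.10 10.0.0.5 [20/Jul/2023:09:20:19 +0000] "POST /cgi/samlart?samlart=AAEAAB HTTP/1.1" 500 0 "python-requests/2.31"',
    '203.0.113.10 10.0.0.5 [20/Jul/2023:09:21:00 +0000] "POST /index.html HTTP/1.1" 404 0 "python-requests/2.31"',
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_LOG):
        print(row)
```

Running it prints three summary rows: the scripted client's two POSTs to `/saml/login`, its single POST to the artifact endpoint that drew a 500, and the browser's one legitimate `samlauth` POST. The GET and the `/index.html` POST are dropped, exactly as the `Web.http_method=POST` and `Web.url IN (...)` clauses would drop them. The `url_length`, `status` and `http_user_agent` columns are the fields an analyst uses to separate the scripted client from normal logins when tuning an allowlist.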
Categories
- Cloud
- Network
- Web
- Application
Data Sources
- Pod
ATT&CK Techniques
- T1190
Created: 2024-11-15