
Summary
This rule detects potential initial access activity in which an adversary uploads a malicious web shell or script to a web server through a file upload mechanism, such as a web form using `multipart/form-data`, and then accesses the uploaded file with a subsequent GET or POST request. It inspects HTTP request bodies for indicators of a file upload, namely the strings 'Content-Disposition: form-data' and 'filename='. Attackers frequently use this pattern to gain and maintain access to compromised web servers. The rule follows a sequence detection approach, correlating endpoint file events with network traffic so that an upload is only alerted on once the file appears on the host and is then requested. It is intended for environments using Elastic infrastructure and requires specific configuration to capture the network traffic (including request bodies) needed for this monitoring.
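To make the correlation concrete, here is a small added example (not the rule's own query, and not Elastic code) that runs the same three-step sequence over constructed events: a POST whose body carries the two upload markers, an endpoint file event whose basename matches the uploaded filename, and a later GET or POST requesting that file on the same host within a time window. The event classes, field names, hostnames, addresses and sample bodies are all constructed for illustration.

```python
"""Sequence detection: multipart upload, file written on the server, then the
uploaded file is requested.  Added example, not the rule's own query; all event
field names and sample events are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Indicators named in the rule summary, looked for in the HTTP request body.
UPLOAD_MARKERS = ("Content-Disposition: form-data", "filename=")
FILENAME_RE = re.compile(r'filename="?([^";\r\n]+)"?', re.IGNORECASE)


@dataclass
class NetEvent:
    ts: datetime
    host: str          # web server the request hit
    src_ip: str
    method: str
    path: str          # URL path, may carry a query string
    body: str = ""     # captured request body (requires body capture enabled)


@dataclass
class FileEvent:
    ts: datetime
    host: str
    path: str          # file path on disk


def basename(p: str) -> str:
    """Last path component, tolerant of either slash style."""
    return p.replace("\\", "/").rsplit("/", 1)[-1]


def is_multipart_upload(ev: NetEvent) -> bool:
    """Step 1: a POST whose body carries both upload markers."""
    return ev.method == "POST" and all(m in ev.body for m in UPLOAD_MARKERS)


def uploaded_filenames(body: str) -> List[str]:
    """Filenames declared in the multipart body, reduced to their basenames."""
    return [basename(m.group(1)) for m in FILENAME_RE.finditer(body)]


def detect(net: Iterable[NetEvent], files: Iterable[FileEvent],
           window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Return one alert per (upload, file write, access) sequence."""
    files = list(files)
    uploads = []  # (upload event, filename) seen so far, oldest first
    alerts = []
    for ev in sorted(net, key=lambda e: e.ts):
        if is_multipart_upload(ev):
            uploads.extend((ev, name) for name in uploaded_filenames(ev.body))
            continue
        if ev.method not in ("GET", "POST"):
            continue
        # Step 3 candidate: the requested resource, without query string.
        requested = basename(ev.path.split("?", 1)[0])
        for up, name in uploads:
            in_window = up.ts <= ev.ts <= up.ts + window
            if not (in_window and up.host == ev.host and name == requested):
                continue
            # Step 2, endpoint corroboration: the file must have appeared on
            # disk between the upload and the access.
            written = [f for f in files
                       if f.host == ev.host and basename(f.path) == name
                       and up.ts <= f.ts <= ev.ts]
            if written:
                alerts.append({"host": ev.host, "filename": name,
                               "uploaded_by": up.src_ip, "upload_path": up.path,
                               "file_path": written[0].path,
                               "accessed_by": ev.src_ip, "access_path": ev.path})
    return alerts


def run_demo() -> List[Dict]:
    """Run the detector over constructed events; returns the alerts."""
    t0 = datetime(2025, 1, 1, 12, 0, 0)
    upload_body = (
        '------b\r\nContent-Disposition: form-data; name="file"; '
        'filename="img.php"\r\nContent-Type: application/octet-stream\r\n\r\n'
        '<constructed file bytes>\r\n------b--\r\n')
    benign_body = upload_body.replace("img.php", "photo.jpg")
    net = [
        NetEvent(t0, "web01", "203.0.113.7", "POST", "/upload", upload_body),
        NetEvent(t0 + timedelta(seconds=5), "web01", "198.51.100.9", "POST", "/upload", benign_body),
        NetEvent(t0 + timedelta(seconds=40), "web01", "203.0.113.7", "GET", "/uploads/img.php?x=1"),
        NetEvent(t0 + timedelta(seconds=50), "web01", "198.51.100.9", "GET", "/gallery"),
        # Same upload and access on another host but no endpoint file event: no alert.
        NetEvent(t0, "web02", "203.0.113.7", "POST", "/upload", upload_body),
        NetEvent(t0 + timedelta(seconds=30), "web02", "203.0.113.7", "GET", "/uploads/img.php"),
    ]
    files = [
        FileEvent(t0 + timedelta(seconds=1), "web01", "/var/www/html/uploads/img.php"),
        FileEvent(t0 + timedelta(seconds=6), "web01", "/var/www/html/uploads/photo.jpg"),
    ]
    return detect(net, files)


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The endpoint corroboration step is what keeps the detector from firing on every multipart upload followed by a browse of the same filename (photo.jpg above is uploaded and never requested; the web02 sequence lacks a file event and is ignored). In a real deployment the window, the path matching and the host join would be tuned to how the web application stores uploads.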
Categories
- Web
- Network
- Endpoint
Data Sources
- File
- Network Traffic
- Container
ATT&CK Techniques
- T1190
- T1505
- T1505.003
Created: 2025-11-27