JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198

Splunk Security Content

Summary
This analytic provides detection for the CVE-2024-27198 vulnerability impacting JetBrains TeamCity on-premises servers. The rule is designed to identify attempts to exploit this vulnerability, which enables attackers to bypass authentication mechanisms. It utilizes Suricata logs to track HTTP POST requests made to sensitive endpoints such as `/app/rest/users` and `/app/rest/users/id:1/tokens`. Detection is based on monitoring traffic within the specified URIs and methods, specifically looking for POST requests with a 200 HTTP status code that match these endpoints. Successful exploitation can grant unauthorized administrative access to the TeamCity server, posing a significant risk to the integrity and security of development resources and environments. The detection rule is implemented in a production environment and is expected to yield minimal false positives, because it searches only for the URI paths and HTTP method tied directly to the authentication bypass flaw described in CVE-2024-27198.
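The logic the summary describes, applied to Suricata EVE JSON as an added example (this is not the Splunk Security Content rule itself, which is written in SPL). It assumes Suricata's eve.json `http` event layout (`event_type`, `src_ip`, `dest_ip`, and an `http` object carrying `url`, `http_method` and `status`), treats a watched endpoint as matched when the path contains it (an assumption about how the real rule's URI pattern behaves), and runs over a handful of constructed log lines rather than captured traffic.

```python
import json
from typing import Iterable, Iterator, List, Optional

# URI paths named in the detection summary; listed longest-first so the more
# specific token endpoint is reported when both would match.
WATCHED_ENDPOINTS = ("/app/rest/users/id:1/tokens", "/app/rest/users")

# Constructed Suricata eve.json lines (not captured traffic). Field names follow
# Suricata's EVE schema; hosts and addresses are placeholders.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-11-15T10:00:01.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","http":{"hostname":"teamcity.example.internal","url":"/app/rest/users","http_method":"GET","status":200}}',
    '{"timestamp":"2024-11-15T10:00:02.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","http":{"hostname":"teamcity.example.internal","url":"/app/rest/users","http_method":"POST","status":200}}',
    '{"timestamp":"2024-11-15T10:00:03.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","http":{"hostname":"teamcity.example.internal","url":"/app/rest/users/id:1/tokens","http_method":"POST","status":200}}',
    '{"timestamp":"2024-11-15T10:00:04.000000+0000","event_type":"http","src_ip":"10.0.0.7","dest_ip":"10.0.0.20","http":{"hostname":"teamcity.example.internal","url":"/app/rest/users","http_method":"POST","status":401}}',
    '{"timestamp":"2024-11-15T10:00:05.000000+0000","event_type":"http","src_ip":"10.0.0.7","dest_ip":"10.0.0.20","http":{"hostname":"teamcity.example.internal","url":"/login.html","http_method":"POST","status":200}}',
    '{"timestamp":"2024-11-15T10:00:06.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.20","alert":{"signature":"placeholder"}}',
    "this line is not JSON and must be skipped",
]


def parse_eve(lines: Iterable[str]) -> Iterator[dict]:
    """Yield decoded EVE events, skipping blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def matched_endpoint(url: str) -> Optional[str]:
    """Return the watched endpoint contained in the URL path, or None."""
    path = url.split("?", 1)[0]  # ignore any query string
    for endpoint in WATCHED_ENDPOINTS:
        if endpoint in path:
            return endpoint
    return None


def is_suspicious(event: dict) -> bool:
    """Apply the rule: HTTP event, POST method, 200 status, watched URI."""
    if event.get("event_type") != "http":
        return False
    http = event.get("http") or {}
    return (
        str(http.get("http_method", "")).upper() == "POST"
        and http.get("status") == 200
        and matched_endpoint(str(http.get("url", ""))) is not None
    )


def detect(lines: Iterable[str]) -> List[dict]:
    """Return one finding per matching event with the fields an analyst needs."""
    findings = []
    for event in parse_eve(lines):
        if is_suspicious(event):
            http = event["http"]
            findings.append({
                "timestamp": event.get("timestamp"),
                "src_ip": event.get("src_ip"),
                "dest_ip": event.get("dest_ip"),
                "url": http["url"],
                "endpoint": matched_endpoint(http["url"]),
                "status": http["status"],
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVE_LINES):
        print(f"{f['timestamp']} {f['src_ip']} -> {f['dest_ip']} "
              f"POST {f['url']} ({f['status']}) matches {f['endpoint']}")
```

Of the constructed lines, only the two POSTs that returned 200 against watched paths are reported; the GET, the 401, the unrelated login POST, the non-HTTP alert and the malformed line are all ignored, which is why the rule is expected to produce few false positives.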
Categories
  • Web
  • Cloud
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1190
Created: 2024-11-15