
SharePoint CVE-2019-0604

Anvilogic Forge

Summary
This detection rule identifies potential exploitation attempts against the SharePoint vulnerability CVE-2019-0604, which can lead to remote code execution (RCE). It relies on web application firewall (WAF) logs and looks for patterns associated with exploitation of SharePoint's web controls. The key indicators are POST requests targeting specific SharePoint pages, notably those associated with item picker dialogs. The rule uses regex and field extraction to pick out traffic whose content exhibits a specific format, namely a break point indicator. Aggregating the matches over a defined time interval highlights suspected malicious activity and supports further investigation. A DNS lookup enriches the results by correlating client IP addresses with hostnames, which can give insight into the origin of the requests. Overall, the rule serves as a proactive measure to monitor and respond to potential exploitation attempts in SharePoint environments.
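As an added illustration, not the Anvilogic rule itself, the following Python sketch applies the same logic to a few constructed WAF log lines: keep POST requests to the item-picker page, require the body marker, bucket the hits per client IP and time window, and enrich each bucket with a hostname. The log layout, the page name Picker.aspx, the marker __BREAK__ and the reverse-DNS table are all assumptions standing in for whatever the production rule extracts.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed WAF log lines for illustration; the field layout
# (timestamp, client IP, method, path, request-body excerpt) is an assumption.
WAF_LOGS = [
    "2025-02-20T10:00:01Z 203.0.113.5 POST /_layouts/15/Picker.aspx body=<payload omitted>__BREAK__",
    "2025-02-20T10:00:04Z 203.0.113.5 POST /_layouts/15/Picker.aspx body=<payload omitted>__BREAK__",
    "2025-02-20T10:00:09Z 198.51.100.7 GET /_layouts/15/Picker.aspx body=",
    "2025-02-20T10:01:30Z 198.51.100.7 POST /_layouts/15/start.aspx body=normal form data",
    "2025-02-20T10:02:00Z 203.0.113.5 POST /_layouts/15/picker.aspx body=<payload omitted>__BREAK__",
]

# Assumed patterns: the item-picker dialog page and the body marker are
# placeholders for what the production rule's regex/field extraction matches.
PICKER_PAGE = re.compile(r"/picker\.aspx", re.IGNORECASE)
BODY_MARKER = re.compile(r"__BREAK__")  # stands in for the rule's "break point indicator"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body=(?P<body>.*)$")

# Constructed reverse-DNS table standing in for the rule's DNS lookup enrichment.
REVERSE_DNS = {"203.0.113.5": "scanner.example.net"}


def parse_line(line):
    """Split one WAF log line into fields; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(ev):
    """POST to the item-picker page whose request body carries the marker."""
    return (ev["method"] == "POST"
            and PICKER_PAGE.search(ev["path"]) is not None
            and BODY_MARKER.search(ev["body"]) is not None)


def aggregate(lines, bucket_minutes=5):
    """Count suspicious requests per (client IP, time bucket) and add a hostname."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and is_suspicious(ev):
            ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            bucket = ts.replace(minute=ts.minute - ts.minute % bucket_minutes, second=0)
            counts[(ev["ip"], bucket)] += 1
    return [{"ip": ip, "host": REVERSE_DNS.get(ip, "unresolved"),
             "bucket": b.isoformat(), "count": n} for (ip, b), n in sorted(counts.items())]


if __name__ == "__main__":
    for row in aggregate(WAF_LOGS):
        print(row)
```

The GET to the picker page and the POST to an unrelated page are dropped; the three marker-bearing POSTs from one client collapse into a single enriched row.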
Categories
  • Web
  • Application
Data Sources
  • Web Credential
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1203
Created: 2025-02-20