CVE-2022-31656 Bypass Authentication

Anvilogic Forge

Summary
This detection rule identifies attempts to exploit a critical authentication bypass vulnerability (CVE-2022-31656) in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. The vulnerability allows local domain users with network access to the user interface to gain unauthorized administrative access without proper authentication. The detection logic is a Snowflake-format query that searches web application firewall (WAF) logs for API calls to specific authentication endpoints of the VMware applications. Specifically, it looks for URI paths containing the patterns that indicate a callback for embedded authentication. This gives security teams insight into potential exploitation attempts and improves their ability to respond to unauthorized access in their VMware environments.
Categories
  • Web
  • Cloud
  • Application
Data Sources
  • Web Credential
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1556
Created: 2024-02-09