
Summary
This detection rule identifies attempts to exploit a local file upload vulnerability in the Tomcat Manager application that allows attackers to upload malicious Java Archive (JAR) files. The rule uses a Splunk query over web data from the Tomcat Manager upload endpoint. It captures POST requests to that endpoint that return HTTP status 200 for the upload of any `.war` file, which indicates that the upload succeeded. The output includes the timestamp, host, user, source IP, request method, and a DNS resolution of the source IP, giving analysts context on the potentially malicious activity. The rule maps to known MITRE ATT&CK techniques, specifically command-and-control tool transfers and lateral movement through tool transfers, so that organizations can track and mitigate the risk associated with this vulnerability.
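The following is an added example, not the rule's own Splunk query, that reproduces the detection logic the summary describes in Python and runs it over a handful of constructed web events. It assumes the Tomcat HTML manager upload endpoint is `/manager/html/upload`, that the web data source exposes the uploaded file name in a `file_name` field (Splunk's Web data model field names `src`, `http_method`, `status`, `url` and `user` are used for the rest), and it replaces the live DNS lookup with a constructed reverse-DNS table so it runs offline.

```python
"""Python rendering of the Tomcat Manager .war upload detection (added example).

Matches the summary's logic: POST to the manager upload endpoint, status 200,
and a .war file name. Emits the same fields the rule outputs, with the DNS
resolution of the source IP taken from a constructed lookup table.
"""
import re
from typing import Dict, Iterable, List

# Assumption: the Tomcat HTML manager's upload form posts to this path.
MANAGER_UPLOAD_PATH = "/manager/html/upload"

# Matches ".war" only as a file extension (so "inventory.warehouse.zip" is not hit).
WAR_EXTENSION = re.compile(r"\.war\b", re.IGNORECASE)

# Constructed reverse-DNS table standing in for the rule's live DNS lookup.
REVERSE_DNS: Dict[str, str] = {
    "10.0.0.5": "jenkins.corp.example",
}

# Constructed sample web events; every host, IP, user and timestamp is made up.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Successful .war upload from an internal CI host: should be flagged.
    {"_time": "2024-02-09T10:00:01Z", "host": "web01", "user": "tomcat",
     "src": "10.0.0.5", "http_method": "POST", "status": 200,
     "url": "/manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC",
     "file_name": "shell.war"},
    # Upload rejected by the server (403): not a successful upload, not flagged.
    {"_time": "2024-02-09T10:01:12Z", "host": "web01", "user": "-",
     "src": "198.51.100.9", "http_method": "POST", "status": 403,
     "url": "/manager/html/upload", "file_name": "cmd.war"},
    # Plain browse of the manager page: wrong method and endpoint, not flagged.
    {"_time": "2024-02-09T10:02:30Z", "host": "web01", "user": "admin",
     "src": "10.0.0.5", "http_method": "GET", "status": 200,
     "url": "/manager/html", "file_name": ""},
    # Successful POST to the endpoint, but the file is not a .war: not flagged.
    {"_time": "2024-02-09T10:03:45Z", "host": "web01", "user": "admin",
     "src": "10.0.0.5", "http_method": "POST", "status": 200,
     "url": "/manager/html/upload", "file_name": "inventory.warehouse.zip"},
    # Successful upload with an upper-case extension from an unknown IP: flagged.
    {"_time": "2024-02-09T10:05:00Z", "host": "web02", "user": "tomcat",
     "src": "198.51.100.9", "http_method": "POST", "status": "200",
     "url": "/manager/html/upload", "file_name": "Updater.WAR"},
]


def is_war_upload(event: Dict[str, object]) -> bool:
    """True when the event is a successful POST of a .war file to the manager upload endpoint."""
    if str(event.get("http_method", "")).upper() != "POST":
        return False
    try:
        status = int(str(event.get("status", 0)))
    except ValueError:
        return False
    if status != 200:
        return False
    url = str(event.get("url", ""))
    path = url.split("?", 1)[0].lower()
    if not path.startswith(MANAGER_UPLOAD_PATH):
        return False
    # Look for the .war extension in the file name or anywhere in the URL.
    haystack = f"{event.get('file_name', '')} {url}"
    return WAR_EXTENSION.search(haystack) is not None


def detect(events: Iterable[Dict[str, object]]) -> List[Dict[str, str]]:
    """Return the rule's output fields for every matching event."""
    hits: List[Dict[str, str]] = []
    for event in events:
        if not is_war_upload(event):
            continue
        src = str(event.get("src", ""))
        hits.append({
            "_time": str(event.get("_time", "")),
            "host": str(event.get("host", "")),
            "user": str(event.get("user", "-")),
            "src": src,
            "http_method": str(event.get("http_method", "")),
            "src_hostname": REVERSE_DNS.get(src, "unresolved"),
            "file_name": str(event.get("file_name", "")),
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The constructed events cover the cases an analyst would want to see handled: a denied upload (non-200 status), a plain GET of the manager page, and a file whose name merely contains the letters `war`, none of which fire, while a successful upload fires regardless of the extension's case and whether the source IP resolves.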
Categories
- Web
Data Sources
- Web Credential
- Network Traffic
ATT&CK Techniques
- T1105
- T1570
Created: 2024-02-09