
Summary
This rule detects attempts to exploit the Spring4Shell vulnerability (CVE-2022-22965), which can give an attacker remote code execution through a web shell deployed on a vulnerable system. It monitors web traffic for HTTP GET requests whose URL contains indicators of known web shell payloads, such as "tomcatwar.jsp", "poc.jsp" and "shell.jsp". A match should be investigated: it indicates that an intruder is probing for, or already interacting with, a web shell on the host, which can lead to unauthorized access and privilege escalation. The detection uses the Nginx Access data source, queried through the Web datamodel. The analytic also includes drilldown searches for detailed investigation of risk events tied to the specific destination involved in the request.
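The following is an added example, not the rule's own search logic or any code from the Splunk project, showing the same detection idea run over Nginx access-log lines: each line is mapped onto the Web datamodel fields the rule depends on (destination, source, HTTP method, URL), a GET whose URL contains one of the three web shell file names is flagged, and matches are counted per destination and source as a drilldown would group them. The log format, host name `web01` and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Nginx "combined" log format (assumption: the monitored hosts use the default format).
NGINX_COMBINED = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

# Web shell file names named in the rule description.
PAYLOAD_NAMES = ("tomcatwar.jsp", "poc.jsp", "shell.jsp")


@dataclass
class WebEvent:
    """Fields the Web datamodel would expose for one access-log line."""
    dest: str
    src: str
    http_method: str
    url: str
    status: int
    user_agent: str


def parse_nginx_line(line: str, dest: str) -> Optional[WebEvent]:
    """Map one access-log line from host `dest` onto Web datamodel fields; None if unparseable."""
    m = NGINX_COMBINED.match(line)
    if not m:
        return None
    return WebEvent(dest, m["src"], m["method"], m["url"], int(m["status"]), m["ua"])


def is_payload_url_request(ev: WebEvent) -> bool:
    """Rule logic: a GET whose URL contains one of the web shell names.

    Substring matching on the full URL (query string included) mirrors a wildcard
    match, and the comparison is case-insensitive so "/Shell.JSP" is not missed.
    The response status is deliberately ignored: a 404 for poc.jsp is still a probe
    worth seeing, because it shows someone is looking for a dropped shell.
    """
    url = ev.url.lower()
    return ev.http_method == "GET" and any(name in url for name in PAYLOAD_NAMES)


def detect(log_text: str, dest: str) -> List[WebEvent]:
    """Run the rule over raw access-log text from host `dest`; return the matching events."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_nginx_line(line, dest)
        if ev is not None and is_payload_url_request(ev):
            hits.append(ev)
    return hits


def risk_by_dest_src(hits: List[WebEvent]) -> Dict[Tuple[str, str], int]:
    """Count matches per (dest, src), the grouping a drilldown on one destination would use."""
    return dict(Counter((h.dest, h.src) for h in hits))


# Constructed sample log lines (not real traffic); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Mar/2022:14:02:11 +0000] "GET /tomcatwar.jsp?pwd=j&cmd=id HTTP/1.1" 200 156 "-" "curl/7.81.0"
203.0.113.7 - - [31/Mar/2022:14:02:15 +0000] "GET /Shell.jsp?cmd=whoami HTTP/1.1" 200 98 "-" "curl/7.81.0"
198.51.100.22 - - [31/Mar/2022:14:03:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.22 - - [31/Mar/2022:14:03:05 +0000] "POST /api/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [31/Mar/2022:14:04:40 +0000] "GET /poc.jsp HTTP/1.1" 404 153 "-" "python-requests/2.27"
this line is not an access-log entry
"""

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG, dest="web01")
    for ev in hits:
        print(f"{ev.dest} <- {ev.src} {ev.http_method} {ev.url} {ev.status} ({ev.user_agent})")
    print(risk_by_dest_src(hits))
```

Two things to note when tuning: the match is on the requested URL, so the rule fires when a shell is requested or probed for, not on the request that plants it; and the short names "poc.jsp" and "shell.jsp" can collide with legitimately named files, so a match on a host that never serves JSP content is far stronger than one on a development server.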
Categories
- Web
Data Sources
- Nginx Access
ATT&CK Techniques
- T1505.003
- T1505
- T1190
- T1133
Created: 2024-11-15