Potential Probing for CVE-2023-3519

Anvilogic Forge

Summary
This detection rule identifies potential probing attempts related to CVE-2023-3519, a critical unauthenticated remote code execution (RCE) vulnerability affecting specific versions of NetScaler ADC and NetScaler Gateway. The rule uses Splunk to monitor web application firewall logs for multiple HTTP GET or POST requests to a URI path containing '/gwtest/formssso' within a one-minute window. Such request patterns may indicate an attacker's attempt to determine whether the targeted device is susceptible to this CVE. The search filters the matching events and aggregates them by source IP to highlight unusual spikes in request counts from a single source, which could signify reconnaissance activity. Applying an event-statistics threshold of more than four requests per minute is intended to minimize false positives while focusing on potentially malicious interactions with the vulnerable endpoint.
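The aggregation the summary describes, as an added example that is not Anvilogic's rule or its Splunk SPL: a Python re-implementation that parses WAF log lines, keeps only GET/POST requests whose URI contains '/gwtest/formssso', groups them by source IP into fixed one-minute bins, and reports any bin with more than four requests. The log format, the sample lines and the fixed-bin approximation of the rule's one-minute window are assumptions made for this example.

```python
# Added example, not Anvilogic's Splunk rule: the same detection logic
# (GET/POST to a URI containing /gwtest/formssso, grouped by source IP into
# fixed one-minute bins, alert when the count exceeds four) in Python,
# run over constructed WAF log lines.
import re
from collections import defaultdict
from datetime import datetime, timezone

TARGET_PATH = "/gwtest/formssso"   # endpoint named in the rule
THRESHOLD = 4                      # rule fires on more than four requests
WINDOW_SECONDS = 60                # one-minute bins

# Constructed sample lines in an assumed simple WAF format (not a real product's):
# <ISO-8601 UTC timestamp> <src_ip> "<METHOD> <uri> HTTP/1.1" <status>
SAMPLE_LOGS = [
    # 203.0.113.10: five hits on the endpoint inside the 10:15 minute -> alert
    '2024-02-09T10:15:02Z 203.0.113.10 "GET /gwtest/formssso?event=start HTTP/1.1" 200',
    '2024-02-09T10:15:07Z 203.0.113.10 "POST /gwtest/formssso HTTP/1.1" 200',
    '2024-02-09T10:15:11Z 203.0.113.10 "GET /gwtest/formssso HTTP/1.1" 404',
    '2024-02-09T10:15:30Z 203.0.113.10 "GET /gwtest/formssso?x=1 HTTP/1.1" 200',
    '2024-02-09T10:15:58Z 203.0.113.10 "POST /gwtest/formssso HTTP/1.1" 500',
    # 198.51.100.7: three hits in the same minute -> below threshold
    '2024-02-09T10:15:20Z 198.51.100.7 "GET /gwtest/formssso HTTP/1.1" 200',
    '2024-02-09T10:15:40Z 198.51.100.7 "GET /gwtest/formssso HTTP/1.1" 200',
    '2024-02-09T10:15:50Z 198.51.100.7 "POST /gwtest/formssso HTTP/1.1" 200',
    # 203.0.113.10 again, next minute: two counted hits plus a HEAD (not counted)
    '2024-02-09T10:16:05Z 203.0.113.10 "POST /gwtest/formssso HTTP/1.1" 200',
    '2024-02-09T10:16:15Z 203.0.113.10 "GET /gwtest/formssso HTTP/1.1" 200',
    '2024-02-09T10:16:20Z 203.0.113.10 "HEAD /gwtest/formssso HTTP/1.1" 200',
    # unrelated traffic and a malformed line, both ignored
    '2024-02-09T10:15:33Z 192.0.2.5 "GET /vpn/index.html HTTP/1.1" 200',
    'this line is not parseable',
]

LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) '
    r'(?P<src>\S+) "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)


def parse_line(line):
    """Return epoch seconds, source IP, method and URI for one line; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"epoch": int(ts.timestamp()), "src": m["src"],
            "method": m["method"], "uri": m["uri"]}


def find_probing(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Count GET/POST requests to the target path per (source IP, one-minute bin)
    and return every bin whose count exceeds the threshold."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] not in ("GET", "POST"):
            continue
        if TARGET_PATH not in ev["uri"]:
            continue
        bucket = ev["epoch"] - ev["epoch"] % window   # floor to start of the bin
        counts[(ev["src"], bucket)] += 1

    alerts = []
    for (src, bucket), n in sorted(counts.items()):
        if n > threshold:
            start = datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat()
            alerts.append({"src_ip": src, "window_start": start, "count": n})
    return alerts


if __name__ == "__main__":
    for a in find_probing(SAMPLE_LOGS):
        print(f"ALERT {a['src_ip']} sent {a['count']} requests to {TARGET_PATH} "
              f"in the minute starting {a['window_start']}")
```

Run against the constructed lines, only 203.0.113.10's 10:15 bin (five requests) is reported; the three-request source and the two-request bin stay under the threshold, and the HEAD request is excluded because the rule only counts GET and POST. Lowering `threshold` in the call shows how the alert volume changes, which is the trade-off the summary's "more than four requests per minute" setting is tuning.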
Categories
  • Web
  • Network
  • Cloud
Data Sources
  • Web Credential
ATT&CK Techniques
  • T1190
Created: 2024-02-09