
ScreenConnect Authentication Bypass Exploitation - WAF

Anvilogic Forge

Summary
The rule detects potential exploitation of an authentication bypass vulnerability (CVE-2024-1709) in ConnectWise ScreenConnect, a widely used remote desktop tool. The vulnerability affects versions prior to 23.9.8 and allows an unauthenticated adversary to reach the SetupWizard.aspx interface on an already-configured server and use it to create an administrative account. Detection is based on WAF or access-log telemetry: the logic looks for HTTP GET and POST requests whose path contains SetupWizard.aspx and whose submitted parameters include __VIEWSTATE, the ASP.NET form-state field, whose presence indicates that a form was actually submitted to the setup wizard rather than the page merely being fetched. The Splunk logic filters the relevant access logs and aggregates by host, source and destination, so that repeated or multi-step activity against the endpoint from one source stands out. Fields surfaced in the alert include the time of access, host details, source and destination IPs, the HTTP method and any submitted form data. Note that on a production instance that completed initial setup, SetupWizard.aspx should receive no traffic at all, so requests to it that lack __VIEWSTATE are still worth reviewing even though this rule does not alert on them.
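The following is an added worked example, not the Forge rule itself, that reimplements the detection logic described above in Python over a handful of constructed WAF records so it can be run offline. The JSON field names (time, host, src_ip, dest_ip, method, uri_path, query, form_data) and the ScreenConnect form field name userNameBox are assumptions for illustration, not values taken from the rule or from the product.

```python
import json
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample WAF records (JSON lines); not real telemetry. The form
# field names (userNameBox, passwordBox) are assumed for illustration only.
SAMPLE_WAF_LOGS = """\
{"time":"2024-02-21T03:14:07Z","host":"sc.corp.example","src_ip":"203.0.113.7","dest_ip":"10.0.5.20","method":"GET","uri_path":"/SetupWizard.aspx/","query":"","form_data":""}
{"time":"2024-02-21T03:14:09Z","host":"sc.corp.example","src_ip":"203.0.113.7","dest_ip":"10.0.5.20","method":"POST","uri_path":"/SetupWizard.aspx/","query":"","form_data":"__VIEWSTATE=dDwtNTMw%2B&__EVENTVALIDATION=abc&userNameBox=helpdesk&passwordBox=Passw0rd%21"}
{"time":"2024-02-21T03:14:31Z","host":"sc.corp.example","src_ip":"203.0.113.7","dest_ip":"10.0.5.20","method":"POST","uri_path":"/setupwizard.aspx/x","query":"","form_data":"__VIEWSTATE=dDwtNTMw%2B&userNameBox=svc_backup&passwordBox=Hunter2"}
{"time":"2024-02-21T08:02:51Z","host":"sc.corp.example","src_ip":"198.51.100.44","dest_ip":"10.0.5.20","method":"POST","uri_path":"/Login.aspx","query":"","form_data":"__VIEWSTATE=dDwtNTMw%2B&userNameBox=alice&passwordBox=redacted"}
{"time":"2024-02-21T09:40:02Z","host":"sc.corp.example","src_ip":"192.0.2.9","dest_ip":"10.0.5.20","method":"GET","uri_path":"/SetupWizard.aspx","query":"","form_data":""}
"""

# Case-insensitive substring match, equivalent to a wildcard filter on the
# path; this also covers a trailing path segment after SetupWizard.aspx.
SETUP_WIZARD = re.compile(r"/SetupWizard\.aspx", re.IGNORECASE)
USERNAME_FIELD = "userNameBox"  # assumed field name


def parse_records(log_text):
    """Parse JSON-lines WAF output into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def form_params(rec):
    """Decode the form body and query string into (name, value) pairs."""
    raw = "&".join(p for p in (rec.get("form_data", ""), rec.get("query", "")) if p)
    return parse_qsl(raw, keep_blank_values=True)


def is_setup_wizard_hit(rec):
    """Apply the rule: GET/POST to SetupWizard.aspx carrying __VIEWSTATE."""
    if rec.get("method", "").upper() not in ("GET", "POST"):
        return False
    if not SETUP_WIZARD.search(rec.get("uri_path", "")):
        return False
    return any(name == "__VIEWSTATE" for name, _ in form_params(rec))


def detect_setup_wizard_abuse(log_text):
    """Filter matching records and aggregate them by (host, src_ip, dest_ip),
    mirroring the stats-style aggregation a SIEM query would perform."""
    groups = defaultdict(lambda: {"times": [], "methods": set(), "paths": set(), "users": set()})
    for rec in parse_records(log_text):
        if not is_setup_wizard_hit(rec):
            continue
        g = groups[(rec["host"], rec["src_ip"], rec["dest_ip"])]
        g["times"].append(rec["time"])
        g["methods"].add(rec["method"].upper())
        g["paths"].add(rec["uri_path"])
        # Surface the account name an attacker tried to create, if present.
        g["users"].update(v for n, v in form_params(rec) if n == USERNAME_FIELD)

    findings = []
    for (host, src, dst), g in groups.items():
        findings.append({
            "host": host,
            "src_ip": src,
            "dest_ip": dst,
            "count": len(g["times"]),
            "first_seen": min(g["times"]),  # ISO-8601 UTC strings sort lexically
            "last_seen": max(g["times"]),
            "methods": sorted(g["methods"]),
            "paths": sorted(g["paths"]),
            "submitted_users": sorted(g["users"]),
        })
    return sorted(findings, key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for finding in detect_setup_wizard_abuse(SAMPLE_WAF_LOGS):
        print(json.dumps(finding, indent=2))
```

Run against the sample, the only finding is the source 203.0.113.7 with two POSTs to the wizard and the two submitted usernames; the legitimate Login.aspx POST (which also carries __VIEWSTATE) and the bare GET probes to SetupWizard.aspx are not alerted on. That last point is the caveat worth keeping in mind when tuning: a scanner or the first stage of the bypass only fetches the page, so a lower-severity companion search on any request to SetupWizard.aspx on an instance that completed setup is a useful complement.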
Categories
  • Web
  • Application
Data Sources
  • Web Credential
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1190
Created: 2024-02-26