
Summary
This analytic rule detects attempts to exploit CVE-2023-35078, an authentication bypass in Ivanti Endpoint Manager Mobile (EPMM, formerly MobileIron Core). The flaw affected EPMM 11.4, 11.8, 11.9 and 11.10 before the patched releases, as well as older, unsupported versions. It allows an unauthenticated remote caller to reach certain API endpoints, exposing user data and allowing unauthorized modifications. The detection analyzes web server logs for HTTP requests to the API endpoint "/mifs/aad/api/v2/authorized/users?*" that returned status code 200. A 200 response means the server served the request rather than rejecting it, so such events are treated as likely successful exploitation attempts rather than blocked probes. Monitoring this traffic lets organizations respond quickly and limit the risk of data theft and follow-on compromise. Setup requires a network security product (such as Suricata) whose HTTP logs can be mapped to the Web data model. False positives are possible: if the status code filter is dropped, any request to the endpoint, including failed or legitimate authenticated ones, will fire the rule, and even with the filter a 200 response alone does not prove the caller was unauthenticated, because the web log does not record authentication state. Security operations teams should therefore review the source address, user agent and request volume, and confirm whether the appliance is on a patched release, before treating a hit as confirmed exploitation.
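The detection logic described above, run over constructed sample log lines, as an added example that is not part of the original page or of the vendor's rule. It assumes access logs in the common "combined" format (source address, timestamp, request line, status, bytes, referer, user agent); the log lines, the query string `foo=bar`, the IP addresses and the user agents are all constructed for illustration. The example also goes slightly beyond the rule's literal string match by normalizing dot segments in the request path, which is an added hardening step, not something the rule itself does.

```python
import posixpath
import re
from urllib.parse import urlsplit

# "Combined" access-log format (assumed layout for the constructed sample).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The vulnerable endpoint named by the detection. The rule matches
# "/mifs/aad/api/v2/authorized/users?*", i.e. this path with any query string.
TARGET_PATH = "/mifs/aad/api/v2/authorized/users"

# Constructed sample: two successful hits from one source, one rejected probe,
# one unrelated request, one hit that hides the path behind a "./" segment,
# and one line that does not parse at all.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Jul/2023:10:01:02 +0000] "GET /mifs/aad/api/v2/authorized/users?foo=bar HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
203.0.113.10 - - [24/Jul/2023:10:01:03 +0000] "GET /mifs/aad/api/v2/authorized/users?foo=bar HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
198.51.100.7 - - [24/Jul/2023:10:05:44 +0000] "GET /mifs/aad/api/v2/authorized/users?foo=bar HTTP/1.1" 401 0 "-" "curl/8.1.2"
192.0.2.55 - - [24/Jul/2023:10:07:10 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
192.0.2.56 - - [24/Jul/2023:10:08:00 +0000] "GET /mifs/aad/api/v2/./authorized/users?foo=bar HTTP/1.1" 200 5120 "-" "curl/8.1.2"
garbage line that does not parse
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_target(url):
    """True if the request path is the vulnerable endpoint, ignoring the query
    string. Dot segments are collapsed first (added hardening, beyond the rule)."""
    path = posixpath.normpath(urlsplit(url).path)
    return path == TARGET_PATH


def detect(lines, require_success=True):
    """Return one alert record per matching request.

    require_success=True reproduces the rule's status-code filter (Web.status=200).
    require_success=False shows the extra noise the page warns about when the
    status filter is dropped: rejected probes also fire.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_target(rec["url"]):
            continue
        if require_success and rec["status"] != 200:
            continue
        alerts.append({k: rec[k] for k in ("src", "time", "method", "url", "status", "ua")})
    return alerts


def summarize(alerts):
    """Group alerts by source address with count, first/last seen and user agents,
    the same shape an analyst would want from a 'by src' aggregation."""
    out = {}
    for a in alerts:
        s = out.setdefault(a["src"], {"count": 0, "first": a["time"], "last": a["time"], "uas": set()})
        s["count"] += 1
        s["last"] = a["time"]
        s["uas"].add(a["ua"])
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, s in summarize(detect(lines)).items():
        print(f"{src}: {s['count']} hit(s) {s['first']} .. {s['last']} ua={sorted(s['uas'])}")
    print("without status filter:", len(detect(lines, require_success=False)), "event(s)")
```

Running the block on the sample yields three alerts with the status filter (two from 203.0.113.10, one from 192.0.2.56) and four without it, because the 401 probe from 198.51.100.7 is then included; the unrelated login page request never matches.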
Categories
- Network
- Cloud
- Web
Data Sources
- Web Credential
- Network Traffic
ATT&CK Techniques
- T1190
- T1133
Created: 2024-11-15