
Upload Web Archive (WAR) File to SysAid

Anvilogic Forge

Summary
This detection rule identifies attempts to exploit CVE-2023-47246, a path traversal vulnerability in SysAid on-premises software, by monitoring for uploads of malicious web archive (WAR) files. SysAid runs on Tomcat, and a WAR file written into the server's web application directory is deployed as a web application, which gives threat actors, including groups such as FIN11 and Volt Typhoon, a way to deliver payloads such as web shells to the server. The detection logic captures HTTP POST requests to the SysAid file upload endpoint on the Tomcat server and flags those that return HTTP status 200 for a filename carrying a '.war' extension. Matches are aggregated (for example by source address) so that security teams can review suspicious uploads systematically, and the rule enriches each source with a DNS lookup and geolocation to help trace the origin of the requests. When implementing the check, decode the URL before testing the extension and compare it case-insensitively, since attackers routinely percent-encode traversal sequences and vary case to evade simple string matches.
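The following is an added example, not Anvilogic's rule logic or SysAid's code, that replays the detection described above over a few constructed Tomcat access-log lines: it keeps POST requests to an upload endpoint that returned 200 and name a '.war' file, aggregates them per source address, and exposes a hook for DNS or geolocation enrichment. The log format, the endpoint path fragments in UPLOAD_PATHS, the accountId parameter and every log line are assumptions made for illustration; the page does not name the real endpoint.

```python
"""Added example: WAR-upload detection over constructed Tomcat access-log lines.
Endpoint paths, parameter names and sample lines are assumptions for illustration."""
import re
import socket
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed "combined"-style access log layout: src - - [ts] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Hypothetical upload endpoint fragments; a production rule would use SysAid's real path.
UPLOAD_PATHS = ("/userentry", "/upload")

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Nov/2023:10:15:01 +0000] "GET /userentry HTTP/1.1" 200 512',
    '203.0.113.7 - - [08/Nov/2023:10:15:02 +0000] "POST /userentry?accountId=../../../webapps/usersfiles/shell.war HTTP/1.1" 200 0',
    '203.0.113.7 - - [08/Nov/2023:10:15:05 +0000] "POST /userentry?accountId=..%2F..%2Fwebapps%2Fshell.war HTTP/1.1" 200 0',
    '198.51.100.9 - - [08/Nov/2023:10:16:00 +0000] "POST /userentry?accountId=../../x.war HTTP/1.1" 500 0',
    '203.0.113.7 - - [08/Nov/2023:10:16:10 +0000] "POST /upload/report.pdf HTTP/1.1" 200 0',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    return ev


def war_targets(uri):
    """Return every decoded path or query value that names a .war file (case-insensitive).

    Decoding before the extension test defeats %2F / mixed-case evasion of naive matches."""
    parts = urlsplit(uri)
    candidates = [unquote(parts.path)]
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        candidates.extend(values)  # parse_qs already percent-decodes values
    return [c for c in candidates if c.lower().endswith(".war")]


def is_war_upload(ev):
    """The rule's core predicate: POST to an upload endpoint, 200 response, .war filename."""
    if ev["method"] != "POST" or ev["status"] != 200:
        return False
    path = unquote(urlsplit(ev["uri"]).path).lower()
    if not any(p in path for p in UPLOAD_PATHS):
        return False
    return bool(war_targets(ev["uri"]))


def reverse_dns(src):
    """Example enrichment hook (needs network); returns the PTR name or None."""
    try:
        return {"rdns": socket.gethostbyaddr(src)[0]}
    except OSError:
        return {"rdns": None}


def detect(lines, enrich=None):
    """Aggregate matching uploads per source address; optionally enrich each source.

    'traversal' is set when a matched filename carries '..', the indicator
    specific to this CVE's path-traversal write."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                "targets": [], "traversal": False})
    for line in lines:
        ev = parse_line(line)
        if not ev or not is_war_upload(ev):
            continue
        h = hits[ev["src"]]
        h["count"] += 1
        h["first"] = h["first"] or ev["ts"]
        h["last"] = ev["ts"]
        for target in war_targets(ev["uri"]):
            h["targets"].append(target)
            if ".." in target:
                h["traversal"] = True
    if enrich is not None:
        for src, h in hits.items():
            h.update(enrich(src))
    return dict(hits)


if __name__ == "__main__":
    # Offline run: no enrichment hook. Pass enrich=reverse_dns to resolve sources.
    for src, hit in detect(SAMPLE_LOG).items():
        print(src, hit)
```

Only 203.0.113.7 survives: the GET is ignored, the request that returned 500 never succeeded, and the PDF upload carries no WAR. A geolocation hook would plug into the same `enrich` parameter, returning a dict from a local database such as a MaxMind file, which is why the hook is left pluggable here rather than hard-coded.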
Categories
  • Web
  • Application
Data Sources
  • Web Credential
  • Network Traffic
ATT&CK Techniques
  • T1105
  • T1570
Created: 2024-02-09