
Ivanti Connect Secure System Information Access via Auth Bypass

Splunk Security Content

Summary
This detection rule identifies exploitation attempts against CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure. It targets unauthorized access to system information by detecting GET requests to the URI '/api/v1/totp/user-backup-code/../../system/system-information'. The request leverages an authentication bypass technique to exploit these vulnerabilities and gain unauthorized access to sensitive system information. The rule uses the Web data model to look for HTTP responses with status code 200, which indicate successful exploitation. Recognizing this activity is important because attackers can use the obtained information to further compromise the system. The rule requires integration with the Web data model and appropriate Technology Add-Ons compatible with Suricata or similar technologies.
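As an added example, not part of the Splunk rule or its source, the rule's condition applied in Python to constructed Suricata EVE-style http events (field names assumed from Suricata's EVE output): the URI is percent-decoded and its dot segments collapsed, so a request is only flagged when it starts in the TOTP path and resolves to the system-information endpoint, with HTTP 200 separating a success from an attempt. Decoding percent-encoded dot segments goes slightly beyond the literal URI string in the summary.

```python
import json
import posixpath
from urllib.parse import unquote

# Endpoint abused for the bypass and the endpoint the traversal reaches,
# both as named in the rule summary above.
BYPASS_PREFIX = "/api/v1/totp/user-backup-code/"
TARGET_PATH = "/api/v1/system/system-information"

# Constructed Suricata EVE-style http records; not real traffic.
SAMPLE_EVENTS = [
    '{"event_type":"http","src_ip":"198.51.100.7","http":{"http_method":"GET",'
    '"url":"/api/v1/totp/user-backup-code/../../system/system-information","status":200}}',
    '{"event_type":"http","src_ip":"198.51.100.8","http":{"http_method":"GET",'
    '"url":"/api/v1/totp/user-backup-code/%2e%2e/%2e%2e/system/system-information","status":403}}',
    '{"event_type":"http","src_ip":"203.0.113.4","http":{"http_method":"GET",'
    '"url":"/api/v1/system/system-information","status":200}}',
    '{"event_type":"dns","src_ip":"203.0.113.9"}',
]

def resolve_path(url):
    """Drop the query string, percent-decode, collapse dot segments."""
    return posixpath.normpath(unquote(url.split("?", 1)[0]))

def classify(event):
    """'success' = traversal reached the target with HTTP 200 (the rule's
    condition); 'attempt' = same request, other status; None = no match."""
    if event.get("event_type") != "http":
        return None
    http = event.get("http", {})
    url = http.get("url", "")
    if http.get("http_method") != "GET" or not url.startswith(BYPASS_PREFIX):
        return None
    # Require a real walk out of the TOTP path that lands on the target.
    if ".." not in unquote(url) or resolve_path(url) != TARGET_PATH:
        return None
    return "success" if http.get("status") == 200 else "attempt"

def scan(lines):
    """Run the classifier over raw EVE JSON lines; returns (src_ip, verdict)."""
    hits = []
    for line in lines:
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            hits.append((event.get("src_ip", "?"), verdict))
    return hits
```

Only the 200 response counts as the rule's match; the 403 case is kept as an "attempt" so the same pass can surface blocked probes for triage.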
Categories
  • Network
  • Endpoint
  • Web
Data Sources
  • Web Credential
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1190
Created: 2024-11-15