GCP Cloud Armor RCE Attempt Detected

Panther Rules

Summary
This detection rule identifies attempted Remote Code Execution (RCE) attacks against web applications hosted behind Google Cloud Platform (GCP) Cloud Armor. Specifically, it flags HTTP requests that trigger known vulnerability signatures associated with the React2Shell exploitation technique. The rule monitors GCP HTTP Load Balancer logs for the signatures 'google-mrs-v202512-id000001-rce' and 'google-mrs-v202512-id000002-rce', which indicate genuine exploitation attempts against applications built on React.js components. Its goal is to support a proactive security posture by alerting security teams to potentially malicious activity in real time, since successful exploitation of these vulnerabilities can have severe impact. Alerts fire at High severity so that security personnel can promptly investigate any suspicious activity the rule detects.
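As an added illustration of the logic described above (not Panther's own rule code), the following Python rule, written in Panther's rule()/title()/severity() shape, matches the two signature IDs against constructed GCP HTTP Load Balancer log entries; the field paths jsonPayload.enforcedSecurityPolicy.preconfiguredExprIds and .outcome are assumptions about the log schema, and the deep_get helper stands in for Panther's own.

```python
from typing import Any

# Cloud Armor preconfigured-WAF signature IDs named in the rule summary.
RCE_SIGNATURES = {"google-mrs-v202512-id000001-rce", "google-mrs-v202512-id000002-rce"}

def deep_get(event: dict, *keys: str, default: Any = None) -> Any:
    """Walk nested dict keys, returning default if any step is missing."""
    cur: Any = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def matched_signatures(event: dict) -> set:
    """RCE signature IDs present on the log entry's enforced Cloud Armor policy.
    The field path below is an assumption about the GCP HTTP LB log schema."""
    ids = deep_get(event, "jsonPayload", "enforcedSecurityPolicy",
                   "preconfiguredExprIds", default=[]) or []
    return RCE_SIGNATURES.intersection(ids)

def rule(event: dict) -> bool:
    """Panther rule entry point: alert when any listed RCE signature fired."""
    return bool(matched_signatures(event))

def severity(event: dict) -> str:
    """Fixed High severity, as stated in the rule summary."""
    return "HIGH"

def title(event: dict) -> str:
    """Alert title with source IP, target URL, signatures and the policy outcome (assumed field)."""
    sigs = ", ".join(sorted(matched_signatures(event)))
    src = deep_get(event, "httpRequest", "remoteIp", default="<unknown>")
    url = deep_get(event, "httpRequest", "requestUrl", default="<unknown>")
    outcome = deep_get(event, "jsonPayload", "enforcedSecurityPolicy",
                       "outcome", default="UNKNOWN")
    return f"Cloud Armor RCE attempt from {src} to {url} [{sigs}] outcome={outcome}"

# Constructed sample log entries (not real traffic); IPs are documentation ranges.
SAMPLE_RCE_EVENT = {
    "httpRequest": {"remoteIp": "203.0.113.10", "requestUrl": "https://app.example.com/"},
    "jsonPayload": {"enforcedSecurityPolicy": {
        "name": "edge-policy", "outcome": "DENY",
        "preconfiguredExprIds": ["google-mrs-v202512-id000001-rce"]}},
}
SAMPLE_BENIGN_EVENT = {
    "httpRequest": {"remoteIp": "198.51.100.7", "requestUrl": "https://app.example.com/"},
    "jsonPayload": {"enforcedSecurityPolicy": {"name": "edge-policy", "outcome": "ACCEPT"}},
}
```

Carrying the policy outcome in the title lets responders see at once whether Cloud Armor already denied the request or only logged it.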
Categories
  • Web
  • Cloud
  • Infrastructure
Data Sources
  • Group
  • Network Traffic
  • Logon Session
Created: 2025-12-18