
Summary
The rule detects potential exploitation attempts of the ProxyToken vulnerability (CVE-2021-33766) in Microsoft Exchange Server, which allows an unauthenticated attacker to perform unauthorized configuration actions on the mailboxes of arbitrary users. It focuses on incoming web requests that carry indicators of a ProxyToken compromise, primarily by examining web application firewall (WAF) logs for specific patterns.
The detection logic runs in Splunk and uses functions such as `get_web_data` and `get_web_data_waf` to filter web requests for the keyword "SecurityToken" in combination with related terms such as "msexchecpcanary" or references to "ecp". Matching results are compiled into a table that includes fields such as timestamp, host, user, source IP, HTTP method, URI, and other pertinent details. The results are then binned into 1-second intervals and enriched with geo-location data derived from the source IP, which can reveal the geographical distribution of the requests.
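As an added example (not the rule's own SPL), the following Python re-creates the filter described above over constructed WAF records: "SecurityToken" must co-occur with "msexchecpcanary" or an "ecp" reference, and matches are binned to 1-second intervals per source IP. The field names and sample values are assumptions; the geo-location enrichment is left out.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample WAF records (not real traffic). The field names are
# assumptions standing in for the Splunk fields the rule tabulates.
SAMPLE_WAF_LOGS = [
    {"ts": "2024-02-09T10:15:01.120Z", "host": "exch01", "src_ip": "203.0.113.10",
     "method": "POST", "uri": "/ecp/default.flt",
     "cookie": "SecurityToken=PLACEHOLDER; msexchecpcanary=PLACEHOLDER", "status": 200},
    {"ts": "2024-02-09T10:15:01.480Z", "host": "exch01", "src_ip": "203.0.113.10",
     "method": "GET", "uri": "/ecp/RulesEditor/InboxRules.svc/NewObject",
     "cookie": "SecurityToken=PLACEHOLDER", "status": 200},
    {"ts": "2024-02-09T10:15:03.000Z", "host": "exch01", "src_ip": "198.51.100.7",
     "method": "GET", "uri": "/owa/auth/logon.aspx", "cookie": "", "status": 200},
    {"ts": "2024-02-09T10:15:04.250Z", "host": "exch01", "src_ip": "192.0.2.5",
     "method": "GET", "uri": "/autodiscover/autodiscover.xml",
     "cookie": "SecurityToken=PLACEHOLDER", "status": 401},
]


def is_proxytoken_indicator(rec):
    """Mirror the rule's filter: 'SecurityToken' present together with
    'msexchecpcanary' or a reference to 'ecp' anywhere in the request.
    The 'ecp' check is a plain substring match, as broad as the rule describes."""
    blob = " ".join(str(rec.get(k, "")) for k in ("uri", "cookie")).lower()
    return "securitytoken" in blob and ("msexchecpcanary" in blob or "ecp" in blob)


def bin_to_second(ts):
    """Truncate an ISO-8601 timestamp to the 1-second bucket the rule uses."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).strftime("%Y-%m-%dT%H:%M:%S")


def detect(records):
    """Return matching requests grouped by (1-second bin, source IP), which is
    the shape of the rule's tabulated output minus the geo-location column."""
    table = defaultdict(list)
    for rec in records:
        if is_proxytoken_indicator(rec):
            key = (bin_to_second(rec["ts"]), rec["src_ip"])
            table[key].append((rec["host"], rec["method"], rec["uri"], rec["status"]))
    return dict(table)


if __name__ == "__main__":
    for (second, src_ip), rows in detect(SAMPLE_WAF_LOGS).items():
        print(second, src_ip, len(rows), "matching request(s)")
```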
Categories
- Web
- Cloud
- Application
Data Sources
- Web Credential
ATT&CK Techniques
- T1190
Created: 2024-02-09