
Summary
This detection rule identifies attempts to exploit the Citrix Bleed vulnerability (CVE-2023-4966), which allows the unauthorized disclosure of session tokens via web requests. The rule specifically looks for HTTP requests that return a 200 OK status when targeting the /oauth/idp/.well-known/openid-configuration endpoint. The detection leverages user agent details, HTTP methods, and source and destination IP addresses to filter and identify potentially malicious requests. Exploitation of this vulnerability could enable attackers to impersonate valid users and gain access to sensitive information, making effective monitoring crucial for security operations centers (SOCs). Should an exploitation attempt be validated, it could lead to various critical security incidents including unauthorized access and data exfiltration.
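The following is an added example of the detection logic the summary describes, written here in Python and not taken from the rule's own search or any vendor code. It parses constructed web log lines (the log format, IP addresses, timestamps and user agents are all made up for illustration), flags requests to /oauth/idp/.well-known/openid-configuration that returned 200 OK, and then counts hits per source IP, destination IP and user agent so an analyst can pivot on the same fields the rule uses.

```python
import re
from collections import Counter

# Constructed sample web log lines (not from the original page). Format is a
# combined-log-like layout extended with a destination IP as the second field:
# src_ip dest_ip - [timestamp] "METHOD path HTTP/1.1" status bytes "referer" "user-agent"
SAMPLE_LOGS = """\
203.0.113.10 192.0.2.5 - [15/Nov/2024:10:01:02 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 1843 "-" "python-requests/2.31.0"
198.51.100.7 192.0.2.5 - [15/Nov/2024:10:01:05 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 192.0.2.5 - [15/Nov/2024:10:01:09 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 200 1843 "-" "python-requests/2.31.0"
198.51.100.22 192.0.2.5 - [15/Nov/2024:10:02:11 +0000] "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1" 404 212 "-" "curl/8.4.0"
this line is malformed and must be skipped rather than crash the parser
"""

# Regex for the constructed format above; a real deployment would use the
# field extraction of its own log pipeline instead.
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<dest>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# The endpoint the rule watches, as named in the summary.
TARGET_PATH = "/oauth/idp/.well-known/openid-configuration"


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_citrix_bleed_candidates(log_text):
    """Return every parsed request to TARGET_PATH that was answered with 200 OK."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of failing the whole run
        # Compare the path without any query string so "?x=y" variants still match.
        path = rec["path"].split("?", 1)[0]
        if path == TARGET_PATH and rec["status"] == 200:
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count hits per (source IP, destination IP, user agent) to support triage."""
    return Counter((h["src"], h["dest"], h["ua"]) for h in hits)


if __name__ == "__main__":
    found = find_citrix_bleed_candidates(SAMPLE_LOGS)
    for key, count in summarize_by_source(found).most_common():
        src, dest, ua = key
        print(f"{count} hit(s): {src} -> {dest} ua={ua!r}")
```

Legitimate OpenID Connect clients also fetch this discovery document, so a single 200 OK is a lead rather than proof of exploitation; the per-source and per-user-agent counts are what let an analyst separate expected integrations from an unfamiliar scripted client. The 404 in the sample is deliberately excluded because the rule, as summarized, keys on successful responses only.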
Categories
- Web
- Network
- Infrastructure
Data Sources
- Web Credential
- Network Traffic
- Application Log
ATT&CK Techniques
- T1190
Created: 2024-11-15