
Summary
This detection rule is designed to identify patterns of exploitation related to CVE-2022-22954, a known remote code execution vulnerability affecting VMware One. The rule examines web application firewall (WAF) logs for specific URI strings that may indicate attempts to reach vulnerable endpoints. It uses Splunk search syntax to filter and extract the relevant events, focusing on URI paths that carry potentially malicious markers related to device types, UDid parameters, and specific error codes during OAuth verification. The detection criteria also look for use of FreeMarker template utilities, which can be abused in the context of this vulnerability. Matching log entries are then summarized by time and host for easier analysis. Users looking to mitigate this risk should focus on securing the identified endpoints and monitoring web application logs for similar patterns of activity.
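The following is an added, stand-alone illustration of the detection logic described above, not the Splunk rule itself: it applies the same URI criteria to a few constructed WAF log lines and summarizes hits by hour and host. The log layout, the endpoint path `/catalog-portal/ui/oauth/verify`, and the parameter names `deviceUdid`, `deviceType` and `error` are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample WAF log lines (not real traffic); the key=value layout is an assumption.
SAMPLE_LOGS = [
    "2024-02-09T10:00:01Z host=waf-01 method=GET uri=/catalog-portal/ui/oauth/verify?error=&deviceUdid=abc123&deviceType=Android status=200",
    "2024-02-09T10:00:07Z host=waf-01 method=GET uri=/catalog-portal/ui/oauth/verify?error=&deviceUdid=freemarker%2Etemplate%2Eutility&deviceType=Android status=400",
    "2024-02-09T10:00:09Z host=waf-02 method=GET uri=/catalog-portal/ui/oauth/verify?error=&deviceUdid=freemarker.template.utility&deviceType=Android status=400",
    "2024-02-09T11:30:00Z host=waf-02 method=GET uri=/SAAS/apps/ status=200",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) method=\S+ uri=(?P<uri>\S+)")
VULN_PATH = "/catalog-portal/ui/oauth/verify"  # assumed OAuth verification endpoint
MARKER = "freemarker.template.utility"          # FreeMarker template utility marker from the rule


def matches_cve_2022_22954_pattern(uri: str) -> bool:
    """True when a URI carries all markers the rule looks for."""
    decoded = unquote(uri)  # decode first so URL-encoded variants of the marker are not missed
    parts = urlsplit(decoded)
    if not parts.path.startswith(VULN_PATH):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)  # keep 'error=' with an empty value
    has_device = "deviceUdid" in params or "deviceType" in params
    has_error = "error" in params
    return has_device and has_error and MARKER in decoded.lower()


def summarize(lines):
    """Count matching requests per (hour bucket, host), mirroring the rule's time/host summary."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not matches_cve_2022_22954_pattern(m["uri"]):
            continue
        hour = m["ts"][:13]  # 'YYYY-MM-DDTHH'
        hits[(hour, m["host"])] += 1
    return hits


if __name__ == "__main__":
    for (hour, host), count in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{hour} {host} hits={count}")
```

The first sample line has the device and error parameters but no template marker, so it is not reported; only the two lines carrying the FreeMarker marker (one URL-encoded) are counted.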
Categories
- Web
- Cloud
- Infrastructure
Data Sources
- Web Credential
- Application Log
ATT&CK Techniques
- T1190
Created: 2024-02-09