
JetBrains TeamCity Authentication Bypass CVE-2024-27198

Splunk Security Content

Summary
This detection rule identifies attempts to exploit the JetBrains TeamCity Authentication Bypass vulnerability (CVE-2024-27198). The vulnerability allows unauthorized users to create new administrator accounts or generate access tokens without proper authentication by sending malformed POST requests to the endpoints `/app/rest/users` and `/app/rest/users/id:1/tokens`. Such activity can give an attacker full administrative access to a TeamCity server, compromising projects, builds, agents, and artifacts. The rule uses the Web datamodel together with CIM-compliant log sources, specifically logs from Nginx and TeamCity. Given the severity of this attack vector, accurate detection is essential to prevent unauthorized access and privilege escalation.
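As an added example (not the Splunk rule's own search logic), the following Python applies the same idea to Nginx access logs: it parses combined-format lines and flags POST requests whose request target contains either endpoint named above. The sample log lines, IP addresses and the regex are constructed assumptions, not taken from the rule.

```python
import re
from typing import NamedTuple

# Nginx combined log format (constructed regex; the trailing referer and
# user-agent fields are ignored because match() only anchors at the start).
NGINX_COMBINED = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Endpoints named in the rule summary; longest first so the token endpoint
# is reported as such rather than as its /app/rest/users prefix.
SUSPICIOUS_ENDPOINTS = ("/app/rest/users/id:1/tokens", "/app/rest/users")


class Hit(NamedTuple):
    src: str
    time: str
    target: str
    status: str   # kept so an analyst can separate 2xx successes from rejected attempts
    endpoint: str


def match_endpoint(target: str):
    # The requests are described as malformed, so look for the endpoint string
    # anywhere in the request target (path plus query), not only as an exact path.
    for ep in SUSPICIOUS_ENDPOINTS:
        if ep in target:
            return ep
    return None


def detect(lines):
    """Return a Hit for every POST to one of the suspicious endpoints."""
    hits = []
    for line in lines:
        m = NGINX_COMBINED.match(line)
        if not m or m["method"] != "POST":
            continue
        ep = match_endpoint(m["target"])
        if ep is not None:
            hits.append(Hit(m["src"], m["time"], m["target"], m["status"], ep))
    return hits


# Constructed sample log lines: two suspicious POSTs, one GET to the same
# endpoint (not flagged), and normal authenticated traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Nov/2024:10:02:11 +0000] "POST /app/rest/users HTTP/1.1" 200 412 "-" "curl/8.4.0"',
    '203.0.113.7 - - [15/Nov/2024:10:02:13 +0000] "POST /app/rest/users/id:1/tokens HTTP/1.1" 200 98 "-" "curl/8.4.0"',
    '198.51.100.5 - - [15/Nov/2024:10:03:00 +0000] "GET /app/rest/users HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - admin [15/Nov/2024:10:04:21 +0000] "GET /overview.html HTTP/1.1" 200 1534 "-" "Mozilla/5.0"',
    '198.51.100.9 - admin [15/Nov/2024:10:05:01 +0000] "POST /app/rest/builds HTTP/1.1" 200 220 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"{hit.time} {hit.src} POST {hit.target} -> {hit.status} ({hit.endpoint})")
```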
Categories
  • Web
  • Cloud
  • Infrastructure
Data Sources
  • Web Credential
  • Application Log
ATT&CK Techniques
  • T1190
Created: 2024-11-15