
Summary
This detection rule identifies attempts to exploit CVE-2022-1388, an authentication bypass in the F5 BIG-IP iControl REST API that gives an unauthenticated attacker remote code execution. The rule looks for HTTP POST requests to the iControl REST endpoint abused in public exploitation, `/mgmt/tm/util/bash`, and for the request features that characterise the bypass: a `Connection` header that names `X-F5-Auth-Token` (which causes the front end to strip that header, so the token is never validated), an `X-F5-Auth-Token` header carrying an arbitrary value, an `Authorization: Basic` header whose base64 value decodes to `admin:` (the admin user with an empty password), and a JSON body containing the `utilCmdArgs` field that supplies the shell command to run. Note that `utilCmdArgs` is a request-body field, not a header, and the base64 string sits in `Authorization`, not in `X-F5-Auth-Token`. Detection matters because a successful request runs commands as root on the appliance, which is full device compromise and a foothold into the networks it fronts.

The search is written against the Splunk Web datamodel, so it matches on URL and HTTP method; header and body indicators are only available if the log source in front of the management interface (a reverse proxy, WAF or full request capture) records them. Legitimate automation and administrators also POST to `/mgmt/tm/util/bash`, so expect false positives and tune the search to known management hosts, service accounts and maintenance windows rather than suppressing the endpoint entirely. Implementing the rule requires ingesting the relevant web logs into Splunk and mapping them to the Web datamodel.
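The following Python is an added example written for this page, not the rule's SPL or any F5 or Splunk code. It runs the same indicators described above over a handful of constructed request records (the record layout is an assumption; a real proxy or WAF log will differ) and shows why the URL-and-method condition alone is not enough: a legitimate automation account also POSTs `utilCmdArgs` to `/mgmt/tm/util/bash`, and only the `Connection`-header bypass signal separates it from an exploit attempt.

```python
import base64
import binascii
import json

# Constructed sample records, modelled loosely on what a reverse proxy or WAF in
# front of the BIG-IP management interface might log. The field layout is an
# assumption for this example, not a real F5 or Splunk log format.
SAMPLE_RECORDS = [
    {  # benign: a normal read through a real session token
        "src": "10.0.0.5", "method": "GET", "uri": "/mgmt/tm/sys/version",
        "headers": {"Connection": "keep-alive", "X-F5-Auth-Token": "7K3H2Q8"},
        "body": "",
    },
    {  # benign: an automation account running util/bash with a real token
        "src": "10.0.0.7", "method": "POST", "uri": "/mgmt/tm/util/bash",
        "headers": {"Connection": "keep-alive", "X-F5-Auth-Token": "9QJZ1M4"},
        "body": '{"command": "run", "utilCmdArgs": "-c \\"tmsh show sys version\\""}',
    },
    {  # exploit-shaped: every CVE-2022-1388 indicator present
        "src": "203.0.113.9", "method": "POST", "uri": "/mgmt/tm/util/bash",
        "headers": {
            "Connection": "X-F5-Auth-Token, X-Forwarded-Host",
            "X-F5-Auth-Token": "anything",
            "Authorization": "Basic YWRtaW46",   # base64("admin:")
            "Host": "localhost",
        },
        "body": '{"command": "run", "utilCmdArgs": "-c id"}',
    },
    {  # same attempt with case and path variations that defeat a naive string match
        "src": "198.51.100.4", "method": "post", "uri": "/mgmt/tm/util/BASH/",
        "headers": {"Connection": "x-f5-auth-token", "Authorization": "Basic YWRtaW46"},
        "body": '{"command":"run","utilcmdargs":"-c whoami"}',
    },
]


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def basic_auth_username(authorization):
    """Return the username from a Basic Authorization header, or None if absent/invalid."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, _, _password = decoded.partition(":")
    return user


def body_has_util_cmd_args(body):
    """True when the JSON body carries a utilCmdArgs key in any letter case."""
    try:
        doc = json.loads(body) if body else {}
    except json.JSONDecodeError:
        # Not valid JSON: fall back to a substring check so a malformed payload is not missed.
        return "utilcmdargs" in body.lower()
    return isinstance(doc, dict) and any(k.lower() == "utilcmdargs" for k in doc)


def indicators(rec):
    """Return the CVE-2022-1388 indicators present in one record, in a fixed order."""
    found = []
    uri = rec["uri"].lower().rstrip("/")
    if rec["method"].upper() == "POST" and uri.startswith("/mgmt/tm/util/bash"):
        found.append("post_util_bash")
    # The bypass: listing X-F5-Auth-Token in Connection makes the front end drop the
    # header before forwarding, so the back end never validates a token at all.
    if "x-f5-auth-token" in _header(rec["headers"], "Connection").lower():
        found.append("connection_drops_auth_token")
    if basic_auth_username(_header(rec["headers"], "Authorization")) == "admin":
        found.append("basic_admin")
    if body_has_util_cmd_args(rec["body"]):
        found.append("util_cmd_args_body")
    return found


def is_exploit_attempt(rec):
    """A POST to util/bash is also what legitimate automation does; require the bypass signal too."""
    found = indicators(rec)
    return "post_util_bash" in found and "connection_drops_auth_token" in found


def find_attempts(records):
    """Source addresses of the records that look like exploitation attempts."""
    return [r["src"] for r in records if is_exploit_attempt(r)]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["src"], rec["method"], rec["uri"], indicators(rec), is_exploit_attempt(rec))
```

When only the Web datamodel fields are available, `indicators()` collapses to the first check, which is exactly the rule's URL-and-method condition; the remaining checks are what a proxy or WAF log with header and body capture buys you for separating the automation account from the attacker.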
Categories
- Network
- Cloud
- Infrastructure
- Web
Data Sources
- Pod
- Network Traffic
- Web Credential
- Application Log
ATT&CK Techniques
- T1190
- T1133
Created: 2024-11-15