
Summary
This detection rule, authored by Michael Haag from Splunk, analyzes web traffic to identify unauthorized attempts to access the Remote ShellServlet on Confluence web servers. It specifically targets known vulnerabilities (CVE-2023-22518 and CVE-2023-22515) associated with these servers in order to detect potentially malicious behavior such as the use of web shells. The rule filters Nginx web access logs for URLs that match the pattern '*plugins/servlet/com.jsos.shell/*' and that return an HTTP 200 status code, indicating a successful request. Such requests can lead to serious security risks, including remote command execution on the compromised server. The analytic leverages both Splunk's data processing capabilities and community expertise to minimize false positives, although configuration settings in some environments may allow legitimate use of this servlet. Implementing this rule requires proper logging and data collection using Splunk tools or a similar configuration to ensure robust detection.
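The following Python script is an added example and not the rule's own Splunk search: it parses Nginx access log lines in the default "combined" format and applies the logic the summary describes, flagging requests whose URL matches the wildcard pattern '*plugins/servlet/com.jsos.shell/*' and that returned HTTP 200. The regular expression, the sample log lines and the case-sensitive wildcard matching are assumptions made for this example.

```python
import fnmatch
import re

# Nginx "combined" access log format. This regex is an assumption for the example;
# adjust it if the server uses a custom log_format.
NGINX_COMBINED = re.compile(
    r'^(?P<remote_addr>\S+) \S+ (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<protocol>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Wildcard pattern quoted in the rule summary; '*' matches any characters,
# including '/', as a Splunk-style wildcard would.
SHELL_SERVLET_PATTERN = "*plugins/servlet/com.jsos.shell/*"

# Constructed sample log lines (not real traffic): one successful hit on the
# servlet path, one 404 for the same path, one unrelated 200, one malformed line.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Nov/2024:10:00:01 +0000] '
    '"GET /plugins/servlet/com.jsos.shell/ShellServlet HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.10 - - [15/Nov/2024:10:00:02 +0000] '
    '"GET /plugins/servlet/com.jsos.shell/ShellServlet HTTP/1.1" 404 153 "-" "curl/8.4.0"',
    '198.51.100.7 - - [15/Nov/2024:10:00:03 +0000] '
    '"GET /login.action HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'this line is not a valid nginx access log entry',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = NGINX_COMBINED.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    return event


def matches_rule(event):
    """Apply the detection logic: servlet path pattern AND HTTP 200.

    Matching is case-sensitive here (an assumption); the full request URI is
    matched, so a trailing query string is covered by the trailing wildcard.
    """
    return (
        fnmatch.fnmatchcase(event["uri"], SHELL_SERVLET_PATTERN)
        and event["status"] == 200
    )


def find_hits(lines):
    """Return (remote_addr, uri, status) for every line that triggers the rule."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is not None and matches_rule(event):
            hits.append((event["remote_addr"], event["uri"], event["status"]))
    return hits


if __name__ == "__main__":
    for addr, uri, status in find_hits(SAMPLE_LOG):
        print(f"ALERT source={addr} uri={uri} status={status}")
```

Only the first sample line should fire: the 404 on the same path is excluded because the rule requires a successful response, and the unrelated `/login.action` request does not match the path pattern. Review any hit against the environment's expected use of that servlet before escalating, as the summary notes that legitimate use is possible.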
Categories
- Web
- Cloud
- On-Premise
Data Sources
- Named Pipe
- Web Credential
- Network Traffic
ATT&CK Techniques
- T1190
Created: 2024-11-15