
Ivanti Connect Secure Command Injection Attempts

Splunk Security Content

Summary
This detection rule targets command injection attempts that chain two known vulnerabilities in Ivanti Connect Secure: CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection. It monitors for unauthenticated POST requests to specific API endpoints whose use from outside an authenticated session is indicative of command injection. The rule uses Splunk's Web datamodel, populated here from Suricata HTTP logs, to identify such requests, and it requires a '200 OK' response: the appliance accepted the request rather than rejecting it, so the attempt likely succeeded. Given the critical nature of these vulnerabilities, successful exploitation leads to remote command execution on the affected appliance, compromising the device and risking data breaches. To implement the detection effectively, the log sources must populate the Web datamodel with the request URI, HTTP method and status fields the rule keys on. Because the exploit chain relies on path-traversal sequences in the request URI to reach the target endpoints, the log source must preserve the raw, un-normalized URI; a proxy or sensor that collapses '../' segments before logging removes the evidence the rule matches on.
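The following is an added example, written for this page rather than taken from the Splunk rule or from Ivanti, that runs the detection logic described above over a few constructed Suricata EVE `http` events. It generalizes the rule slightly: instead of matching the traversal URIs literally, it flags any POST to the unauthenticated `/api/v1/totp/user-backup-code/` prefix whose `..` segments resolve to a path outside that prefix (the authentication-bypass shape), then checks whether the resolved target is one of the command-injection endpoints. The prefix and the two target endpoints are assumptions drawn from public reporting on these CVEs, not from this page; the authoritative URI list belongs in the rule source. The sample log lines are constructed.

```python
"""Added example: exploit-shaped request detection over constructed Suricata
EVE 'http' events. Not the Splunk rule's SPL; indicator strings are assumed."""
import json
import posixpath
from typing import Dict, List

# Assumed (not from the page): the unauthenticated prefix abused by the bypass.
BYPASS_PREFIX = "/api/v1/totp/user-backup-code/"
# Assumed (not from the page): endpoints reached through the traversal in
# public reporting on the two CVEs. Take the real list from the rule source.
TARGET_ENDPOINTS = (
    "/api/v1/system/maintenance/archiving/cloud-server-test-connection",
    "/api/v1/license/keys-status/",
)
METHODS = {"POST"}   # the page's rule looks at POST; extend if the rule source does


def resolved_target(url: str) -> str:
    """Collapse '.' and '..' segments the way the appliance's router would."""
    return posixpath.normpath(url.split("?", 1)[0])


def traversal_escapes_prefix(url: str) -> bool:
    """True when the raw URL starts with the unauthenticated prefix but, once
    '..' segments are collapsed, resolves to a path outside it."""
    path = url.split("?", 1)[0]
    if not path.startswith(BYPASS_PREFIX):
        return False
    return not resolved_target(path).startswith(BYPASS_PREFIX.rstrip("/"))


def match_event(ev: Dict) -> bool:
    """Method, accepted (200) status, bypass shape, then known target endpoint."""
    if ev.get("event_type") != "http":
        return False
    http = ev.get("http", {})
    if http.get("http_method", "").upper() not in METHODS:
        return False
    if http.get("status") != 200:
        return False
    url = http.get("url", "")
    if not traversal_escapes_prefix(url):
        return False
    target = resolved_target(url)
    return any(target.startswith(t.rstrip("/")) for t in TARGET_ENDPOINTS)


def detect(eve_lines: List[str]) -> List[Dict]:
    """Return one alert per matching EVE line; malformed lines are skipped."""
    alerts = []
    for line in eve_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if match_event(ev):
            h = ev["http"]
            alerts.append({
                "src": ev.get("src_ip"), "dest": ev.get("dest_ip"),
                "method": h["http_method"], "url": h["url"],
                "target": resolved_target(h["url"]), "status": h["status"],
            })
    return alerts


def _eve(url, method="POST", status=200, src="203.0.113.7", event_type="http"):
    """Build a constructed EVE line with the fields Suricata's http log carries."""
    return json.dumps({
        "timestamp": "2024-01-15T10:21:03.000000+0000", "event_type": event_type,
        "src_ip": src, "dest_ip": "192.0.2.10",
        "http": {"hostname": "vpn.example.com", "url": url, "http_method": method,
                 "status": status, "http_user_agent": "python-requests/2.31.0"},
    })


# Constructed sample log: only the first line should alert.
SAMPLE_EVE_LINES = [
    # exploit-shaped POST accepted with 200 -> alert
    _eve(BYPASS_PREFIX + "../../system/maintenance/archiving/cloud-server-test-connection"),
    # same request rejected (mitigated appliance) -> no alert
    _eve(BYPASS_PREFIX + "../../system/maintenance/archiving/cloud-server-test-connection", status=403),
    # legitimate use of the unauthenticated prefix, no traversal -> no alert
    _eve(BYPASS_PREFIX + "abc123"),
    # ordinary login POST -> no alert
    _eve("/dana-na/auth/url_default/login.cgi"),
    # traversal already collapsed by a normalizing sensor -> the evidence is gone,
    # so this exploit is MISSED; this is the raw-URI caveat from the summary
    _eve("/api/v1/system/maintenance/archiving/cloud-server-test-connection"),
    # non-http event type -> skipped
    _eve(BYPASS_PREFIX + "../../license/keys-status/", event_type="flow"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVE_LINES):
        print(json.dumps(alert))
```

Feed it a real `eve.json` one line at a time to compare against the Splunk rule's hits. The fifth sample line shows why the raw URI matters: once a sensor has normalized the path, nothing distinguishes the bypassed request from an authenticated one, and the only remaining signal is the 200 status on an endpoint that should not answer unauthenticated clients.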
Categories
  • Web
  • Network
  • Cloud
Data Sources
  • Web Credential
  • Network Traffic
ATT&CK Techniques
  • T1190
Created: 2024-11-15