
Tomcat Session Deserialization Attempt

Splunk Security Content

Summary
The detection rule 'Tomcat Session Deserialization Attempt' identifies attempts to exploit CVE-2025-24813 in Apache Tomcat. The rule covers the second phase of the attack: after a serialized Java payload has been written into the session storage directory (phase one, via a partial PUT), the attacker sends an HTTP GET request carrying a crafted JSESSIONID cookie whose value names the uploaded file, which causes Tomcat's file-based session store to load and deserialize it. The indicators the rule keys on are a JSESSIONID value that starts with a dot and an HTTP 500 response to that GET; the 500 is the server failing after the deserialization has already run, so the combination suggests the payload was processed rather than rejected. The Splunk query runs across the relevant web access logs, so hits can be pivoted on the other fields those logs carry (source address, URI, user agent) to scope the activity.

Detection depends on the web server or reverse proxy logging the request method, status code and the Cookie header. Common access-log formats omit cookies by default (for Tomcat's AccessLogValve this means adding `%{Cookie}i` or `%{JSESSIONID}c` to the pattern), and without that field the rule cannot match. HTTP 500 responses also occur for ordinary application errors, so to limit false positives, examine the context of each hit: confirm that the JSESSIONID value is dot-prefixed rather than a normal session identifier, and look for an earlier PUT from the same source that would correspond to the phase-one upload.
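As an added illustration of the rule's logic (example code written for this page, not Splunk's SPL and not code from the Security Content project), the Python below applies the same three conditions, a GET request, a JSESSIONID value beginning with a dot, and a 500 response, to constructed access-log lines, and enriches each hit with the phase-one context a triage analyst would check: whether the same source sent a PUT shortly before. The log format (common format plus the raw Cookie header as a trailing quoted field), the ten-minute lookback and the sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Regex for an assumed Tomcat AccessLogValve pattern of
#   %h %l %u %t "%r" %s %b "%{Cookie}i"
# i.e. the common log format with the raw request Cookie header appended.
# Adjust it to whatever pattern is actually configured on the server.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (not real traffic). The first two lines model
# the two-phase attack from one source; the rest are benign or near-miss noise.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Mar/2025:10:00:01 +0000] "PUT /app/x.session HTTP/1.1" 409 0 "-"
10.0.0.5 - - [25/Mar/2025:10:00:02 +0000] "GET /app/ HTTP/1.1" 500 0 "JSESSIONID=.x"
10.0.0.7 - - [25/Mar/2025:10:00:03 +0000] "GET /app/ HTTP/1.1" 200 1234 "JSESSIONID=1A2B3C4D"
10.0.0.8 - - [25/Mar/2025:10:00:04 +0000] "GET /app/broken HTTP/1.1" 500 0 "JSESSIONID=DEADBEEF"
10.0.0.9 - - [25/Mar/2025:10:00:05 +0000] "POST /app/ HTTP/1.1" 500 0 "JSESSIONID=.y"
10.0.0.6 - - [25/Mar/2025:10:00:06 +0000] "GET /app/ HTTP/1.1" 500 0 "a=b; JSESSIONID=.z"
"""


@dataclass
class Event:
    src: str
    time: datetime
    method: str
    uri: str
    status: int
    jsessionid: Optional[str]


def jsessionid_from_cookie(header: str) -> Optional[str]:
    """Return the JSESSIONID value from a raw Cookie header, or None if absent."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID":
            return value
    return None


def parse_line(line: str) -> Optional[Event]:
    """Parse one access-log line; lines that do not match the pattern are dropped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Event(
        src=m["src"],
        time=datetime.strptime(m["time"], TIME_FMT),
        method=m["method"],
        uri=m["uri"],
        status=int(m["status"]),
        jsessionid=jsessionid_from_cookie(m["cookie"]),
    )


def is_deserialization_attempt(ev: Event) -> bool:
    """Phase-two indicator: a GET with a dot-prefixed JSESSIONID answered with 500."""
    return (
        ev.method == "GET"
        and ev.status == 500
        and ev.jsessionid is not None
        and ev.jsessionid.startswith(".")
    )


def detect(lines: Iterable[str], lookback: timedelta = timedelta(minutes=10)) -> list:
    """Run the rule over log lines. Each hit records whether the same source
    sent a PUT (the phase-one session-file upload) within `lookback` before it,
    which is the context that separates a likely exploit from a lone 500."""
    events = [ev for ev in (parse_line(line) for line in lines) if ev]
    hits = []
    for ev in events:
        if not is_deserialization_attempt(ev):
            continue
        prior_put = any(
            e.src == ev.src
            and e.method == "PUT"
            and timedelta(0) <= ev.time - e.time <= lookback
            for e in events
        )
        hits.append(
            {"src": ev.src, "uri": ev.uri, "jsessionid": ev.jsessionid, "prior_put": prior_put}
        )
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the constructed sample the rule fires twice: for 10.0.0.5, whose GET follows a PUT from the same address (prior_put True), and for 10.0.0.6, which has the dotted cookie and the 500 but no visible upload (prior_put False, worth a closer look at other log sources before escalating). The 500 with a normal session identifier and the POST with a dotted cookie are both left alone, matching the rule's conditions.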
Categories
  • Web
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1190 (Exploit Public-Facing Application)
  • T1505.003 (Server Software Component: Web Shell)
Created: 2025-03-25