
Summary
This detection rule identifies potential exploitation attempts against Ivanti Connect Secure systems by monitoring access to an API endpoint associated with CVE-2023-46805 and CVE-2024-21887. It matches HTTP GET requests to the '/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark' endpoint that receive a 403 Forbidden response with an empty response body. This combination may indicate that an attacker is probing for or exploiting these vulnerabilities in the Ivanti software. A confirmed match could signal unauthorized access attempts that may lead to data breaches or control of the system by malicious actors.
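As an added example (not part of the original rule), the matching logic described above applied to a few constructed web-server log lines. The endpoint, the 403 status and the empty-body condition come from the rule; the log line format, the client addresses and timestamps are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed log format (constructed for this example, not an Ivanti log format):
# <timestamp> <client-ip> <method> <uri> <status> <response-bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) "
    r"(?P<status>\d{3}) (?P<resp_bytes>\d+|-)$"
)

# Endpoint named in the rule summary (T1190, CVE-2023-46805 / CVE-2024-21887).
SUSPECT_PATH = ("/api/v1/configuration/users/user-roles/user-role/"
                "rest-userrole1/web/web-bookmarks/bookmark")


@dataclass
class Hit:
    ts: str
    client: str
    uri: str


def parse(line: str) -> Optional[dict]:
    """Split one log line into named fields; None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious(ev: dict) -> bool:
    """Rule logic: GET to the bookmark endpoint, 403 status, empty response body."""
    body_empty = ev["resp_bytes"] in ("0", "-")   # "-" = no body logged
    return (ev["method"] == "GET"
            and SUSPECT_PATH in ev["uri"]          # query strings still match
            and ev["status"] == "403"
            and body_empty)


def scan(lines) -> List[Hit]:
    """Return one Hit per log line that satisfies the rule."""
    return [Hit(ev["ts"], ev["client"], ev["uri"])
            for ev in map(parse, lines) if ev and is_suspicious(ev)]


# Constructed sample log: two matches, then three lines that must not match.
SAMPLE_LOG = [
    f"2024-11-15T10:01:02Z 198.51.100.7 GET {SUSPECT_PATH} 403 0",
    f"2024-11-15T10:01:05Z 198.51.100.7 GET {SUSPECT_PATH}?x=1 403 0",
    f"2024-11-15T10:02:00Z 203.0.113.9 GET {SUSPECT_PATH} 403 128",   # 403 with error body
    f"2024-11-15T10:03:00Z 192.0.2.4 GET {SUSPECT_PATH} 401 0",       # not a 403
    "2024-11-15T10:04:00Z 192.0.2.4 GET /dana-na/auth/url_default/welcome.cgi 200 5120",
]
```

Running scan(SAMPLE_LOG) yields two hits, both from 198.51.100.7; a 403 that carries an error body and a 401 with no body are left out, so the rule as written keys on the empty-body 403 rather than on the path alone.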
Categories
- Network
Data Sources
- Web Credential
ATT&CK Techniques
- T1190
Created: 2024-11-15