F5 TMUI Authentication Bypass

Splunk Security Content

Summary
This detection rule identifies exploitation attempts against an authentication bypass vulnerability (CVE-2023-46747) in the F5 BIG-IP Configuration utility (TMUI). The analytic monitors specific URI patterns: HTTP PATCH requests that target the endpoint '*/mgmt/tm/auth/user/*' and receive a successful response status code of 200. Such behavior signifies an unauthorized attempt to exploit the vulnerability, which may lead to remote code execution or unauthorized access to sensitive systems and data. Running the analytic on the Splunk platform lets security analysts track these anomalies efficiently and respond proactively to potential security breaches.
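The three conditions in the summary, applied to web events in Python. This is an added example, not the Splunk Security Content rule itself; the event field names (src, dest, url, http_method, status, time) and the sample events are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlsplit

URI_PATTERN = "*/mgmt/tm/auth/user/*"  # wildcard taken from the rule summary


def matches_rule(event):
    """True when the event is a PATCH to the user endpoint answered with 200."""
    try:
        status = int(event.get("status"))
    except (TypeError, ValueError):
        return False  # a missing or non-numeric status cannot satisfy the rule
    method = str(event.get("http_method") or "").upper()
    # Compare the decoded path only, so a query string that merely mentions
    # the endpoint does not match (a choice made for this example).
    path = unquote(urlsplit(event.get("url") or "").path)
    return method == "PATCH" and status == 200 and fnmatchcase(path, URI_PATTERN)


def summarize(events):
    """Group matches by (src, dest): hit count, first/last time, paths seen."""
    hits = {}
    for ev in filter(matches_rule, events):
        row = hits.setdefault(
            (ev["src"], ev["dest"]),
            {"count": 0, "first": ev["time"], "last": ev["time"], "urls": set()},
        )
        row["count"] += 1
        row["first"] = min(row["first"], ev["time"])
        row["last"] = max(row["last"], ev["time"])
        row["urls"].add(urlsplit(ev["url"]).path)
    return hits


# Constructed sample events (documentation address ranges, made-up times).
SAMPLE_EVENTS = [
    {"time": 1000, "src": "203.0.113.7", "dest": "192.0.2.10", "http_method": "PATCH", "url": "/mgmt/tm/auth/user/admin", "status": 200},
    {"time": 1010, "src": "203.0.113.7", "dest": "192.0.2.10", "http_method": "PATCH", "url": "/mgmt/tm/auth/user/admin", "status": 401},
    {"time": 1020, "src": "203.0.113.7", "dest": "192.0.2.10", "http_method": "GET", "url": "/mgmt/tm/auth/user/admin", "status": 200},
    {"time": 1030, "src": "203.0.113.7", "dest": "192.0.2.10", "http_method": "PATCH", "url": "/mgmt/tm/sys/config", "status": 200},
    {"time": 1060, "src": "203.0.113.7", "dest": "192.0.2.10", "http_method": "patch", "url": "https://192.0.2.10/mgmt/tm/auth/user/svc?ver=1", "status": "200"},
    {"time": 1200, "src": "198.51.100.4", "dest": "192.0.2.10", "http_method": "PATCH", "url": "/mgmt/tm/auth/user/admin", "status": 200},
]

if __name__ == "__main__":
    for pair, row in summarize(SAMPLE_EVENTS).items():
        print(pair, row)
```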
Categories
  • Network
  • Cloud
  • Infrastructure
  • Web
  • Application
Data Sources
  • Web Credential
ATT&CK Techniques
  • T1190
Created: 2024-11-15