
Summary
This rule detects the creation of new administrator accounts on Ivanti Virtual Traffic Manager (vTM) without an accompanying authenticated session, a pattern consistent with exploitation of CVE-2024-7593. That vulnerability lets an unauthenticated remote attacker bypass the authentication of the vTM admin panel and create admin accounts without valid credentials. The detection runs over Ivanti vTM audit logs (sourcetype ivanti_vtm_audit) and looks for operations that add a user with MODGROUP set to 'admin' while the IP address field is absent. An account added through the authenticated admin interface is logged together with the source IP of the session that performed it, so the rule treats a missing IP as the sign that no authenticated session made the change. Matches are flagged for review and investigation rather than blocked, since the rule only observes the audit log.
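The following is an added example that reproduces the detection logic described above outside Splunk, so the filter can be reasoned about and tested against sample data. It is not the rule's own SPL and not Ivanti code. The key=value layout of the audit lines, the field names OPERATION, MODUSER and MODGROUP, and the sample events themselves are all constructed assumptions; substitute the field names from your own ivanti_vtm_audit extraction.

```python
import re

# Constructed sample audit lines. The layout (ISO timestamp followed by
# key=value pairs, quoted where the value has spaces) is an assumption and
# is not the documented Ivanti vTM audit format. The third line mimics what
# the rule is after: an admin-group user added with no IP field at all.
SAMPLE_AUDIT_LINES = [
    '2025-01-21T09:02:11Z OPERATION="Add User" USER=alice MODUSER=bob MODGROUP=admin IP=10.0.0.5 AUTH=local',
    '2025-01-21T09:05:44Z OPERATION="Add User" USER=alice MODUSER=carol MODGROUP=monitoring IP=10.0.0.5 AUTH=local',
    '2025-01-21T09:11:03Z OPERATION="Add User" MODUSER=sysadmin2 MODGROUP=admin',
    '2025-01-21T09:12:30Z OPERATION="Delete User" USER=alice MODUSER=carol IP=10.0.0.5 AUTH=local',
]

# key=value where value is either "quoted text" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Split one audit line into a dict; the leading timestamp becomes _time."""
    ts, _, rest = line.partition(" ")
    fields = {"_time": ts}
    for m in KV_RE.finditer(rest):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_unauthenticated_admin_creation(event):
    """Mirror of the rule's filter: user added to the admin group with no IP field.

    The check is on the *absence* of the IP key, not on its value, because the
    point of the rule is that no authenticated session was recorded at all.
    """
    return (
        event.get("OPERATION") == "Add User"
        and event.get("MODGROUP") == "admin"
        and "IP" not in event
    )


def detect(lines):
    """Run the filter and summarise hits per created account, stats-style."""
    summary = {}
    for event in map(parse_audit_line, lines):
        if not is_unauthenticated_admin_creation(event):
            continue
        created = event.get("MODUSER", "<unknown>")
        entry = summary.setdefault(
            created, {"count": 0, "firstTime": event["_time"], "lastTime": event["_time"]}
        )
        entry["count"] += 1
        entry["firstTime"] = min(entry["firstTime"], event["_time"])
        entry["lastTime"] = max(entry["lastTime"], event["_time"])
    return summary


if __name__ == "__main__":
    for user, stats in detect(SAMPLE_AUDIT_LINES).items():
        print(f"ALERT new admin account {user!r} created without a source IP: {stats}")
```

Two triage points follow from how the filter is built. It deliberately ignores admin additions that do carry an IP, so an attacker who obtained valid credentials some other way is not caught by this rule and needs a separate baseline of who normally creates admin users and from where. Conversely, an IP field can also be missing when an account is added locally on the appliance (CLI or console) or when the log extraction drops the field, so a hit should be confirmed against change records and the vTM version in use before it is treated as exploitation.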
Categories
- Web
- Infrastructure
- Cloud
Data Sources
- Pod
- Container
- User Account
- Application Log
- Network Traffic
ATT&CK Techniques
- T1190
Created: 2025-01-21