The Apache Software Foundation has patched a vulnerability identified as CVE-2017-9805. The vulnerability affects all versions of Apache Struts since 2008. In response, we have created and released a parser to help identify systems exploited by the vulnerability. When this parser matches network traffic, "apache struts CVE-2017-9805 attempt" appears in the 'Indicators of Compromise' meta-key, and the command that was included in the exploit attempt is present in the 'Action' meta-key. The parser, 'struts_exploit', is now available in RSA NetWitness Live.
Here's a sample attack that our researchers have seen in the wild: