diff --git a/rules/web/web_cve_2019_3398_confluence.yml b/rules/web/web_cve_2019_3398_confluence.yml
new file mode 100644
index 000000000..cc93af37d
--- /dev/null
+++ b/rules/web/web_cve_2019_3398_confluence.yml
@@ -0,0 +1,27 @@
+title: Confluence Exploitation CVE-2019-3398
+id: e9bc39ae-978a-4e49-91ab-5bd481fc668b
+status: experimental
+description: Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398
+references:
+ - https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181
+author: Florian Roth
+date: 2020/05/26
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection1:
+ cs-method: 'POST'
+ c-uri|contains|all:
+ - '/upload.action'
+ - 'filename=../../../../'
+ condition: selection
+fields:
+ - c-ip
+ - c-dns
+falsepositives:
+ - Unknown
+level: critical
+
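Review bot: `condition: selection` names an identifier the detection block never defines, since the only search identifier is `selection1`. Backends will either reject the rule or it will never match; rename the key to `selection:` or change the line to `condition: selection1`. Separately, the `c-uri|contains|all` entry `'filename=../../../../'` only matches when the web server logs the traversal unencoded and at least four levels deep, so a percent-encoded request would presumably go unseen. The rule also matches on the request alone and cannot tell an attempt from a successful write, so consider adding `sc-status` under `fields` and a comment such as `# matches attempts only; correlate with response status` to help triage. On that basis `level: critical` may be high for an `experimental` rule.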