Splunk

Cisco IOS XE WebUI Programmatic Configuration

Last updated 2 days ago on 2026-07-17

About

This analytic detects Cisco IOS-XE configuration changes performed by the WebUI WSMA process.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a(external, opens in a new tab or window)https://blog.talosintelligence.com/salt-typhoon-analysis/(external, opens in a new tab or window)
False Positives
No false positives have been identified at this time.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_ios` facility="SYS" mnemonic="CONFIG_P" message_text="*Configured programmatically by process SEP_webui_wsma_http*" | rex field=_raw "process\s(?<process>\S+)\sfrom.*as\s(?<user>\S+)\son\s(?<vty>\S+)" | eval dest=coalesce(host, dvc, dest, "unknown") | stats count min(_time) as firstTime max(_time) as lastTime values(process) as process values(vty) as vty by dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_ios_xe_webui_programmatic_configuration_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).