
Summary
Detects Cisco IOS-XE WebUI authentication events that target a non-standard local port (21111) in IOSd, capturing both login successes and failures. The rule relies on Cisco IOS logs (Sourcetype cisco:ios) with the SEC_LOGIN facility and relevant mnemonics (QUIET_MODE_ON, LOGIN_SUCCESS, LOGIN_FAILED) and filters for localport 21111. It extracts the user, source IP, local port, reason, and ACL from the raw message, then aggregates by destination, user, source IP, and reason to report first and last seen times. This serves as a strong indicator of WebUI exploitation or lateral movement via the IOS-XE Linux shell path, since normal WebUI access should not use this non-standard port. Implementation guidance includes ingesting Cisco IOS logs via the Cisco IOS Add-on for Splunk and enabling login on-failure logging. False positives are expected to be low because 21111 is atypical for legitimate WebUI logins. References include CISA AA25-239A and Talos Salt Typhoon analyses. The rule maps to MITRE techniques T1190 (Exploit Public-Facing Application) and T1078 (Valid Accounts). The detection is categorized under Network assets and supports drilldown by destination with related risk context and analytic storytelling around Salt Typhoon, aiding incident response and containment.
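The extract-and-aggregate logic described above, as an added Python illustration rather than the rule's own SPL or any Cisco/Splunk code: it keeps only SEC_LOGIN events on localport 21111, pulls out user, source IP, reason and ACL, and reports first/last seen per destination, user, source and reason. The sample lines, the "<timestamp> <host> <message>" prefix, hostnames, users and addresses are constructed assumptions shaped after Cisco IOS %SEC_LOGIN messages.

```python
import re

# Constructed sample syslog lines (not real device output), shaped like Cisco IOS
# %SEC_LOGIN messages with an assumed "<timestamp> <host> <message>" prefix.
SAMPLE_LOGS = [
    "2026-06-05T12:00:01Z rtr-edge-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 21111] [Reason: Login Authentication Failed] at 12:00:01 UTC",
    "2026-06-05T12:00:09Z rtr-edge-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 21111] [Reason: Login Authentication Failed] at 12:00:09 UTC",
    "2026-06-05T12:00:15Z rtr-edge-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.1.50] [localport: 21111] at 12:00:15 UTC",
    "2026-06-05T12:01:00Z rtr-edge-1 %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 60 secs, [user: svc-backup] [Source: 10.1.1.77] [localport: 21111] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 12:01:00 UTC",
    # Ordinary WebUI login on the standard HTTPS port: must not be reported.
    "2026-06-05T12:02:00Z rtr-edge-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.1.1.10] [localport: 443] at 12:02:00 UTC",
    # Unrelated facility: must be ignored entirely.
    "2026-06-05T12:02:30Z rtr-edge-1 %SYS-5-CONFIG_I: Configured from console by netops on vty0",
]

# Header: timestamp, reporting device (the "dest"), and one of the three watched mnemonics.
HEADER_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dest>\S+) %SEC_LOGIN-\d-(?P<mnemonic>QUIET_MODE_ON|LOGIN_SUCCESS|LOGIN_FAILED):"
)
# Bracketed key/value fields carried in the message body.
FIELD_RE = re.compile(r"\[(user|Source|localport|Reason|ACL): ([^\]]*)\]")


def parse_line(line, port=21111):
    """Return extracted fields for a SEC_LOGIN event on the watched local port, else None."""
    m = HEADER_RE.match(line)
    if not m:
        return None  # other facilities / mnemonics are out of scope
    fields = dict(FIELD_RE.findall(line))
    if fields.get("localport") != str(port):
        return None  # logins on the standard WebUI ports are the normal case and are dropped
    return {
        "time": m["ts"], "dest": m["dest"], "mnemonic": m["mnemonic"],
        "user": fields.get("user"), "src": fields.get("Source"),
        "localport": int(fields["localport"]),
        "reason": fields.get("Reason"), "acl": fields.get("ACL"),
    }


def aggregate(lines, port=21111):
    """Group matching events by (dest, user, src, reason) with count, first seen and last seen."""
    out = {}
    for line in lines:
        ev = parse_line(line, port)
        if ev is None:
            continue
        key = (ev["dest"], ev["user"], ev["src"], ev["reason"])
        entry = out.setdefault(key, {"count": 0, "first_seen": ev["time"],
                                     "last_seen": ev["time"], "mnemonics": set()})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ev["time"])  # ISO-8601 strings sort lexically
        entry["last_seen"] = max(entry["last_seen"], ev["time"])
        entry["mnemonics"].add(ev["mnemonic"])
    return out


if __name__ == "__main__":
    for key, stats in aggregate(SAMPLE_LOGS).items():
        print(key, stats)
```

Two failures followed by a success from the same source on port 21111 collapse into two rows for that user (one per reason value), which is the pattern an analyst would triage first.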
Categories
- Network
Data Sources
- Application Log
- Logon Session
ATT&CK Techniques
- T1190
- T1078
Created: 2026-06-10