
Summary
The analytic named "Cisco IOS XE Implant Access" detects potential exploitation of CVE-2023-20198 in the Web User Interface of Cisco IOS XE software. The detection focuses on suspicious account creation activity, specifically requests to logout confirmation pages that match specific URL patterns. Using the Web datamodel, it looks for HTTP POST requests that succeed (HTTP status 200) and checks them for activity linked to unauthorized administrative access, with the intent of identifying the deployment of a non-persistent implant configuration file. Successful exploitation of this vulnerability can grant attackers full control over affected devices, putting the integrity and security of the network at risk. The detection mechanism is built around specific occurrences of suspicious HTTP activity, and the rule requires a suitable Technology Add-On to populate the data model in Splunk. False positives can occur and should be managed by scoping the detection to known Cisco IOS XE devices.
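The following is an added example, not the Splunk search from the analytic itself: a stand-alone Python re-implementation of the filtering logic the summary describes (HTTP POST, status 200, URL matching a logout confirmation pattern, grouped by source and destination like a tstats search, and scoped to a known Cisco IOS XE device list to manage false positives), run over constructed Web-datamodel-style log records. The field names, the key=value log format, the device inventory and the URL pattern constant are assumptions; the pattern is a placeholder that the analytic's real URL pattern would replace.

```python
"""Added example (not the analytic's own code): re-implements the Cisco IOS XE
Implant Access filtering logic over constructed web log records.

Assumptions: records are key=value lines with Web-datamodel-like field names
(src, dest, http_method, status, url, user_agent); the URL pattern below is a
placeholder, not the real indicator; the device inventory is constructed.
"""
import shlex
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Iterable, Optional, Set, Tuple

# Placeholder for the logout confirmation URL pattern the analytic matches on.
# Replace with the pattern from the detection; this value is constructed.
LOGOUT_CONFIRM_URL_PATTERN = "/webui/PLACEHOLDER_LOGOUT_CONFIRM_PAGE*"

# Constructed inventory of management addresses of known Cisco IOS XE devices.
# Hits against any other destination are treated as false positives.
KNOWN_IOS_XE_DEVICES: Set[str] = {"10.0.0.1", "10.0.0.2"}

# Constructed sample log lines (no real traffic). Line 1 and 5 match the rule
# against a known IOS XE device; 2 is a GET, 3 failed (401), 4 targets a host
# that is not IOS XE, 6 is a different URL.
SAMPLE_LOG = [
    'time=1700000000 src=203.0.113.5 dest=10.0.0.1 http_method=POST status=200 '
    'url=/webui/PLACEHOLDER_LOGOUT_CONFIRM_PAGE?id=1 user_agent="curl/8.0"',
    'time=1700000010 src=203.0.113.5 dest=10.0.0.1 http_method=GET status=200 '
    'url=/webui/PLACEHOLDER_LOGOUT_CONFIRM_PAGE?id=1 user_agent="curl/8.0"',
    'time=1700000020 src=203.0.113.5 dest=10.0.0.1 http_method=POST status=401 '
    'url=/webui/PLACEHOLDER_LOGOUT_CONFIRM_PAGE?id=1 user_agent="curl/8.0"',
    'time=1700000030 src=198.51.100.7 dest=10.0.0.9 http_method=POST status=200 '
    'url=/webui/PLACEHOLDER_LOGOUT_CONFIRM_PAGE?id=1 user_agent="Mozilla/5.0 x"',
    'time=1700000060 src=203.0.113.5 dest=10.0.0.1 http_method=POST status=200 '
    'url=/webui/PLACEHOLDER_LOGOUT_CONFIRM_PAGE?id=1 user_agent="curl/8.0"',
    'time=1700000070 src=203.0.113.5 dest=10.0.0.1 http_method=POST status=200 '
    'url=/webui/login user_agent="curl/8.0"',
]


@dataclass(frozen=True)
class WebEvent:
    time: int
    src: str
    dest: str
    http_method: str
    status: int
    url: str
    user_agent: str


def parse_event(line: str) -> WebEvent:
    """Parse one constructed key=value record; quoted values may contain spaces."""
    fields = dict(token.split("=", 1) for token in shlex.split(line))
    return WebEvent(
        time=int(fields["time"]),
        src=fields["src"],
        dest=fields["dest"],
        http_method=fields["http_method"],
        status=int(fields["status"]),
        url=fields["url"],
        user_agent=fields.get("user_agent", "-"),
    )


def matches_rule(ev: WebEvent, pattern: str = LOGOUT_CONFIRM_URL_PATTERN) -> bool:
    """The core condition: successful POST to a URL matching the pattern."""
    return (
        ev.http_method.upper() == "POST"
        and ev.status == 200
        and fnmatchcase(ev.url, pattern)
    )


def detect(
    lines: Iterable[str],
    known_devices: Optional[Set[str]] = KNOWN_IOS_XE_DEVICES,
    pattern: str = LOGOUT_CONFIRM_URL_PATTERN,
) -> Dict[Tuple[str, str, str], Dict[str, int]]:
    """Aggregate matching events by (src, dest, url) with count/firstTime/lastTime.

    When known_devices is given, hits whose destination is not a known IOS XE
    device are dropped, which is how the analytic's false positives are managed.
    """
    hits: Dict[Tuple[str, str, str], Dict[str, int]] = {}
    for line in lines:
        ev = parse_event(line)
        if not matches_rule(ev, pattern):
            continue
        if known_devices is not None and ev.dest not in known_devices:
            continue
        key = (ev.src, ev.dest, ev.url)
        agg = hits.setdefault(key, {"count": 0, "firstTime": ev.time, "lastTime": ev.time})
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], ev.time)
        agg["lastTime"] = max(agg["lastTime"], ev.time)
    return hits


if __name__ == "__main__":
    for (src, dest, url), agg in detect(SAMPLE_LOG).items():
        print(f"{src} -> {dest} {url}: {agg}")
```

Running the module prints one aggregated hit for the known device; calling `detect(SAMPLE_LOG, known_devices=None)` also returns the hit against the non-IOS XE host, which shows why the device scoping matters when the same path exists on other web applications.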
Categories
- Network
Data Sources
- Web Credential
ATT&CK Techniques
- T1190
Created: 2024-11-15