
Summary
This analytic detects exploitation attempts against Cisco Catalyst SD-WAN Manager by processing Cisco SD-WAN Service Proxy access logs. It correlates a short sequence of requests that matches the publicly reported exploitation pattern for CVE-2026-20122 (arbitrary file overwrite) and CVE-2026-20128 (information disclosure): authentication/configuration collection via a .dca path, an upload action via uploadAck, and payload retrieval via a .gz path. The rule parses the HTTP metadata in each log line (method, URI, response code, user agent), maps each request to one of these steps, and groups the steps per source/destination pair. Events are binned into fixed 1-minute windows; the rule fires when at least three distinct steps (auth, upload, payload) are observed for the same source/destination pair within one window. On a match it emits an alert naming the source and destination, with incident-response guidance and risk context.

The detection requires ingestion of the Cisco SD-WAN service-proxy access log (serviceproxy-access.log, located at /var/log/nms/containers/service-proxy/). The included search normalizes the fields, filters on the targeted URI patterns, and surfaces drilldown and risk analytics to support investigation. The rule is written for Splunk environments ingesting these logs and is aligned with the referenced Cisco advisories and public proofs of concept.
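The correlation described above, as an added example written for this page rather than taken from the rule or from Splunk: each request is classified into the auth, upload or payload step, steps are grouped per source/destination pair in fixed 1-minute bins, and an alert is raised when all three steps appear in one bin. The log layout, IP addresses, user agents and URI paths are constructed assumptions; the real serviceproxy-access.log format and the genuine endpoint paths are not reproduced here and must be mapped onto the parser when adapting this. The sample also exercises the edge case that fixed bins create: a sequence that straddles a minute boundary is missed at 60 seconds and only caught with a wider bin.

```python
"""Correlate .dca / uploadAck / .gz request steps per (src, dest) in fixed
time bins, mirroring the sequence logic the analytic summary describes."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# CONSTRUCTED sample log in an ASSUMED layout (the real serviceproxy-access.log
# layout may differ; map its fields onto these names when adapting this):
#   <ISO-8601 UTC timestamp> <src_ip> <dest_ip> "<METHOD> <URI> HTTP/x.y" <status> "<user_agent>"
# The URI paths are placeholders that only carry the three markers the
# analytic keys on; they are not real SD-WAN Manager endpoints.
SAMPLE_LOG = """\
2026-03-09T10:15:03Z 203.0.113.5 10.0.0.10 "GET /placeholder/settings.dca HTTP/1.1" 200 "curl/8.4.0"
2026-03-09T10:15:20Z 203.0.113.5 10.0.0.10 "POST /placeholder/uploadAck HTTP/1.1" 200 "curl/8.4.0"
2026-03-09T10:15:41Z 203.0.113.5 10.0.0.10 "GET /placeholder/files/bundle.gz HTTP/1.1" 200 "curl/8.4.0"
2026-03-09T10:15:45Z 203.0.113.5 10.0.0.10 "GET /placeholder/index.html HTTP/1.1" 200 "curl/8.4.0"
2026-03-09T10:16:02Z 198.51.100.7 10.0.0.10 "GET /placeholder/settings.dca HTTP/1.1" 200 "Mozilla/5.0"
2026-03-09T10:17:50Z 198.51.100.9 10.0.0.10 "GET /placeholder/settings.dca HTTP/1.1" 200 "python-requests/2.31"
2026-03-09T10:18:05Z 198.51.100.9 10.0.0.10 "POST /placeholder/uploadAck HTTP/1.1" 200 "python-requests/2.31"
2026-03-09T10:18:20Z 198.51.100.9 10.0.0.10 "GET /placeholder/files/bundle.gz HTTP/1.1" 200 "python-requests/2.31"
this line is not in the expected layout and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dest>\S+) '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[0-9.]+" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# The three URI markers the summary names, in the order the attack chain uses them.
# Each marker must end the path component or be followed by a delimiter so that
# e.g. "/foo.dcaxyz" or "/uploadAckLog" is not miscounted.
STEP_PATTERNS = (
    ("auth", re.compile(r"\.dca(?:[/?#]|$)")),
    ("upload", re.compile(r"uploadAck(?:[/?#]|$)")),
    ("payload", re.compile(r"\.gz(?:[?#]|$)")),
)


def classify_step(uri):
    """Return 'auth', 'upload', 'payload', or None for URIs the rule ignores."""
    for step, pattern in STEP_PATTERNS:
        if pattern.search(uri):
            return step
    return None


def parse_line(line):
    """Parse one access-log line into a dict; None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    try:
        ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    event["epoch"] = int(ts.timestamp())
    event["status"] = int(event["status"])
    return event


def detect(lines, window_seconds=60, min_steps=3):
    """Group step hits per (src, dest, fixed bin); alert when min_steps distinct steps appear."""
    windows = defaultdict(lambda: {"steps": set(), "requests": []})
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        step = classify_step(event["uri"])
        if step is None:
            continue
        key = (event["src"], event["dest"], event["epoch"] // window_seconds)
        windows[key]["steps"].add(step)
        windows[key]["requests"].append(
            f'{event["method"]} {event["uri"]} {event["status"]} {event["ua"]}'
        )
    alerts = []
    for (src, dest, bucket), window in sorted(windows.items()):
        if len(window["steps"]) >= min_steps:
            start = datetime.fromtimestamp(bucket * window_seconds, tz=timezone.utc)
            alerts.append({
                "src": src,
                "dest": dest,
                "window_start": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "steps": sorted(window["steps"]),
                "requests": window["requests"],
                "message": f"Possible Cisco Catalyst SD-WAN Manager exploitation "
                           f"from {src} to {dest} ({len(window['steps'])} steps in one bin)",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert["message"], alert["window_start"], alert["steps"])
    # The 198.51.100.9 chain crosses the 10:17/10:18 boundary; widen the bin to see it.
    print("alerts with 600 s bins:", len(detect(SAMPLE_LOG.splitlines(), window_seconds=600)))
```

With the 1-minute bins the summary specifies, only the 203.0.113.5 chain alerts; the 198.51.100.9 chain is split across two bins and is missed until the bin is widened. A production search that wants to avoid that gap would use a sliding window or a transaction-style grouping keyed on the first .dca hit rather than fixed bins, at the cost of more state.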
Categories
- Network
Data Sources
- File
ATT&CK Techniques
- T1190 (Exploit Public-Facing Application)
Created: 2026-03-09