
Cisco Secure Firewall - Privileged Command Execution via HTTP

Splunk Security Content

Summary
This detection rule identifies HTTP requests directed at privileged command execution paths on Cisco routers, specifically requests to the endpoint `/level/15/exec/-/*`. Such requests can indicate exploitation attempts or post-compromise activity on Cisco Secure Firewalls. The rule uses Snort signature 65370 to recognize the relevant intrusion events in the logs generated by Cisco Secure Firewall Threat Defense. By combining this signature with additional indicators, analysts can detect unauthorized access or commands being executed in a privileged context, which is critical for maintaining network security. The rule has been tested and confirmed to work with no known false positives, and it uses Splunk queries to analyze the events logged by Cisco Secure Firewall. Installing and using the rule requires the appropriate configuration and logging to be enabled in the Splunk environment, tailored to Cisco Threat Defense logs.
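As an added illustration (not the Splunk rule itself or Splunk's code), the following Python applies the same two indicators, Snort SID 65370 and the `/level/15/exec/-/` path, to a handful of constructed log lines; the syslog field layout approximates Cisco Secure Firewall Threat Defense intrusion events and is an assumption of this example.

```python
import re
from typing import Dict, List

# Constructed sample lines approximating Cisco Secure Firewall Threat Defense
# intrusion-event syslog (message class 430001). Field names and values are
# assumptions for this example, not captured production logs.
SAMPLE_LOGS = [
    "%FTD-1-430001: SrcIP: 203.0.113.7, DstIP: 192.0.2.10, DstPort: 80, "
    "AccessControlRuleAction: Block, GID: 1, SID: 65370, "
    "HTTPURI: /level/15/exec/-/show/running-config",
    "%FTD-1-430001: SrcIP: 198.51.100.4, DstIP: 192.0.2.10, DstPort: 80, "
    "AccessControlRuleAction: Allow, GID: 1, SID: 12345, HTTPURI: /index.html",
    "%FTD-1-430001: SrcIP: 203.0.113.9, DstIP: 192.0.2.11, DstPort: 8080, "
    "AccessControlRuleAction: Allow, GID: 1, SID: 99999, "
    "HTTPURI: /level/15/exec/-/configure/http",
    "%FTD-6-430003: SrcIP: 198.51.100.5, DstIP: 192.0.2.10, DstPort: 443, "
    "AccessControlRuleAction: Allow",
]

INTRUSION_EVENT = "%FTD-1-430001"  # only this class carries GID/SID/HTTPURI
FIELD_RE = re.compile(r"(\w+): ([^,]*)")
# Signature the rule keys on; the exec path is a second indicator for review.
PRIVILEGED_SID = "65370"
PRIVILEGED_URI_RE = re.compile(r"^/level/15/exec/-/")
REPORT_KEYS = ("SrcIP", "DstIP", "HTTPURI", "SID", "AccessControlRuleAction")


def parse_ftd_event(line: str) -> Dict[str, str]:
    """Split one FTD syslog line into its message id and key/value fields."""
    msg_id, _, body = line.partition(": ")
    fields = {k: v.strip() for k, v in FIELD_RE.findall(body)}
    fields["msg_id"] = msg_id
    return fields


def is_privileged_exec_attempt(event: Dict[str, str]) -> bool:
    """True for intrusion events hitting SID 65370 or the /level/15/exec/-/ path."""
    if event.get("msg_id") != INTRUSION_EVENT:
        return False
    sid_hit = event.get("SID") == PRIVILEGED_SID
    uri_hit = PRIVILEGED_URI_RE.match(event.get("HTTPURI", "")) is not None
    return sid_hit or uri_hit


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return the analyst-facing fields for every matching event, in log order."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        event = parse_ftd_event(line)
        if is_privileged_exec_attempt(event):
            hits.append({k: event.get(k, "") for k in REPORT_KEYS})
    return hits
```

The third sample line shows why the path is kept as a second indicator: it reaches the privileged exec endpoint under a different SID, so a search keyed only on 65370 would not surface it.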
Categories
  • Network
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1059
  • T1505.003
Created: 2026-01-06