Cisco Privileged Account Creation with HTTP Command Execution

Splunk Security Content

Summary
This analytic identifies potentially malicious activity in which a privileged account is created on a Cisco IOS device and is then followed by unauthorized command execution via HTTP requests. Attackers often exploit vulnerabilities to create unauthorized privileged accounts and then run sensitive commands remotely, without needing an interactive SSH session. Specifically, this correlation alerts when both a "Cisco IOS Suspicious Privileged Account Creation" event and a "Privileged Command Execution via HTTP" event are observed on the same network device, indicating a potential compromise in which the attacker uses the newly created account for escalated command execution. The correlation combines the results of these two sources and evaluates them over a 24-hour timeframe, so the behaviour is detected promptly.
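The correlation logic described above, as an added example that is not part of Splunk Security Content and not the analytic's own SPL: it takes the notable events the two contributing detections would emit, groups them by device, and raises one finding per device where an account-creation event is followed within 24 hours by an HTTP command-execution event. The event shape (`time`, `dest`, `source`) and the sample events are constructed for illustration; the two detection names are the ones the summary cites.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Names of the two contributing detections, as cited in the summary.
ACCOUNT_CREATION = "Cisco IOS Suspicious Privileged Account Creation"
HTTP_COMMAND_EXEC = "Privileged Command Execution via HTTP"

# Constructed sample findings (not real data). `dest` is the network device
# the contributing detection fired on, `source` is the detection name.
SAMPLE_EVENTS = [
    # Device 1: creation followed by HTTP execution 3.5 hours later -> correlates.
    {"time": "2026-01-06T10:00:00", "dest": "rtr-edge-01", "source": ACCOUNT_CREATION},
    {"time": "2026-01-06T13:30:00", "dest": "rtr-edge-01", "source": HTTP_COMMAND_EXEC},
    # Device 2: both events seen, but 48 hours apart -> outside the 24h window.
    {"time": "2026-01-06T09:00:00", "dest": "rtr-core-02", "source": ACCOUNT_CREATION},
    {"time": "2026-01-08T09:00:00", "dest": "rtr-core-02", "source": HTTP_COMMAND_EXEC},
    # Device 3: only one of the two sources -> no correlation.
    {"time": "2026-01-06T11:00:00", "dest": "rtr-branch-03", "source": HTTP_COMMAND_EXEC},
    # Device 4: execution precedes creation -> does not match "creation followed by execution".
    {"time": "2026-01-06T12:00:00", "dest": "sw-dist-04", "source": HTTP_COMMAND_EXEC},
    {"time": "2026-01-06T14:00:00", "dest": "sw-dist-04", "source": ACCOUNT_CREATION},
]


def correlate(events, window=timedelta(hours=24)):
    """Return one finding per device on which an account-creation event is
    followed, within `window`, by an HTTP command-execution event."""
    by_dest = defaultdict(lambda: {ACCOUNT_CREATION: [], HTTP_COMMAND_EXEC: []})
    for ev in events:
        src = ev["source"]
        if src not in (ACCOUNT_CREATION, HTTP_COMMAND_EXEC):
            continue  # unrelated detections are ignored by this correlation
        by_dest[ev["dest"]][src].append(datetime.fromisoformat(ev["time"]))

    findings = []
    for dest, buckets in sorted(by_dest.items()):
        creations = sorted(buckets[ACCOUNT_CREATION])
        executions = sorted(buckets[HTTP_COMMAND_EXEC])
        for created_at in creations:
            # Executions that occur at or after the creation and within the window.
            later = [e for e in executions if created_at <= e <= created_at + window]
            if later:
                findings.append({
                    "dest": dest,
                    "account_created": created_at.isoformat(),
                    "first_http_exec": min(later).isoformat(),
                    "risk_sources": [ACCOUNT_CREATION, HTTP_COMMAND_EXEC],
                })
                break  # one finding per device is enough for triage
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The ordering check (creation before execution) follows the summary's "followed by" wording; dropping it reduces the correlation to "both sources seen on the same device within 24 hours", which is the looser form a risk-based alerting rule typically implements. Widening `window` shows how the second device would start to match.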
Categories
  • Network
Data Sources
  • User Account
  • Process
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1021.004
  • T1136
  • T1078
Created: 2026-01-06