
Cisco IOS XE WebUI Programmatic Configuration

Splunk Security Content

Summary
This anomaly detects Cisco IOS-XE configuration changes performed by the WebUI WSMA HTTP process (SEP_webui_wsma_http). It covers configuration-change events logged by Cisco IOS devices and ingested into Splunk (sourcetype cisco:ios). The search anchors on lines containing "Configured programmatically by process SEP_webui_wsma_http" and extracts the involved process, user, and vty from the raw event. The destination (dest) is normalized from the host, dvc, or dest fields, and the rule aggregates results by destination and user, reporting firstTime and lastTime alongside the detected process and vty values. The detection is classified as an anomaly on network assets and surfaces intermediate findings such as: "User <user> performed Cisco IOS-XE WebUI programmatic configuration on <dest>". The rule belongs to the Salt Typhoon analytic story and expects Cisco IOS logs to be ingested via the Splunk Cisco IOS Add-on. It maps to MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1078 (Valid Accounts) to contextualize unusual or unauthorized configuration activity. Known false positives are not identified at this time. This rule is suitable for environments monitoring network devices where WebUI-based, programmatic configuration changes should be rare or tightly controlled, and it enables drilldown views by destination or user to investigate potential abuse or misconfigurations.
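The anchoring, field extraction and grouping described above, as an added Python example that is not the rule's own SPL: it keys on the same anchor string, pulls process, user and vty out of constructed sample events, and groups by dest and user with firstTime/lastTime. The `host=` token standing in for the normalized dest field and the message layout of the sample lines are assumptions.

```python
import re
from datetime import datetime

# Constructed sample events (not real device output). The message body follows
# the Cisco %SYS-5-CONFIG_P layout as an assumption; "host=" stands in for dest.
SAMPLE_EVENTS = [
    "2026-06-10T08:01:12Z host=rtr-edge-01 %SYS-5-CONFIG_P: Configured programmatically "
    "by process SEP_webui_wsma_http from console as netops on vty1",
    "2026-06-10T08:03:45Z host=rtr-edge-01 %SYS-5-CONFIG_P: Configured programmatically "
    "by process SEP_webui_wsma_http from console as netops on vty2",
    # CLI change: lacks the WebUI anchor string, so the rule never counts it
    "2026-06-10T08:05:00Z host=rtr-edge-01 %SYS-5-CONFIG_I: Configured from console "
    "by admin on vty0",
    "2026-06-10T09:12:00Z host=sw-core-02 %SYS-5-CONFIG_P: Configured programmatically "
    "by process SEP_webui_wsma_http from console as svc_backup on vty3",
]
ANCHOR = "Configured programmatically by process SEP_webui_wsma_http"
FIELDS = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<dest>\S+).*?by process (?P<process>\S+) "
    r"from console as (?P<user>\S+) on (?P<vty>\S+)$"
)

def parse_event(line):
    """Return the extracted fields for a WebUI WSMA config event, else None."""
    if ANCHOR not in line or (m := FIELDS.match(line)) is None:
        return None  # no anchor, or anchored but unparsable: drop, do not guess
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def aggregate(lines):
    """Group matching events by (dest, user) with firstTime/lastTime, process, vty."""
    groups = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        g = groups.setdefault((ev["dest"], ev["user"]), {
            "firstTime": ev["ts"], "lastTime": ev["ts"],
            "process": set(), "vty": set(), "count": 0})
        g["firstTime"] = min(g["firstTime"], ev["ts"])
        g["lastTime"] = max(g["lastTime"], ev["ts"])
        g["process"].add(ev["process"])
        g["vty"].add(ev["vty"])
        g["count"] += 1
    return groups

def findings(lines):
    """One finding message per (dest, user) pair, in the rule's own wording."""
    return [f"User {user} performed Cisco IOS-XE WebUI programmatic configuration on {dest}"
            for dest, user in sorted(aggregate(lines))]
```

Running `findings(SAMPLE_EVENTS)` yields one message for netops on rtr-edge-01 (two events, vty1 and vty2) and one for svc_backup on sw-core-02; the CONFIG_I line is ignored because it lacks the anchor.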
Categories
  • Network
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1190
  • T1078
Created: 2026-06-10