Splunk

Cisco IOS XE Tunnel Interface Configuration

Last updated 2 days ago on 2026-07-17

About

This analytic detects creation of a Cisco IOS-XE tunnel interface with tunnel source, tunnel destination, and an IP address in the 10.10.12.0 network. The Salt Typhoon notes identify this tunnel configuration pattern as suspicious.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a(external, opens in a new tab or window)https://blog.talosintelligence.com/salt-typhoon-analysis/(external, opens in a new tab or window)
False Positives
No false positives have been identified at this time.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_ios` facility IN ("HA_EM", "PARSER") mnemonic IN ("LOG", "CFGLOG_LOGGEDCMD") message_text IN ("*interface Tunnel*", "*tunnel source*", "*tunnel destination*", "*ip address 10.10.12.*") | rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?<eem_command>.+?)\s*$" | rex field=message_text "<enteredCommand><cli>(?<parser_command>.*?)</cli>" | rex field=message_text "<user>(?<parser_user>[^<]+)</user>" | rex field=message_text "<srcIP>(?<parser_src_ip>[^<]+)</srcIP>" | eval command=lower(trim(coalesce(parser_command, eem_command, ""))) | eval event_type=case( match(command, "^interface\s+tunnel"), "interface_tunnel", match(command, "^tunnel\s+source"), "tunnel_source", match(command, "^tunnel\s+destination"), "tunnel_destination", match(command, "^ip\s+address\s+10\.10\.12\."), "tunnel_ip_address", true(), null()) | where isnotnull(event_type) | eval user=coalesce(parser_user, user, "unknown") | eval src_ip=coalesce(parser_src_ip, src_ip, "unknown") | eval dest=coalesce(host, dvc, dest, "unknown") | bin _time span=15m | stats count min(_time) as firstTime max(_time) as lastTime values(event_type) as event_types values(user) as user values(src_ip) as src_ip values(command) as commands by _time dest | where mvfind(event_types, "interface_tunnel") >= 0 AND mvfind(event_types, "tunnel_source") >= 0 AND mvfind(event_types, "tunnel_destination") >= 0 AND mvfind(event_types, "tunnel_ip_address") >= 0 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_ios_xe_tunnel_interface_configuration_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).