Splunk

Cisco IOS XE VTY Access Class Tampering

Last updated 2 days ago on 2026-07-17

About

This analytic detects rapid modification of Cisco IOS-XE VTY access-class settings. The Salt Typhoon notes describe configure HTTP activity followed by line vty changes and removal/re-application of an access-class within 60 seconds.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a(external, opens in a new tab or window)https://blog.talosintelligence.com/salt-typhoon-analysis/(external, opens in a new tab or window)
False Positives
VTY ACL changes occur during legitimate management access updates. Filter approved maintenance windows and known administrators.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_ios` facility IN ("HA_EM", "PARSER") mnemonic IN ("LOG", "CFGLOG_LOGGEDCMD") message_text IN ( "*access-class*", "*configure http*", "*line vty*" ) | rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?<eem_command>.+?)\s*$" | rex field=message_text "<enteredCommand><cli>(?<parser_command>.*?)</cli>" | rex field=message_text "<user>(?<parser_user>[^<]+)</user>" | rex field=message_text "<srcIP>(?<parser_src_ip>[^<]+)</srcIP>" | eval command=lower(trim(coalesce(parser_command, eem_command, ""))) | eval event_type=case( like(command, "configure http%") OR like(command, "ip http secure-server%"), "http_config", like(command, "line vty%"), "line_vty", like(command, "no access-class%"), "remove_access_class", like(command, "access-class%"), "add_access_class", true(), null()) | where isnotnull(event_type) | eval user=coalesce(parser_user, user, "unknown") | eval src_ip=coalesce(parser_src_ip, src_ip, "unknown") | eval dest=coalesce(host, dvc, dest, "unknown") | bin _time span=1m | stats count min(_time) as firstTime max(_time) as lastTime values(event_type) as event_types values(user) as user values(src_ip) as src_ip values(command) as commands by _time dest | where mvfind(event_types, "line_vty") >= 0 AND mvfind(event_types, "remove_access_class") >= 0 AND mvfind(event_types, "add_access_class") >= 0 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_ios_xe_vty_access_class_tampering_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).