Splunk

Cisco IOS XE Remote Access Probe Burst

Last updated 2 days ago on 2026-07-17

About

This analytic detects bursts of ping, SSH, and Telnet commands issued from Cisco IOS or NX-OS devices. The Salt Typhoon notes describe repeated SSH, Telnet-to-port-22, and ping activity across multiple IP addresses in a short time window.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a(external, opens in a new tab or window)https://blog.talosintelligence.com/salt-typhoon-analysis/(external, opens in a new tab or window)
False Positives
Network reachability testing, migration validation, and troubleshooting can generate repeated ping, SSH, or Telnet commands.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_ios` facility IN ("AAA", "HA_EM") mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG") message_text IN ("*ssh *", "*telnet *", "*ping *") | rex field=message_text "^\w+:(?<aaa_src>[^:@]+)(?:@[^:]*)?:(?<aaa_user>[^:]*):(?<aaa_command>.*?)(?:\s+\((?<aaa_result>SUCCESS|FAILURE)\))?$" | rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?<eem_command>.+?)\s*$" | eval command=lower(trim(coalesce(aaa_command, eem_command, ""))) | where match(command, "^(ssh|telnet|ping)\s+") | rex field=command "(?i)^(?:ssh(?:\s+-l\s+\S+)?|telnet|ping)\s+(?<target_ip>\d{1,3}(?:\.\d{1,3}){3})" | eval command_type=case(match(command, "^ssh\s+"), "ssh", match(command, "^telnet\s+"), "telnet", match(command, "^ping\s+"), "ping") | eval user=coalesce(aaa_user, user, "unknown") | eval src_ip=coalesce(aaa_src, src_ip, "unknown") | eval dest=coalesce(host, dvc, dest, "unknown") | bin _time span=10m | stats count as command_count min(_time) as firstTime max(_time) as lastTime dc(target_ip) as distinct_targets values(target_ip) as target_ips values(command_type) as command_types values(command) as commands by _time dest user src_ip | where command_count >= 8 OR distinct_targets >= 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_ios_xe_remote_access_probe_burst_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).