Splunk

Cisco IOS XE Guestshell Activation and Destroy

Last updated 2 days ago on 2026-07-17

About

This analytic detects Cisco IOS-XE guestshell enable activity followed by activation and destroy lifecycle logs. The detection focuses on HA_EM command logging for "guestshell enable" and "guestshell destroy", VMAN activation and destroy messages, and IM/IOX guestshell activation logs observed on some IOS-XE images.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a(external, opens in a new tab or window)https://blog.talosintelligence.com/salt-typhoon-analysis/(external, opens in a new tab or window)
False Positives
No false positives have been identified at this time.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_ios` facility IN ("HA_EM", "VMAN", "IM", "AAA") mnemonic IN ("LOG", "ACTIVATION_STATE", "IOX_INST_INFO", "INSTALL_STATE", "AAA_ACCOUNTING_MESSAGE") message_text IN ( "*guestshell enable*", "*guestshell destroy*", "*Successfully activated virtual service 'guestshell*", "*IOX SERVICE guestshell*", "*Destroying virtual service 'guestshell*", "*Successfully destroyed virtual service 'guestshell*" ) | eval dest=coalesce(host, dvc, dest, "unknown") | eval event_type=case( like(message_text, "%guestshell enable%"), "guestshell_enable_command", like(message_text, "%guestshell destroy%"), "guestshell_destroy_command", like(message_text, "%Successfully activated virtual service 'guestshell%"), "vman_guestshell_activated", like(message_text, "%IOX SERVICE guestshell%"), "im_iox_guestshell_activated", like(message_text, "%Destroying virtual service 'guestshell%"), "vman_guestshell_destroying", like(message_text, "%Successfully destroyed virtual service 'guestshell%"), "vman_guestshell_destroyed", true(), "other" ) | bin _time span=30m | stats count min(_time) as firstTime max(_time) as lastTime values(event_type) as event_types values(message_text) as message by _time dest | where ( mvfind(event_types, "vman_guestshell_activated") >= 0 OR mvfind(event_types, "im_iox_guestshell_activated") >= 0 OR mvfind(event_types, "guestshell_enable_command") >= 0 ) AND ( mvfind(event_types, "vman_guestshell_destroying") >= 0 OR mvfind(event_types, "vman_guestshell_destroyed") >= 0 OR mvfind(event_types, "guestshell_destroy_command") >= 0 ) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_ios_xe_guestshell_activation_and_destroy_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).