
Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication

Splunk Security Content

Summary
This hunting rule detects potential credential abuse against Cisco SD-WAN vManage by identifying scenarios where multiple unique source IP addresses successfully authenticate as vmanage-admin via SSH publickey within a short time window. The Splunk search parses Cisco SD-WAN authentication logs to extract event_timestamp, destination, username, source IP, source port, key_type, and the SSH key. It filters for the user 'vmanage-admin', bins events into 2-minute windows, and computes the number of unique source IPs issuing a valid publickey authentication. If two or more distinct source IPs are observed in the same window, the rule flags the event set as suspicious. This aligns with CVE-2026-20127 guidance, which notes that compromised systems may show Accepted publickey for vmanage-admin from unauthorized IPs. Operators should validate flagged IPs against known SD-WAN Manager system IPs and investigate concurrent or unexpected sources. The analytic is labeled under Cisco SD-WAN Catalyst analytics and leverages the cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication_filter detection filter for alerting or hunting workflows.
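The search logic summarised above, reimplemented as an added Python example that is not part of Splunk Security Content: it parses constructed sshd-style "Accepted publickey" lines (the raw Cisco SD-WAN log layout is assumed, not taken from the rule), bins them into 2-minute windows, counts distinct source IPs for vmanage-admin, and additionally marks any flagged IP that is missing from an operator-supplied allowlist of known SD-WAN Manager system IPs (the `known_ips` parameter is this example's addition).

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
# Constructed sample records in OpenSSH sshd "Accepted publickey" layout (assumed;
# the rule page does not show the raw Cisco SD-WAN log format).
SAMPLE_LOGS = """\
2026-06-16T10:00:05 vmanage1 sshd[1201]: Accepted publickey for vmanage-admin from 10.1.1.10 port 40111 ssh2: RSA SHA256:AAAAexample1
2026-06-16T10:00:40 vmanage1 sshd[1202]: Accepted publickey for vmanage-admin from 10.1.1.10 port 40112 ssh2: RSA SHA256:AAAAexample1
2026-06-16T10:01:15 vmanage1 sshd[1203]: Accepted publickey for vmanage-admin from 203.0.113.7 port 52000 ssh2: RSA SHA256:BBBBexample2
2026-06-16T10:05:02 vmanage1 sshd[1204]: Accepted publickey for vmanage-admin from 10.1.1.10 port 40113 ssh2: RSA SHA256:AAAAexample1
2026-06-16T10:05:30 vmanage1 sshd[1205]: Accepted publickey for admin from 10.1.1.20 port 40114 ssh2: RSA SHA256:CCCCexample3
"""
# Field extraction for the rule's fields: timestamp, destination, username, source IP/port, key type, key.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dest>\S+) sshd\[\d+\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<src_ip>\S+) port (?P<src_port>\d+) ssh2: (?P<key_type>\S+) (?P<key>\S+)$"
)

def parse_events(text):
    """Parse successful publickey logins; timestamps are treated as UTC."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"]).replace(tzinfo=timezone.utc)
            events.append(ev)
    return events

def find_suspicious_windows(events, user="vmanage-admin", window_s=120,
                            min_ips=2, known_ips=frozenset()):
    """Filter to `user`, bin into window_s buckets (like `bin span=2m`), flag buckets with
    >= min_ips distinct source IPs; IPs outside known_ips are reported as unexpected."""
    buckets = defaultdict(lambda: {"ips": set(), "keys": set(), "dest": None})
    for ev in events:
        if ev["user"] != user:
            continue
        b = buckets[int(ev["ts"].timestamp()) // window_s * window_s]
        b["ips"].add(ev["src_ip"])
        b["keys"].add(f'{ev["key_type"]} {ev["key"]}')
        b["dest"] = ev["dest"]
    hits = []
    for start, b in sorted(buckets.items()):
        if len(b["ips"]) >= min_ips:
            hits.append({"window_start": datetime.fromtimestamp(start, tz=timezone.utc),
                         "dest": b["dest"], "distinct_src_ip": len(b["ips"]),
                         "src_ips": sorted(b["ips"]), "keys": sorted(b["keys"]),
                         "unexpected_src_ips": sorted(b["ips"] - set(known_ips))})
    return hits
```

In the sample data only the 10:00 window is flagged: two logins from 10.1.1.10 and one from 203.0.113.7 land in the same 2-minute bin, while the later login falls in a separate bin and the `admin` login is filtered out.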
Categories
  • Network
Data Sources
  • Logon Session
ATT&CK Techniques
  • T1595
  • T1190
Created: 2026-06-16