
Summary
Detects when more than one distinct SSH publickey fingerprint is observed authenticating the same user from the same source IP against a Cisco Catalyst SD-WAN control component. Normally, after legitimate key rotation or reboot, only the current key should be valid. The presence of multiple keys from a single source may indicate unauthorized key injection or persistence, potentially related to CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk). The rule aggregates keys per destination, user, and source, and flags cases with multiple distinct keys. Analysts should validate the flagged keys and source IPs against known SD-WAN Manager System IPs and investigate anomalous pairings. This detection relies on ingestion of Cisco SD-WAN authentication logs (e.g., /var/log/auth.log) and the provided Splunk search to extract fields and compute distinct SSH keys. If confirmed, remediation includes key rotation validation, reviewing recent SD-WAN key changes, and confirming the integrity of the control component.
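The aggregation the rule describes, as an added Python example (not the rule's Splunk search and not Cisco's code): it parses OpenSSH-style "Accepted publickey" lines, which are assumed here to be the format of the control component's /var/log/auth.log, groups fingerprints by destination, user and source IP, and flags groups with more than one distinct key, tagging whether the source is one of the known SD-WAN Manager System IPs the analyst supplies. The log lines, hostnames, IPs and fingerprints are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth.log format (assumed format for the
# SD-WAN control component). Fingerprints are placeholders, not real keys.
SAMPLE_AUTH_LOG = """\
Jun 16 09:01:12 vmanage-1 sshd[2211]: Accepted publickey for admin from 10.10.1.5 port 51002 ssh2: RSA SHA256:AAAAexamplefp1
Jun 16 09:03:40 vmanage-1 sshd[2290]: Accepted publickey for admin from 10.10.1.5 port 51010 ssh2: RSA SHA256:AAAAexamplefp1
Jun 16 09:15:02 vmanage-1 sshd[2401]: Accepted publickey for admin from 10.10.1.5 port 51233 ssh2: ED25519 SHA256:BBBBexamplefp2
Jun 16 09:20:55 vmanage-1 sshd[2455]: Accepted publickey for netops from 10.10.2.9 port 40001 ssh2: RSA SHA256:CCCCexamplefp3
Jun 16 09:22:01 vmanage-1 sshd[2460]: Failed publickey for admin from 10.10.1.5 port 51300 ssh2: RSA SHA256:DDDDexamplefp4
"""

# Only successful publickey logins count; "Failed publickey" lines are ignored.
ACCEPTED_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ (?P<dest>\S+) sshd\[\d+\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2: (?P<keytype>\S+) (?P<fp>SHA256:\S+)"
)


def parse_accepted(log_text):
    """Yield (dest, user, src, fingerprint) for each successful publickey login."""
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            yield m["dest"], m["user"], m["src"], m["fp"]


def find_multi_key_sources(log_text, known_manager_ips=frozenset()):
    """Group fingerprints per (dest, user, src) and return the groups with >1 key.

    Each finding carries whether the source is a known SD-WAN Manager System IP
    (analyst-supplied set) so expected rotations can be triaged first."""
    keys = defaultdict(set)
    for dest, user, src, fp in parse_accepted(log_text):
        keys[(dest, user, src)].add(fp)
    findings = []
    for (dest, user, src), fps in sorted(keys.items()):
        if len(fps) > 1:
            findings.append({
                "dest": dest, "user": user, "src": src,
                "distinct_keys": sorted(fps),
                "src_is_known_manager": src in known_manager_ips,
            })
    return findings


if __name__ == "__main__":
    for f in find_multi_key_sources(SAMPLE_AUTH_LOG, known_manager_ips={"10.10.2.9"}):
        print(f)
```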
Categories
- Network
Data Sources
- Application Log
ATT&CK Techniques
- T1595
- T1190
Created: 2026-06-16