
Summary
This detection rule identifies unauthorized access attempts against the Cisco Smart Install protocol by monitoring TCP traffic to port 4786. Cisco Smart Install is a feature that automates image management and configuration of Cisco switches, but it became a target for exploitation because of vulnerabilities such as CVE-2018-0171, which can allow attackers to execute arbitrary code or cause a denial of service. Notably, a Russian state-sponsored group known as 'Static Tundra' has been observed actively exploiting this vulnerability against unpatched devices. By analyzing network traffic directed to this port, organizations can pinpoint attempts at remote exploitation or unauthorized use of the Smart Install feature, enabling effective incident response and threat mitigation. The rule leverages Splunk's ability to collect and analyze network traffic data, allowing administrators to monitor both internal and external traffic patterns for potential threats and to make informed decisions about network security policies governing the use of Smart Install.
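The following is an added example, not the rule's own Splunk search, showing the detection logic the summary describes applied to a handful of constructed network-traffic records shaped like the Splunk Network_Traffic data model fields (src, dest, dest_port, transport, action). It keeps only TCP flows to port 4786, tags each source as internal (RFC 1918 space) or external so the two traffic patterns can be reviewed separately, and aggregates attempts per source. Field names, the sample events and the private-range assumption are this example's own choices.

```python
import ipaddress
from typing import Dict, List

# Cisco Smart Install listens on TCP/4786 (stated in the rule summary).
SMART_INSTALL_PORT = 4786

# Assumption: RFC 1918 ranges count as "internal" for this environment.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events (not real telemetry), modelled on Splunk
# Network_Traffic field names. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges used here as stand-ins for external sources.
SAMPLE_EVENTS = [
    {"src": "203.0.113.45", "dest": "10.10.1.5", "dest_port": "4786", "transport": "tcp", "action": "allowed"},
    {"src": "10.20.0.7",    "dest": "10.10.1.5", "dest_port": "4786", "transport": "tcp", "action": "allowed"},
    {"src": "10.20.0.7",    "dest": "10.10.1.5", "dest_port": "22",   "transport": "tcp", "action": "allowed"},
    {"src": "198.51.100.9", "dest": "10.10.1.5", "dest_port": "4786", "transport": "udp", "action": "allowed"},
    {"src": "203.0.113.45", "dest": "10.10.1.6", "dest_port": "4786", "transport": "tcp", "action": "blocked"},
    {"src": "203.0.113.77", "dest": "10.10.1.6", "dest_port": "n/a",  "transport": "tcp", "action": "allowed"},
]


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the assumed private ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def find_smart_install_attempts(events: List[dict]) -> List[dict]:
    """Return every TCP flow whose destination port is 4786.

    Blocked flows are kept: a firewall deny is still evidence that
    someone tried to reach the Smart Install service.
    """
    hits = []
    for event in events:
        if str(event.get("transport", "")).lower() != "tcp":
            continue
        try:
            port = int(event.get("dest_port", -1))
        except (TypeError, ValueError):
            # Malformed port field: skip rather than crash the search.
            continue
        if port != SMART_INSTALL_PORT:
            continue
        src = event.get("src", "")
        hits.append({
            "src": src,
            "dest": event.get("dest", ""),
            "action": event.get("action", ""),
            "origin": "internal" if is_internal(src) else "external",
        })
    return hits


def summarize_by_source(hits: List[dict]) -> Dict[str, dict]:
    """Aggregate attempts per source address for triage."""
    summary: Dict[str, dict] = {}
    for hit in hits:
        entry = summary.setdefault(hit["src"], {
            "origin": hit["origin"], "count": 0, "targets": set(), "blocked": 0,
        })
        entry["count"] += 1
        entry["targets"].add(hit["dest"])
        if hit["action"] == "blocked":
            entry["blocked"] += 1
    return summary


if __name__ == "__main__":
    for src, info in summarize_by_source(
            find_smart_install_attempts(SAMPLE_EVENTS)).items():
        print(f"{src:15} {info['origin']:8} attempts={info['count']} "
              f"blocked={info['blocked']} targets={sorted(info['targets'])}")
```

External sources reaching 4786 are the immediate concern; internal sources should be compared against the hosts that are actually authorized to run Smart Install so that the policy decision the summary mentions (who may use the feature at all) is backed by observed traffic.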
Categories
- Network
- Endpoint
Data Sources
- Pod
- Network Traffic
ATT&CK Techniques
- T1190
Created: 2025-08-21