
Summary
This anomaly rule detects bursts of Cisco IOS-XE/NX-OS reconnaissance activity by monitoring syslog events that contain enumerative 'show' commands. Adversaries with initial access to network devices commonly execute commands rapidly and repeatedly to gather configuration details, network topology, active sessions and other service state in order to identify attack paths.

The rule ingests Cisco IOS logs, parses the message_text field to extract the user, source IP and executed command, and classifies each command into one of the categories show_conf, show_tacacs, show_cdp, show_file, dir_bootflash, show_clock, show_platform and terminal. Events are then aggregated into 5-minute bins. If four or more unique command_type values are observed for the same destination device and user within one bin, the rule raises an anomaly alert. Outputs include firstTime/lastTime, the list of command types and the actual commands, and a cross-event view across user, src_ip and destination.

The analytic storyline references Salt Typhoon. MITRE ATT&CK coverage includes T1082 (Discovery), T1016 (System Network Configuration Discovery) and T1590 (Gather Victim Identity/Information). The rule targets Splunk-based deployments and expects Cisco IOS-XE data to be ingested via the Cisco Splunk app with sourcetype cisco:ios; TACACS+ command accounting or EEM catchall syslog can provide visibility into command execution. Because legitimate network audits can produce similar bursts, tuning the included command list and the threshold is recommended to reduce false positives. References include CISA AA25-239A and the Talos Salt Typhoon analysis. The detection supports drilldown searches for per-destination risk review and historical analysis, and it maps to an intermediate finding that highlights the initiating user and the set of recon commands executed on the destination device.
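The classify-bin-threshold logic described above, as an added Python example that is not the rule's own Splunk search: the syslog lines, the EEM "CLI_LOG" field layout and the per-category regexes are constructed assumptions, and the 5-minute bin and four-type threshold follow the summary.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
# Constructed sample events; the CLI_LOG field layout is an assumption, not real device output.
SAMPLE_LOGS = """\
2026-06-10T12:00:01Z sw-core-01 %HA_EM-6-LOG: CLI_LOG: user=admin src=10.1.1.5 cmd="show running-config"
2026-06-10T12:00:09Z sw-core-01 %HA_EM-6-LOG: CLI_LOG: user=admin src=10.1.1.5 cmd="show tacacs"
2026-06-10T12:01:30Z sw-core-01 %HA_EM-6-LOG: CLI_LOG: user=admin src=10.1.1.5 cmd="show cdp neighbors detail"
2026-06-10T12:03:12Z sw-core-01 %HA_EM-6-LOG: CLI_LOG: user=admin src=10.1.1.5 cmd="dir bootflash:"
2026-06-10T12:04:40Z sw-core-01 %HA_EM-6-LOG: CLI_LOG: user=admin src=10.1.1.5 cmd="show platform"
2026-06-10T12:02:00Z sw-core-01 %HA_EM-6-LOG: CLI_LOG: user=netops src=10.9.9.9 cmd="show clock"
2026-06-10T12:06:00Z sw-edge-07 %HA_EM-6-LOG: CLI_LOG: user=admin src=10.1.1.5 cmd="show running-config"
2026-06-10T12:06:05Z sw-edge-07 %HA_EM-6-LOG: CLI_LOG: user=admin src=10.1.1.5 cmd="terminal length 0"
"""
EVENT_RE = re.compile(r'^(\S+) (\S+) .*?user=(\S+) src=(\S+) cmd="([^"]*)"')
# The rule's command categories; each regex (assumed here) runs over the normalised command text.
COMMAND_TYPES = [
    ("show_conf", r"^show (running|startup)-config"),
    ("show_tacacs", r"^show tacacs"),
    ("show_cdp", r"^show cdp"),
    ("show_file", r"^show file"),
    ("dir_bootflash", r"^dir (boot)?flash"),
    ("show_clock", r"^show clock"),
    ("show_platform", r"^show platform"),
    ("terminal", r"^terminal "),
]

def classify(cmd):
    """Return the command_type for a command, or None if it is not one of the recon commands."""
    cmd = " ".join(cmd.lower().split())  # normalise case and whitespace before matching
    return next((name for name, pat in COMMAND_TYPES if re.match(pat, cmd)), None)

def detect(raw_logs, window=300, threshold=4):
    """Aggregate recon commands into 5-minute bins per (dest, user); alert at >= threshold types."""
    bins = defaultdict(lambda: {"types": set(), "commands": [], "src_ips": set(), "times": []})
    for line in raw_logs.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # not a command-accounting event
        ts, dest, user, src_ip, cmd = m.groups()
        ctype = classify(cmd)
        if ctype is None:
            continue  # ordinary command, not counted toward the burst
        epoch = int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())
        b = bins[(dest, user, epoch - epoch % window)]  # floor the timestamp to its 5-minute bin
        b["types"].add(ctype); b["commands"].append(cmd); b["src_ips"].add(src_ip); b["times"].append(epoch)
    return [{"dest": d, "user": u, "firstTime": min(b["times"]), "lastTime": max(b["times"]),
             "command_types": sorted(b["types"]), "commands": b["commands"], "src_ips": sorted(b["src_ips"])}
            for (d, u, _), b in sorted(bins.items()) if len(b["types"]) >= threshold]
```

Only the admin session on sw-core-01 fires (five distinct types inside one bin); the netops clock checks and the two-type burst on sw-edge-07 stay below the threshold, which is the knob to raise when scheduled audits produce similar bursts.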
Categories
- Network
- Infrastructure
Data Sources
- Command
- Application Log
ATT&CK Techniques
- T1082
- T1016
- T1590
Created: 2026-06-10