
Cisco IOS XE Remote Access Probe Burst

Splunk Security Content

Summary
This anomaly rule detects bursts of ping, SSH, and Telnet commands issued from Cisco IOS-XE/NX-OS devices to multiple targets within a short time window. It consumes Cisco IOS syslog messages (AAA accounting and related logs) to extract the source device, user, and command text, normalizes commands to identify SSH/Telnet/ping usage, and resolves target IPs. Results are aggregated in 10‑minute windows by time, destination, and source, recording command_count, distinct_targets, and the commands observed. A burst is flagged when command_count >= 8 or distinct_targets >= 5, signaling Salt Typhoon–like remote-access probing.

Output includes intermediate findings (dest, user, command_count, distinct_targets) and threat objects (target_ips, commands) for downstream investigation. MITRE mappings include T1018 (Remote System Discovery), T1021.004 (SSH), and T1046 (Network Service Scanning).

The rule is tailored for Splunk environments (Splunk Enterprise, Splunk ES, Splunk Cloud) and provides drilldown searches for per-destination risk and time-bounded telemetry, plus a true-positive test dataset using Salt Typhoon Cisco logs. A false-positive caveat notes that routine network checks or maintenance tasks can generate similar patterns.
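The aggregation and thresholding described above, as an added example that is not the rule's own SPL: it assumes a simplified, constructed command-accounting line format (not the real Cisco syslog layout), groups by 10-minute window, device and user, and applies the command_count >= 8 / distinct_targets >= 5 thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a simplified Cisco IOS command-accounting style (not real captures).
SAMPLE_LOGS = [
    "2024-05-10T10:01:05Z rtr-edge-01 user=admin cmd=ssh -l svc 10.0.0.5",
    "2024-05-10T10:01:40Z rtr-edge-01 user=admin cmd=telnet 10.0.0.6",
    "2024-05-10T10:02:12Z rtr-edge-01 user=admin cmd=ping 10.0.0.7",
    "2024-05-10T10:03:01Z rtr-edge-01 user=admin cmd=ping vrf mgmt 10.0.0.8",
    "2024-05-10T10:04:30Z rtr-edge-01 user=admin cmd=ssh 10.0.0.9",
    "2024-05-10T10:02:00Z sw-core-02 user=netops cmd=ping 10.0.0.1",
    "2024-05-10T10:02:20Z sw-core-02 user=netops cmd=show version",
    "2024-05-10T10:02:45Z sw-core-02 user=netops cmd=ping 10.0.0.1",
]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<dest>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.+)$")
REMOTE_RE = re.compile(r"^(ssh|telnet|ping)\b", re.IGNORECASE)  # command normalization
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")              # target resolution

def parse_line(line):
    """Return (timestamp, dest, user, tool, target_ip) for ssh/telnet/ping commands, else None."""
    m = LINE_RE.match(line)
    tool = REMOTE_RE.match(m["cmd"]) if m else None
    ip = IP_RE.search(m["cmd"]) if m else None
    if not (tool and ip):
        return None  # malformed line, not a remote-access command, or no resolvable target
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["dest"], m["user"], tool.group(1).lower(), ip.group(0)

def find_bursts(lines, min_commands=8, min_targets=5):
    """Aggregate per 10-minute window, device and user; flag bursts using the rule's thresholds."""
    buckets = defaultdict(lambda: {"commands": [], "targets": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, dest, user, tool, ip = parsed
        window = ts.replace(minute=ts.minute - ts.minute % 10, second=0)  # floor to 10-min bucket
        buckets[(window, dest, user)]["commands"].append(tool)
        buckets[(window, dest, user)]["targets"].add(ip)
    findings = []
    for (window, dest, user), b in sorted(buckets.items()):
        count, targets = len(b["commands"]), len(b["targets"])
        if count >= min_commands or targets >= min_targets:
            findings.append({"window": window, "dest": dest, "user": user,
                             "command_count": count, "distinct_targets": targets,
                             "target_ips": sorted(b["targets"]),
                             "commands": sorted(set(b["commands"]))})
    return findings
```

With the sample above, rtr-edge-01 trips the distinct_targets threshold (five targets in one window) while sw-core-02's repeated pings of a single host do not, which is the kind of routine check the false-positive caveat refers to.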
Categories
  • Network
  • On-Premise
  • Infrastructure
Data Sources
  • Cloud Service
  • Application Log
  • Script
  • Command
ATT&CK Techniques
  • T1018
  • T1021.004
  • T1046
Created: 2026-06-10