
Cisco IOS XE Guestshell Activation and Destroy

Splunk Security Content

Summary
This rule detects Cisco IOS-XE guestshell lifecycle activity by correlating log events across the HA_EM, VMAN, IM, and AAA facilities on IOS-XE devices. It searches for guestshell-related messages such as "guestshell enable" and "guestshell destroy" alongside VMAN/IM/IOX activation and destruction indicators (e.g., "Successfully activated virtual service 'guestshell'" and the corresponding destruction messages).

The detection aggregates results into 30-minute bins per destination host, capturing the first and last timestamps and the set of observed event types and messages. A true detection is generated when there is evidence of both an activation (enable command or VMAN/IM activation) and a destruction event (destroy command or VMAN destruction) within the same window, signaling a complete guestshell lifecycle on a device. The search then annotates the destination and event types (e.g., guestshell_enable_command, vman_guestshell_activated, im_iox_guestshell_activated, guestshell_destroy_command, vman_guestshell_destroying, vman_guestshell_destroyed) and surfaces this as an intermediate finding indicating a Cisco IOS-XE device on which guestshell was enabled and subsequently destroyed.

The rule is designed for Splunk deployments with the Cisco IOS Add-on ingesting syslog data (sourcetype cisco:ios) and requires enabling EEM catchall command logging so that guestshell enable/destroy commands are captured as HA_EM/LOG events. It references the relevant advisories (CISA AA25-239A; Talos Salt Typhoon) and lists Salt Typhoon as its analytic story. Known false positives are not reported at this time.
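The correlation described above, as an added Python example rather than the rule's own SPL: it classifies cisco:ios syslog lines into the event types the summary names, bins them per host into 30-minute windows, and reports only windows that contain both an activation and a destruction event. The syslog lines, the host names and the exact VMAN message wording are constructed for illustration.

```python
import re
from datetime import datetime

# Message fragments mapped to the event types the rule names (constructed approximations
# of IOS-XE wording, not the rule's own SPL). im_iox_guestshell_activated has no fragment here.
PATTERNS = [
    (re.compile(r"guestshell enable", re.I), "guestshell_enable_command"),
    (re.compile(r"guestshell destroy", re.I), "guestshell_destroy_command"),
    (re.compile(r"Successfully activated virtual service 'guestshell'"), "vman_guestshell_activated"),
    (re.compile(r"Successfully destroyed virtual service 'guestshell'"), "vman_guestshell_destroyed"),
]
ACTIVATION = {"guestshell_enable_command", "vman_guestshell_activated", "im_iox_guestshell_activated"}
DESTRUCTION = {"guestshell_destroy_command", "vman_guestshell_destroying", "vman_guestshell_destroyed"}
SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")

def classify(message):
    """Return the rule's event type for one syslog message, or None if unrelated."""
    for pattern, event_type in PATTERNS:
        if pattern.search(message):
            return event_type
    return None

def correlate(lines, year=2026):
    """Bin events per host into 30-minute windows; return windows with both an activation and a destruction."""
    bins = {}
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        event_type = classify(m.group(3))
        if event_type is None:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
        bin_start = ts.replace(minute=ts.minute - ts.minute % 30, second=0)  # like bin span=30m
        b = bins.setdefault((m.group(2), bin_start), {"first": ts, "last": ts, "types": set()})
        b["first"], b["last"] = min(b["first"], ts), max(b["last"], ts)
        b["types"].add(event_type)
    return [{"dest": host, "window_start": start, "firstTime": b["first"], "lastTime": b["last"],
             "event_types": sorted(b["types"])}
            for (host, start), b in sorted(bins.items())
            if b["types"] & ACTIVATION and b["types"] & DESTRUCTION]

# Constructed sample: a full lifecycle on edge-rtr1 in one window, plus an enable-only
# event on edge-rtr2 that must not produce a finding.
SAMPLE_LOGS = [
    "Jun 10 12:01:05 edge-rtr1 %HA_EM-6-LOG: catchall: guestshell enable",
    "Jun 10 12:02:40 edge-rtr1 %VMAN-5-VIRT_INST_STATE: Successfully activated virtual service 'guestshell'",
    "Jun 10 12:19:30 edge-rtr1 %HA_EM-6-LOG: catchall: guestshell destroy",
    "Jun 10 12:20:01 edge-rtr1 %VMAN-5-VIRT_INST_STATE: Successfully destroyed virtual service 'guestshell'",
    "Jun 10 13:05:00 edge-rtr2 %HA_EM-6-LOG: catchall: guestshell enable",
]
```

Running `correlate(SAMPLE_LOGS)` yields one finding for edge-rtr1 with firstTime 12:01:05 and lastTime 12:20:01; the lone enable on edge-rtr2 is ignored because its window has no destruction event.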
Categories
  • Network
Data Sources
  • Command
  • Logon Session
  • Process
  • File
  • Network Traffic
  • Web Credential
  • Application Log
  • Container
  • Windows Registry
  • Script
  • Image
  • Cloud Storage
  • Internet Scan
  • Kernel
  • Driver
  • Volume
  • Cloud Service
  • Sensor Health
  • Module
  • Pod
  • Instance
  • Snapshot
  • Certificate
  • WMI
  • Named Pipe
  • Service
  • Domain Name
  • Firewall
  • Drive
  • Network Share
ATT&CK Techniques
  • T1059
  • T1611
Created: 2026-06-10