
Summary
An anomaly detection rule that flags rapid tampering with Cisco IOS-XE VTY access-class settings. It ingests Cisco IOS logs and looks for patterns tied to HTTP service activity, VTY line configuration, and access-class changes. The rule parses the CLI command, the executing user, and the source IP from each event, then classifies events into http_config, line_vty, remove_access_class, and add_access_class. It aggregates by device in 1-minute windows and requires all three relevant actions (line_vty, remove_access_class, and add_access_class) to appear within the same minute. When these conditions are met, it reports firstTime/lastTime, the destination device, the observed commands, and the implicated user and source IP. This behavior mirrors Salt Typhoon patterns in which HTTP configuration activity is followed by rapid VTY access-class modifications within roughly 60 seconds. The rule maps to the MITRE techniques Impair Defenses (T1562) and Remote Services (T1021), since modifying VTY access controls can enable or persist unauthorized access. The analytic storyline references Salt Typhoon and is intended to surface coordinated, time-sensitive changes to remote management access policies. It assumes the Cisco Catalyst Splunk Add-on is used to ingest Cisco IOS syslog with config-command logging enabled (sourcetype cisco_ios).
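The classification and 1-minute aggregation described above, as an added Python example rather than the rule's own SPL: the sample syslog lines are constructed, and their layout (in particular the "from <ip>" field) and the command regexes are assumptions, so a real cisco_ios field extraction may differ.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the page); layout is assumed.
SAMPLE_LOGS = """\
2025-01-15T10:00:05Z rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_admin from 198.51.100.7 logged command:ip http server
2025-01-15T10:00:20Z rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_admin from 198.51.100.7 logged command:line vty 0 4
2025-01-15T10:00:25Z rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_admin from 198.51.100.7 logged command:no access-class MGMT in
2025-01-15T10:00:40Z rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_admin from 198.51.100.7 logged command:access-class OPEN in
2025-01-15T10:03:00Z rtr2 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops from 203.0.113.9 logged command:line vty 0 4
2025-01-15T10:03:10Z rtr2 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops from 203.0.113.9 logged command:access-class MGMT in
"""

# Assumed line layout: "<iso-ts> <host> ... User:<name> from <ip> logged command:<cli>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dest>\S+) .*User:(?P<user>\S+) from (?P<src>\S+) "
    r"logged command:(?P<cmd>.+)$"
)

# Checked in order: "no access-class" must be tested before "access-class".
CLASSES = [
    ("http_config", re.compile(r"^ip http")),
    ("line_vty", re.compile(r"^line vty")),
    ("remove_access_class", re.compile(r"^no access-class")),
    ("add_access_class", re.compile(r"^access-class")),
]
REQUIRED = {"line_vty", "remove_access_class", "add_access_class"}

def classify(cmd):
    for name, pat in CLASSES:
        if pat.search(cmd):
            return name
    return None

def detect(log_text):
    """Bucket classified events per (device, minute); alert when every REQUIRED action is present."""
    windows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        kind = classify(m["cmd"]) if m else None
        if kind is None:
            continue
        bucket = (m["dest"], m["ts"][:16])  # tumbling 1-minute bin, like bin span=1m
        windows[bucket].append((m["ts"], kind, m["cmd"], m["user"], m["src"]))
    alerts = []
    for (dest, _), events in windows.items():
        if REQUIRED <= {e[1] for e in events}:
            events.sort()  # chronological, since the timestamp is the first tuple field
            alerts.append({
                "firstTime": events[0][0], "lastTime": events[-1][0], "dest": dest,
                "commands": [e[2] for e in events],
                "users": sorted({e[3] for e in events}),
                "src_ips": sorted({e[4] for e in events}),
            })
    return alerts
```

rtr2 only shows line_vty and add_access_class in its minute, so it does not alert; rtr1 shows all three required actions within one minute and is reported with the http_config command included in the evidence.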
Categories
- Network
Data Sources
- Container
- Web Credential
- Network Traffic
- File
- Logon Session
ATT&CK Techniques
- T1562
- T1021
Created: 2026-06-10