
Summary
This analytic detects the creation of a Cisco IOS-XE tunnel interface that specifies a tunnel source, a tunnel destination, and an IP address within the 10.10.12.0/24 network. The Salt Typhoon notes identify this tunnel configuration pattern as suspicious.

The detection relies on Cisco IOS logs ingested with the Splunk sourcetype cisco:ios and uses a multi-step, field-extraction approach that requires the presence of four related CLI events: interface Tunnel*, tunnel source, tunnel destination, and an IP address in the 10.10.12.* range. The search parses the log data to extract the entered commands, normalizes them, and categorizes each extracted command as an event_type (interface_tunnel, tunnel_source, tunnel_destination, tunnel_ip_address). It then aggregates results by destination and time window, emitting an alert only when all four event_types are observed for the same device, which indicates a new tunnel interface configured with the specified source/destination and IP.

Known false positives: none identified at this time. References include the CISA AA25-239A advisory and the Talos Salt Typhoon analysis. The MITRE ATT&CK mappings included with the rule are T1572 and T1090. The rule is designed for Splunk deployments (Enterprise, ES, and Cloud) using the Cisco IOS Add-on for data ingestion. Its intended operational context is monitoring network devices for suspicious tunnel/interface configuration activity.
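The aggregation logic described above, re-implemented in Python as an added example rather than the rule's own SPL: it parses constructed Cisco IOS config-logging lines (the %PARSER-5-CFGLOG_LOGGEDCMD format, approximated here), normalizes each command, classifies it into one of the four event_types, buckets by device and time window, and alerts only when a single device shows all four types in one window. The hostnames, timestamps and addresses are constructed sample values; the one-hour window and the bucketing scheme are assumptions, since the summary does not state the rule's window length.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines approximating Cisco IOS "archive log config"
# output. r1 issues all four commands (should alert); r2 is missing the tunnel
# destination; r3 uses an IP outside 10.10.12.0/24; the SYS-5 line carries no
# logged command and is skipped.
SAMPLE_LOGS = """\
Jun 10 12:00:01 r1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface Tunnel100
Jun 10 12:00:05 r1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:ip address 10.10.12.3 255.255.255.0
Jun 10 12:00:09 r1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:tunnel source GigabitEthernet0/0
Jun 10 12:00:13 r1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:tunnel destination 203.0.113.45
Jun 10 12:00:20 r1 %SYS-5-CONFIG_I: Configured from console by admin on vty0
Jun 10 12:05:01 r2 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface Tunnel5
Jun 10 12:05:04 r2 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:ip address 10.10.12.9 255.255.255.0
Jun 10 12:05:08 r2 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:tunnel source Loopback0
Jun 10 12:10:01 r3 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface Tunnel7
Jun 10 12:10:04 r3 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:ip address 10.10.13.7 255.255.255.0
Jun 10 12:10:08 r3 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:tunnel source GigabitEthernet0/1
Jun 10 12:10:12 r3 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:tunnel destination 198.51.100.9
"""

# Timestamp, originating device (the "dest" field in Splunk terms) and the
# command text that follows "logged command:".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+.*?logged command:(?P<cmd>.+)$"
)

# Patterns are matched against the normalized (lowercased, whitespace-collapsed)
# command, mirroring the four event_types named in the rule summary.
EVENT_PATTERNS = [
    ("interface_tunnel", re.compile(r"^interface tunnel\d+\b")),
    ("tunnel_source", re.compile(r"^tunnel source\b")),
    ("tunnel_destination", re.compile(r"^tunnel destination\b")),
    ("tunnel_ip_address", re.compile(r"^ip address 10\.10\.12\.\d{1,3}\b")),
]
REQUIRED = {name for name, _ in EVENT_PATTERNS}
EPOCH = datetime(1900, 1, 1)  # syslog lines carry no year; strptime defaults to 1900


def normalize(cmd):
    """Lowercase and collapse whitespace so 'Interface  Tunnel100' matches."""
    return " ".join(cmd.strip().lower().split())


def classify(cmd):
    """Return the event_type for a command, or None if it is not of interest."""
    norm = normalize(cmd)
    for event_type, pattern in EVENT_PATTERNS:
        if pattern.search(norm):
            return event_type
    return None


def parse_line(line):
    """Extract (timestamp, dest, command) from a config-logging line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("host"), m.group("cmd")


def detect(lines, window_seconds=3600):
    """Group classified commands by (dest, time bucket); alert when all four
    event_types appear for the same device in the same window."""
    buckets = defaultdict(lambda: defaultdict(list))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, dest, cmd = parsed
        event_type = classify(cmd)
        if event_type is None:
            continue
        bucket = int((ts - EPOCH).total_seconds()) // window_seconds
        buckets[(dest, bucket)][event_type].append(normalize(cmd))

    alerts = []
    for (dest, bucket), seen in sorted(buckets.items()):
        if REQUIRED <= seen.keys():
            alerts.append({
                "dest": dest,
                "window": bucket,
                "event_types": sorted(seen),
                "commands": [c for et in sorted(seen) for c in seen[et]],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS.splitlines()):
        print(f"ALERT dest={alert['dest']} commands={alert['commands']}")
```

Only r1 produces an alert: r2 lacks a tunnel destination and r3's address falls outside 10.10.12.0/24, so neither satisfies the all-four-event_types condition. Tuning the window length is the main lever against a device whose tunnel configuration is spread across several sessions.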
Categories
- Network
Data Sources
- Cloud Storage
- File
- Logon Session
- Process
- Network Traffic
- Network Share
- Web Credential
ATT&CK Techniques
- T1572
- T1090
Created: 2026-06-10