
Summary
The detection rule targets inbound SSH connections to the `sshd_operns` service on network devices monitored by Cisco Secure Firewall. Historically, advanced persistent threat (APT) actors have exploited vulnerabilities to enable `sshd_operns` and expose it on atypical ports, maintaining stealthy remote access to compromised systems. This analytic relies on Snort signature 65368, which identifies such connections. When correlated with other indicators, these events may reveal persistence mechanisms set up by threat actors. The rule is built on Cisco Secure Firewall Threat Defense intrusion events and requires configuration adjustments to fit the Splunk environment in which it runs. It includes macros to streamline analysis of the event data and offers post-filtering to reduce false positives. Overall, this rule improves the ability to detect suspicious SSH activity indicative of unauthorized access attempts or ongoing exploitation within the network infrastructure.
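The following is an added example, not code from the rule or from Cisco or Splunk. It shows the shape of the detection logic the summary describes: select intrusion events carrying Snort SID 65368, apply post-filtering against known management sources to cut false positives, and raise severity when the `sshd_operns` listener sits on a non-standard port. The event field names (`signature_id`, `src_ip`, `dest_ip`, `dest_port`), the sample events, and the management network range are constructed assumptions, not the product's real schema.

```python
"""Added example (not the page's or the vendor's code): filter Cisco Secure
Firewall intrusion events for Snort SID 65368 (inbound SSH to sshd_operns)
and post-filter them the way the rule summary describes. Field names and
sample events below are constructed assumptions, not the product schema."""

from collections import defaultdict
from ipaddress import ip_address, ip_network

SSHD_OPERNS_SID = 65368      # Snort signature named on the page
STANDARD_SSH_PORT = 22

# Constructed sample events, loosely shaped like intrusion-event records.
SAMPLE_EVENTS = [
    {"ts": "2026-01-06T10:00:01Z", "signature_id": 65368, "src_ip": "198.51.100.20",
     "dest_ip": "192.0.2.10", "dest_port": 22},
    {"ts": "2026-01-06T10:00:05Z", "signature_id": 65368, "src_ip": "10.10.5.5",
     "dest_ip": "192.0.2.10", "dest_port": 22},     # management host, allow-listed
    {"ts": "2026-01-06T10:00:09Z", "signature_id": 65368, "src_ip": "203.0.113.77",
     "dest_ip": "192.0.2.11", "dest_port": 2222},   # listener on an atypical port
    {"ts": "2026-01-06T10:00:12Z", "signature_id": 1000001, "src_ip": "203.0.113.77",
     "dest_ip": "192.0.2.11", "dest_port": 80},     # unrelated signature, ignored
]

# Management ranges whose SSH access to devices is expected (assumed values;
# in a real deployment this is the post-filter macro the rule refers to).
KNOWN_MGMT_NETWORKS = [ip_network("10.10.5.0/24")]


def is_known_management_source(src_ip):
    """True when the source belongs to an allow-listed management network."""
    ip = ip_address(src_ip)
    return any(ip in net for net in KNOWN_MGMT_NETWORKS)


def detect_sshd_operns(events, sid=SSHD_OPERNS_SID, allowlist=is_known_management_source):
    """Return one finding per (dest_ip, dest_port, src_ip) triple that fired the
    target SID from a non-allow-listed source. Severity is raised when the
    listener is on a non-standard port, the pattern the rule summary calls out."""
    hits = defaultdict(int)
    for ev in events:
        if ev.get("signature_id") != sid:
            continue
        if allowlist(ev["src_ip"]):
            continue
        hits[(ev["dest_ip"], ev["dest_port"], ev["src_ip"])] += 1

    findings = []
    for (dest_ip, dest_port, src_ip), count in sorted(hits.items()):
        findings.append({
            "dest_ip": dest_ip,
            "dest_port": dest_port,
            "src_ip": src_ip,
            "count": count,
            "severity": "high" if dest_port != STANDARD_SSH_PORT else "medium",
            "technique": "T1021.004",   # ATT&CK technique listed on the page
        })
    return findings


if __name__ == "__main__":
    for finding in detect_sshd_operns(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the allow-listed management host and the unrelated signature drop out, leaving two findings: the standard-port connection at medium severity and the port-2222 listener at high severity. In Splunk the same shape maps onto a search over the intrusion-event sourcetype filtered on the SID, with the allow-list expressed as a macro and the port check driving the risk score.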
Categories
- Network
- Cloud
- Infrastructure
Data Sources
- Cloud Service
- Process
ATT&CK Techniques
- T1021.004
Created: 2026-01-06