
SSH (Secure Shell) from the Internet

Elastic Detection Rules

Summary
This detection rule identifies suspicious SSH traffic originating from the Internet to internal networks, focusing on events that could indicate unauthorized access attempts. SSH (Secure Shell) is primarily used for secure remote management by system administrators. However, when exposed directly to the Internet, SSH services attract malicious actors exploiting vulnerabilities or weak credentials, making them a target for initial access and a possible channel for command and control. The rule examines network events where the destination port is 22 or where the traffic is SSH as recorded by the Zeek Intrusion Detection System. To minimize false positives, the rule excludes known private address ranges and specific source IPs presumed safe within the internal network. The rule is categorized as medium severity with a risk score of 47 and alerts when SSH connections reach internal hosts from sources that do not match the recognized internal configuration. This detection is vital in fortifying network security against unauthorized remote access and potential breaches.
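The following is an added illustration, not the rule's own query or Elastic's code: a Python re-implementation of the logic the summary describes (destination port 22 or Zeek SSH, a source outside the excluded private ranges, an internal destination), run over constructed ECS-style events. The exact exclusion list and the placeholder "known-safe" source are assumptions.

```python
import ipaddress

# Constructed re-implementation of the detection logic described above.
# Not the rule's own query; this exclusion list is an assumption.
EXCLUDED_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
    "203.0.113.5/32",                                  # placeholder: a source presumed safe
)]
INTERNAL_DESTINATIONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7",
)]

def in_any(ip: str, networks) -> bool:
    """True if the address falls inside any network of the same IP version."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if addr.version == net.version)

def is_ssh_from_internet(event: dict) -> bool:
    """Apply the rule logic from the summary to one flat ECS-style event."""
    if event.get("event.category") not in ("network", "network_traffic"):
        return False
    if event.get("network.transport", "tcp") != "tcp":
        return False
    is_ssh = event.get("destination.port") == 22 or event.get("event.dataset") == "zeek.ssh"
    if not is_ssh:
        return False
    src, dst = event.get("source.ip"), event.get("destination.ip")
    if not src or not dst:
        return False
    # Alert only when an external source reaches an internal destination.
    return not in_any(src, EXCLUDED_SOURCES) and in_any(dst, INTERNAL_DESTINATIONS)

# Constructed sample events (documentation-range addresses, not real traffic).
SAMPLE_EVENTS = [
    {"event.category": "network", "source.ip": "198.51.100.23", "destination.ip": "10.1.2.3", "destination.port": 22},
    {"event.category": "network", "source.ip": "192.168.1.10", "destination.ip": "10.1.2.3", "destination.port": 22},
    {"event.category": "network_traffic", "event.dataset": "zeek.ssh", "source.ip": "198.51.100.23",
     "destination.ip": "172.16.5.9", "destination.port": 2222},
    {"event.category": "network", "source.ip": "198.51.100.23", "destination.ip": "10.1.2.3", "destination.port": 443},
    {"event.category": "network", "source.ip": "203.0.113.5", "destination.ip": "10.1.2.3", "destination.port": 22},
]

def alerts(events):
    """Return the events that would raise an alert under this logic."""
    return [e for e in events if is_ssh_from_internet(e)]

if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print("ALERT ssh_from_internet", e["source.ip"], "->", e["destination.ip"])
```

Only the first and third sample events alert: the second comes from a private source, the fourth is not SSH, and the fifth comes from the presumed-safe source.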
Categories
  • Network
  • Endpoint
  • Cloud
  • Infrastructure
Data Sources
  • Network Traffic
  • Logon Session
  • Process
ATT&CK Techniques
  • T1021
  • T1190
Created: 2020-02-18