
Summary
The "SSH Key Generated via ssh-keygen" detection rule identifies unauthorized creation of SSH keys on Linux systems using the standard utility, ssh-keygen. While SSH keys are essential for secure authentication, their misuse can let threat actors maintain persistence or move laterally within a network. The rule monitors file creation events related to SSH key generation in sensitive directories such as '/home/*/.ssh/*', '/root/.ssh/*', and '/etc/ssh/*', excluding known_hosts files to reduce false positives. It uses an EQL (Elastic Query Language) query to capture such events within a specified time frame of the past nine months, focusing on the processes linked to the creation of SSH keys. The detection not only helps identify potentially malicious use cases but also supports investigation of account manipulation and lateral movement tactics as defined by the MITRE ATT&CK framework. Together, these elements aim to flag and mitigate security threats associated with unauthorized SSH key generation.
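To make the rule's matching logic concrete, the following is an added example written for this page; it is not the rule's own EQL query or any Elastic code. It re-implements the file-path and process conditions described above in Python over a handful of constructed file-creation events. The event field names (event_type, category, file_path, process_name, user) and the treatment of every basename starting with "known_hosts" as the excluded file are assumptions of this example, not details from the rule.

```python
from fnmatch import fnmatchcase

# Watched directories, taken from the rule description. As in Elastic
# wildcards, fnmatch's "*" also matches "/" so nested paths are covered.
WATCHED_PATTERNS = ("/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*")
KEYGEN_PROCESS = "ssh-keygen"

def is_ssh_key_creation(event: dict) -> bool:
    """Return True when an event looks like the rule's target: a file
    created by ssh-keygen inside a watched SSH directory, excluding
    known_hosts files. Field names are assumed for this example."""
    if event.get("category") != "file" or event.get("event_type") != "creation":
        return False
    path = event.get("file_path", "")
    if not any(fnmatchcase(path, pattern) for pattern in WATCHED_PATTERNS):
        return False
    basename = path.rsplit("/", 1)[-1]
    # Assumption: treat known_hosts and its backups (known_hosts.old) as the
    # known_hosts exclusion the rule mentions.
    if basename.startswith("known_hosts"):
        return False
    return event.get("process_name") == KEYGEN_PROCESS

def detect(events):
    """Filter a list of events down to those the rule would alert on."""
    return [e for e in events if is_ssh_key_creation(e)]

def hits_by_user(events):
    """Triage helper: count alerts per user so an analyst can see which
    accounts generated keys during the window."""
    counts = {}
    for e in detect(events):
        counts[e.get("user", "?")] = counts.get(e.get("user", "?"), 0) + 1
    return counts

# Constructed sample events for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    {"category": "file", "event_type": "creation", "process_name": "ssh-keygen",
     "user": "alice", "file_path": "/home/alice/.ssh/id_ed25519"},
    {"category": "file", "event_type": "creation", "process_name": "ssh-keygen",
     "user": "alice", "file_path": "/home/alice/.ssh/id_ed25519.pub"},
    # ssh updating known_hosts: inside a watched dir but explicitly excluded
    {"category": "file", "event_type": "creation", "process_name": "ssh",
     "user": "alice", "file_path": "/home/alice/.ssh/known_hosts"},
    # ssh-keygen writing outside the watched directories: not matched
    {"category": "file", "event_type": "creation", "process_name": "ssh-keygen",
     "user": "bob", "file_path": "/tmp/scratch_key"},
    # authorized_keys edited by an editor, not ssh-keygen: outside this rule's
    # scope (a separate rule would be needed to cover it)
    {"category": "file", "event_type": "creation", "process_name": "vim",
     "user": "root", "file_path": "/root/.ssh/authorized_keys"},
    # host key regenerated on the system: matched, and worth a follow-up
    {"category": "file", "event_type": "creation", "process_name": "ssh-keygen",
     "user": "root", "file_path": "/etc/ssh/ssh_host_ed25519_key"},
    # modification rather than creation: not matched
    {"category": "file", "event_type": "modification", "process_name": "ssh-keygen",
     "user": "root", "file_path": "/root/.ssh/id_rsa"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT user={hit['user']} path={hit['file_path']}")
    print(hits_by_user(SAMPLE_EVENTS))
```

Running the block prints three alerts (alice's key pair and the root host key) and the per-user tally. The vim write to authorized_keys is deliberately left unflagged to show the rule's boundary: it keys on the ssh-keygen process, so key material dropped by other tools needs separate coverage.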
Categories
- Endpoint
- Linux
- Cloud
Data Sources
- File
- Process
- Network Traffic
ATT&CK Techniques
- T1098
- T1098.004
- T1021
- T1021.004
- T1563
- T1563.001
Created: 2024-05-31