
Summary
This detection rule identifies potential brute force attacks against the SSH (Secure Shell) service on Linux and other Unix systems. It uses audit logs collected from endpoints and focuses on failed user authentication attempts in which the SSH daemon is the authenticating process. The Splunk search first filters for audit events of type USER_AUTH with the result field 'res=failed', applies a regular expression to extract the process name from the executable path, and then evaluates the related fields (source IP address, account name and user ID), dropping entries that are irrelevant to the detection. It then aggregates the remaining events over two time windows: more than three failed attempts within a 10-second span, or, over a 10-minute window, either a count of distinct values collected (for example the number of accounts tried) or a total number of failed attempts that exceeds the rule's threshold. Events meeting either condition are flagged as suspicious and may indicate a brute force or password spraying attack (the two ATT&CK techniques listed below). A lookup against DNS records enriches matching events by mapping IP addresses to hostnames, which gives additional context during an investigation.
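The filtering and windowing described above, as an added example that is not the rule's SPL or any Splunk code: a Python script that parses constructed auditd USER_AUTH records, keeps only sshd failures that carry a remote address, and applies the two windows. Grouping by source address, the 10-second threshold of four or more failures, and the 10-minute thresholds (six failures in total, or four distinct accounts) are this example's own assumptions; the summary only gives the two window lengths and the "more than three" figure, not the rule's grouping fields or 10-minute thresholds.

```python
import re
from collections import defaultdict

# Constructed auditd USER_AUTH records, not captured from a real host: four rapid
# root failures from one address, six accounts tried a minute apart from another,
# two ordinary failures then a success from an operator, and four console
# (non-SSH) failures that must not count. auid=4294967295 is auditd's "unset"
# audit uid, which is what sshd reports before authentication succeeds.
SAMPLE_LOGS = """\
type=USER_AUTH msg=audit(1707468000.101:501): pid=2001 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1707468002.117:502): pid=2002 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1707468005.402:503): pid=2003 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1707468009.880:504): pid=2004 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1707468000.300:505): pid=2005 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="alice" exe="/usr/sbin/sshd" hostname=203.0.113.9 addr=203.0.113.9 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1707468060.311:506): pid=2006 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="bob" exe="/usr/sbin/sshd" hostname=203.0.113.9 addr=203.0.113.9 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1707468120.295:507): pid=2007 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="carol" exe="/usr/sbin/sshd" hostname=203.0.113.9 addr=203.0.113.9 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1707468180.330:508): pid=2008 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="dave" exe="/usr/sbin/sshd" hostname=203.0.113.9 addr=203.0.113.9 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1707468240.287:509): pid=2009 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="eve" exe="/usr/sbin/sshd" hostname=203.0.113.9 addr=203.0.113.9 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1707468300.301:510): pid=2010 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="frank" exe="/usr/sbin/sshd" hostname=203.0.113.9 addr=203.0.113.9 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1707468010.010:511): pid=2011 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="ops" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1707468100.020:512): pid=2012 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="ops" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1707468130.030:513): pid=2013 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="ops" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_AUTH msg=audit(1707468000.500:514): pid=2014 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=failed'
type=USER_AUTH msg=audit(1707468001.500:515): pid=2014 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=failed'
type=USER_AUTH msg=audit(1707468002.500:516): pid=2014 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=failed'
type=USER_AUTH msg=audit(1707468003.500:517): pid=2014 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=failed'
"""

TS_RE = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")   # epoch seconds of the record
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value, quoted or bare
PROC_RE = re.compile(r"([^/]+)$")                     # process name = last path component of exe


def parse_events(text):
    """Parse USER_AUTH records into dicts; other record types are skipped.
    Hex-encoded acct values (auditd's escaping for odd characters) are not decoded."""
    events = []
    for line in text.splitlines():
        if not line.startswith("type=USER_AUTH"):
            continue
        ts = TS_RE.search(line)
        if not ts:
            continue
        fields = {k: v.strip("\"'") for k, v in KV_RE.findall(line)}
        exe = fields.get("exe", "")
        events.append({
            "ts": int(ts.group(1)),
            "acct": fields.get("acct", "?"),
            "uid": fields.get("uid", "?"),
            "auid": fields.get("auid", "?"),
            "process": PROC_RE.search(exe).group(1) if exe else "?",
            "addr": fields.get("addr", "?"),
            "terminal": fields.get("terminal", "?"),
            "res": fields.get("res", "?"),
        })
    return events


def ssh_failures(events):
    """Keep failed logins handled by sshd that carry a remote address (drops console logins)."""
    return [e for e in events
            if e["res"] == "failed"
            and (e["process"] == "sshd" or e["terminal"] == "ssh")
            and e["addr"] not in ("?", "")]


def sliding_windows(evs, window):
    """For each event (sorted by ts) yield the events within the trailing window, inclusive."""
    j = 0
    for i, ev in enumerate(evs):
        while ev["ts"] - evs[j]["ts"] > window:
            j += 1
        yield evs[j:i + 1]


def detect_bruteforce(failures, burst_window=10, burst_min=4,
                      slow_window=600, slow_min_total=6, slow_min_accounts=4):
    """Group failures by source address (assumption) and flag:
    'burst'  - at least burst_min failures inside burst_window seconds (more than three in 10 s),
    'volume' - at least slow_min_total failures inside slow_window seconds,
    'spray'  - at least slow_min_accounts distinct accounts inside slow_window seconds.
    The 10-minute thresholds are this example's own choice, not the rule's."""
    by_src = defaultdict(list)
    for e in failures:
        by_src[e["addr"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = set()
        if any(len(w) >= burst_min for w in sliding_windows(evs, burst_window)):
            reasons.add("burst")
        for w in sliding_windows(evs, slow_window):
            if len(w) >= slow_min_total:
                reasons.add("volume")
            if len({e["acct"] for e in w}) >= slow_min_accounts:
                reasons.add("spray")
        if reasons:
            alerts[src] = {"reasons": sorted(reasons), "failures": len(evs),
                           "accounts": sorted({e["acct"] for e in evs})}
    return alerts


def run_detection(text):
    return detect_bruteforce(ssh_failures(parse_events(text)))


if __name__ == "__main__":
    for src, alert in run_detection(SAMPLE_LOGS).items():
        print(src, alert)
```

The operator address 192.0.2.10 produces no alert (two failures, then a success), and the four console failures are excluded even though they would satisfy the burst window, which is the point of filtering on the process and terminal before aggregating. In production the DNS enrichment step would run on the `addr` values of the alerts returned here.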
Categories
- Linux
- Endpoint
Data Sources
- User Account
- Process
- Logon Session
ATT&CK Techniques
- T1110.001
- T1110.003
Created: 2024-02-09