
Summary
This detection rule monitors for an excessive number of simultaneous connections to a CrushFTP server from a single source IP address, a pattern that can indicate a brute force attack or an automated intrusion attempt. It is particularly relevant in the context of CVE-2025-31161, an authentication bypass vulnerability affecting specific versions of CrushFTP. The rule relies on CrushFTP logs that record session details, extracting attributes such as the originating IP address and the user identity, then aggregates connection attempts per source and compares the count against a threshold to flag behavior that may indicate a security incident. The threshold should be tuned to the organization's typical traffic patterns to minimize false positives, especially where many clients share one address, as behind NAT or a proxy. Implementing the detection requires forwarding CrushFTP logs to a Splunk environment with the correct sourcetype configured so that the fields are parsed and the search can identify the threat.
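The aggregation described above, as an added stand-alone example rather than the rule's own Splunk search: it parses connection events from constructed log lines (the timestamp, session id, `src=` and `user=` layout is assumed for this example and is not the real CrushFTP log format), counts connections per source IP inside a sliding time window, and flags any IP that reaches the threshold. It also shows the tuning knobs the summary mentions: the threshold, the window length, and an allowlist for known shared egress addresses such as NAT gateways or proxies. The function names and the sample data are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, NOT real CrushFTP log output: the timestamp, session id,
# src= and user= fields follow an assumed layout used only for this example.
SAMPLE_LOG = """\
2025-04-08 10:00:01 [sess=101] CONNECT src=203.0.113.10 user=alice
2025-04-08 10:00:02 [sess=102] CONNECT src=203.0.113.10 user=bob
2025-04-08 10:00:02 [sess=103] CONNECT src=203.0.113.10 user=carol
2025-04-08 10:00:03 [sess=104] CONNECT src=203.0.113.10 user=dave
2025-04-08 10:00:03 [sess=105] CONNECT src=203.0.113.10 user=erin
2025-04-08 10:00:04 [sess=106] CONNECT src=203.0.113.10 user=frank
2025-04-08 10:00:30 [sess=107] CONNECT src=198.51.100.7 user=alice
2025-04-08 10:05:00 [sess=108] CONNECT src=198.51.100.7 user=alice
2025-04-08 10:05:01 [sess=109] CONNECT src=192.0.2.50 user=admin
2025-04-08 10:05:01 [sess=110] CONNECT src=192.0.2.50 user=admin
2025-04-08 10:05:01 [sess=111] CONNECT src=192.0.2.50 user=admin
2025-04-08 10:05:02 [sess=112] CONNECT src=192.0.2.50 user=admin
2025-04-08 10:05:02 [sess=113] CONNECT src=192.0.2.50 user=admin
malformed line that the parser must skip
"""

# Regex for the assumed line layout; anything that does not match is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[sess=(?P<session>\d+)\] "
    r"CONNECT src=(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) user=(?P<user>\S+)$"
)


def parse_events(text):
    """Return a list of (timestamp, session, src_ip, user) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       m["session"], m["src_ip"], m["user"]))
    return events


def detect_excessive_connections(events, threshold=5, window_seconds=60, allowlist=()):
    """Return {src_ip: summary} for every IP whose connection count inside some
    sliding window of window_seconds reaches threshold.

    allowlist holds shared egress addresses (NAT, proxies) that legitimately
    produce many sessions and would otherwise generate false positives.
    """
    by_ip = defaultdict(list)
    for ts, session, ip, user in sorted(events):
        by_ip[ip].append((ts, session, user))

    alerts = {}
    for ip, conns in by_ip.items():
        if ip in allowlist:
            continue
        best = None  # (count, start_index, end_index) of the busiest window seen
        start = 0
        for end in range(len(conns)):
            # slide the window start forward until the span fits in window_seconds
            while (conns[end][0] - conns[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is not None:
            count, s, e = best
            burst = conns[s:e + 1]
            alerts[ip] = {
                "count": count,
                # many distinct users from one IP looks like password spraying,
                # one user hammered repeatedly looks like single-account brute force
                "distinct_users": len({u for _, _, u in burst}),
                "first_seen": burst[0][0],
                "last_seen": burst[-1][0],
            }
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for ip, summary in detect_excessive_connections(evts).items():
        print(ip, summary)
```

Running it flags 203.0.113.10 (six connections from six users within three seconds) and 192.0.2.50 (five connections for one account within a second), while 198.51.100.7, whose two sessions are minutes apart, is left alone. In Splunk the same logic is a count of connection events per source address over a time bucket, compared against the threshold; the allowlist corresponds to excluding known NAT or proxy addresses from that search.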
Categories
- Network
- Cloud
- Web
Data Sources
- Container
- Application Log
ATT&CK Techniques
- T1110.001
- T1110.004
- T1190
Created: 2025-04-08