Successful SSH Authentication from Unusual IP Address

Elastic Detection Rules

Summary
The rule "Successful SSH Authentication from Unusual IP Address" alerts on a successful SSH authentication from an IP address that has not successfully authenticated to the host within the previous 10 days. A valid login from a never-before-seen address is one of the few signals left once an attacker holds working credentials (a stolen key or password), so the rule targets misuse of valid accounts rather than brute force.

It works by querying authentication events from Linux systems and keeping only successful SSH logins. The rule type is new_terms: the 'related.ip' value of each matching event is compared against the values seen in matching events over the 10-day history window, and a value absent from that window raises an alert. Because only events that match the query populate the history, earlier failed attempts from an address do not suppress the alert when a login from it eventually succeeds. The risk score is 21 (severity low): a first login from a new address is routine for legitimate users on VPNs, travel or new workstations, so the alert is worth triaging but is not critical on its own.

The rule consumes log data shipped by Filebeat and requires Filebeat's System Module, so Filebeat must be configured to collect the host's authentication logs and forward them to Elasticsearch or Logstash. It is mapped to MITRE ATT&CK under the Initial Access tactic, technique T1078 (Valid Accounts).
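To make the new_terms mechanics concrete, the following Python example (added for this page; it is not code from Elastic or from the rule itself) replays the detection logic over a constructed stream of ECS-shaped authentication events. The query filter is a reconstruction of the rule's logic as described above using ECS field names (event.category, host.os.type, event.action, event.outcome, related.ip); the exact published query text is not reproduced on this page and is an assumption. The sample events are constructed, not real logs.

```python
from datetime import datetime, timedelta

# History window as described on the page: an IP is "unusual" if no matching
# successful SSH login from it occurred within the previous 10 days.
HISTORY_WINDOW = timedelta(days=10)


def parse_ts(value):
    """Parse an ECS @timestamp (RFC 3339 with a 'Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def matches_rule_query(event):
    """Reconstruction of the rule's filter from the page's description: authentication
    events on Linux hosts whose action is an SSH login with a successful outcome.
    Field names are ECS; the exact published query text is assumed, not quoted."""
    return (
        event.get("event.category") == "authentication"
        and event.get("host.os.type") == "linux"
        and event.get("event.action") == "ssh_login"
        and event.get("event.outcome") == "success"
    )


def term_values(event, field="related.ip"):
    """related.ip is multi-valued in ECS; normalise a scalar or a list to a list."""
    value = event.get(field)
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def new_term_alerts(events, window=HISTORY_WINDOW):
    """Streaming approximation of a new_terms rule keyed on related.ip.

    Events are processed in timestamp order. A matching event alerts when one of
    its related.ip values was not seen in any matching event within `window`
    before it. Events that fail the query (failed logins, non-SSH auth) are
    skipped entirely: they neither alert nor seed the history, so a success from
    an address that previously only failed still alerts.
    """
    last_seen = {}  # ip -> timestamp of the most recent matching event from that ip
    alerts = []
    for event in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        if not matches_rule_query(event):
            continue
        ts = parse_ts(event["@timestamp"])
        for ip in term_values(event):
            prev = last_seen.get(ip)
            if prev is None or ts - prev > window:
                alerts.append({
                    "@timestamp": event["@timestamp"],
                    "user.name": event.get("user.name"),
                    "related.ip": ip,
                })
            last_seen[ip] = ts
    return alerts


def auth_event(ts, ip, user, outcome="success"):
    """Build a constructed ECS-shaped SSH authentication event (sample data, not a real log)."""
    return {
        "@timestamp": ts,
        "host.os.type": "linux",
        "event.category": "authentication",
        "event.action": "ssh_login",
        "event.outcome": outcome,
        "user.name": user,
        "related.ip": ip,
    }


# Constructed sample stream; events 1, 4 and 5 should alert (see comments).
SAMPLE_EVENTS = [
    auth_event("2025-02-01T08:00:00Z", ["10.0.0.5"], "deploy"),            # 1: first success from 10.0.0.5 -> alert
    auth_event("2025-02-03T09:00:00Z", "10.0.0.5", "deploy"),              # 2: seen 2 days ago -> no alert
    auth_event("2025-02-04T02:00:00Z", "203.0.113.9", "root", "failure"),  # 3: fails the query -> ignored
    auth_event("2025-02-04T02:05:00Z", "203.0.113.9", "root"),             # 4: first success from that IP -> alert
    auth_event("2025-02-15T10:00:00Z", "10.0.0.5", "deploy"),              # 5: last success 12 days ago -> alert again
]

if __name__ == "__main__":
    for alert in new_term_alerts(SAMPLE_EVENTS):
        print(f'{alert["@timestamp"]} {alert["user.name"]} from {alert["related.ip"]}')
```

Elastic evaluates new_terms in batches per rule run, looking up each candidate term against the history window in one query rather than event by event, but the per-term outcome is the same as this streaming version. The two edge cases in the sample stream are the ones worth remembering during triage: a failed attempt never makes an address "known", and an address that goes quiet for longer than the history window alerts again when it returns.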
Categories
  • Endpoint
  • Linux
Data Sources
  • File
  • Logon Session
  • Network Traffic
ATT&CK Techniques
  • T1078
Created: 2025-02-21