This rule detects successful SSH authentications from users who have not logged in during the last 10 days, using the new_terms rule type. It targets Linux systems, specifically monitoring authentication logs to identify potentially malicious access attempts. Low-risk behavior is indicated by a risk score of 21, suggesting that this may represent an attacker trying to exploit valid accounts to gain unauthorized access. The detection is based on the premise that infrequent authentications may signal adversarial activity, particularly in scenarios where user access patterns are irregular. The rule is particularly relevant to IT environments and aims to bolster initial access defenses within Linux infrastructures.