Detect New Login Attempts to Routers

Splunk Security Content

Summary
The 'Detect New Login Attempts to Routers' analytic identifies potentially unauthorized logins to routers by monitoring authentication logs enriched by the ES Assets and Identity Framework. It considers only assets whose category is explicitly router, and it flags user and destination pairs whose earliest recorded login falls within the past 30 days, i.e. combinations that had not been seen before that window. The search reads from the Authentication data model and uses Splunk's tstats command to aggregate login attempts by user and destination within the router category.

Routers are central to network integrity, so new and potentially unauthorized access to them deserves attention: an attacker who controls a router can disrupt the network, intercept traffic, and use that position for broader compromise.

Two caveats apply. First, the rule only sees assets that the Assets and Identity Framework has categorized as routers, so authentication logs must be correctly categorized and populated before it produces any results; an uncategorized router is silently excluded. Second, a legitimate first-time connection (a newly hired administrator, a newly onboarded router) looks identical to an unauthorized one, so expect false positives and triage new pairs rather than treating each as an incident. Overall, the rule strengthens network defenses by surfacing unusual router access patterns.
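The following is an added example, written for this page rather than taken from Splunk Security Content, that models the detection logic described above in plain Python so it can be run offline: aggregate count, earliest and latest per (user, dest) pair restricted to dest_category=router, then keep pairs whose earliest login is inside a 30-day window snapped to the start of the day. The event records, asset table, hostnames and usernames are all constructed for illustration, and the enrichment step is a stand-in for what the Assets and Identity Framework does in ES.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: a fixed "now" keeps the example deterministic.
NOW = datetime(2025, 1, 21, 12, 0, tzinfo=timezone.utc)
LOOKBACK = timedelta(days=30)

# Each record mirrors the Authentication data model fields the search uses:
# (_time, user, dest, dest_category). dest_category is populated by the
# Assets and Identity Framework; None means the asset was never categorized.
SAMPLE_EVENTS = [
    (NOW - timedelta(days=200), "netadmin",   "rtr-core-01",   "router"),
    (NOW - timedelta(days=90),  "netadmin",   "rtr-core-01",   "router"),
    (NOW - timedelta(days=2),   "netadmin",   "rtr-core-01",   "router"),  # long-standing pair
    (NOW - timedelta(days=3),   "contractor", "rtr-edge-02",   "router"),  # pair first seen 3 days ago
    (NOW - timedelta(days=1),   "contractor", "rtr-edge-02",   "router"),
    (NOW - timedelta(days=5),   "jdoe",       "fileserver-01", "server"),  # not a router: ignored
    (NOW - timedelta(days=5),   "jdoe",       "rtr-branch-07", None),      # router, but uncategorized
]

# Constructed asset table (hypothetical): what the asset lookup would hold
# once rtr-branch-07 has been added and categorized.
ASSET_TABLE = {"rtr-core-01": "router", "rtr-edge-02": "router",
               "rtr-branch-07": "router", "fileserver-01": "server"}


def enrich_with_assets(events, asset_table):
    """Fill in dest_category from the asset table where the event lacks it.
    Stand-in for the ES asset lookup; events for unknown hosts stay uncategorized."""
    return [(ts, user, dest, cat if cat is not None else asset_table.get(dest))
            for ts, user, dest, cat in events]


def day_snap(ts):
    """Emulate Splunk's '@d' snap: truncate a timestamp to the start of its day."""
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)


def new_router_logins(events, now=NOW, lookback=LOOKBACK, category="router"):
    """Model of the tstats aggregation: count/earliest/latest per (user, dest)
    for router destinations, then keep pairs whose earliest login falls inside
    the lookback window (relative_time(now(), "-30d@d") in SPL terms)."""
    stats = {}
    for ts, user, dest, dest_category in events:
        if dest_category != category:
            continue  # the rule never sees non-router or uncategorized assets
        entry = stats.setdefault((user, dest), {"count": 0, "earliest": ts, "latest": ts})
        entry["count"] += 1
        entry["earliest"] = min(entry["earliest"], ts)
        entry["latest"] = max(entry["latest"], ts)
    cutoff = day_snap(now - lookback)
    return {pair: s for pair, s in stats.items() if s["earliest"] >= cutoff}


if __name__ == "__main__":
    for label, evs in (("raw", SAMPLE_EVENTS),
                       ("enriched", enrich_with_assets(SAMPLE_EVENTS, ASSET_TABLE))):
        print(f"--- {label} events ---")
        for (user, dest), s in sorted(new_router_logins(evs).items()):
            print(f"NEW: {user} -> {dest} count={s['count']} "
                  f"first={s['earliest']:%Y-%m-%d} last={s['latest']:%Y-%m-%d}")
```

Running it on the raw records flags only contractor -> rtr-edge-02; netadmin's pair has an earliest login 200 days back and is ignored, and jdoe -> rtr-branch-07 is missed entirely because the asset carries no category. After enrichment the branch router is categorized and jdoe's pair is flagged too, which is the dependency on asset categorization the summary warns about. Note that the contractor hit may be perfectly legitimate; the logic cannot distinguish a new administrator from an intruder, which is the false-positive caveat.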
Categories
  • Network
  • Infrastructure
Data Sources
  • User Account
  • Application Log
Created: 2025-01-21