
Summary
This OpenCanary rule fires on any connection attempt to the SSH service of an OpenCanary node. OpenCanary is a low-interaction honeypot that exposes fake services so that attempts to reach them can be detected. The rule selects OpenCanary log entries with logtype 4000, the value OpenCanary's logger assigns when its SSH service accepts a new connection; login attempts against the same service are logged under a different logtype, so this rule fires on the connection itself, before any authentication. The alert is rated high severity so that it is triaged promptly: a honeypot has no legitimate users, so a connection to it can indicate initial access or lateral movement by a threat actor. The usual benign source is an authorised vulnerability scanner or asset-inventory tool; tune those hosts out rather than disabling the rule. The rule is labelled 'experimental' and may change as further analysis is done. It was written by Security Onion Solutions, whose documentation references explain how to configure OpenCanary and what it can detect.
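The rule's selection is a single field match, but running it over log lines shows what a hit contains, what is ignored, and where the tuning hook sits. The following is an added example, not Security Onion's rule or OpenCanary's own code. The log lines are constructed to mimic OpenCanary's one-JSON-object-per-line logger output with invented hosts, ports and times, and the `logdata` objects are placeholders; the `ignore_sources` parameter is an assumption added to show how an authorised scanner would be tuned out, not a feature of the rule.

```python
import json
from collections import Counter

# OpenCanary's logtype for a new SSH connection; the only value this rule selects.
LOG_SSH_NEW_CONNECTION = 4000

# Constructed sample log (not real OpenCanary output): hosts, ports and times are
# invented and the "logdata" objects are placeholders. It mixes the events the
# rule should match with other logtypes, a string-typed logtype as some log
# shippers produce, and one truncated line that a robust matcher must skip.
SAMPLE_LOG = "\n".join([
    '{"dst_host": "10.0.0.5", "dst_port": 22, "logdata": {}, "logtype": 4000, "node_id": "opencanary-1", "src_host": "10.0.0.23", "src_port": 51522, "utc_time": "2024-03-08 10:15:01.000000"}',
    '{"dst_host": "10.0.0.5", "dst_port": 22, "logdata": {}, "logtype": 4001, "node_id": "opencanary-1", "src_host": "10.0.0.23", "src_port": 51522, "utc_time": "2024-03-08 10:15:01.100000"}',
    '{"dst_host": "10.0.0.5", "dst_port": 22, "logdata": {}, "logtype": 4000, "node_id": "opencanary-1", "src_host": "10.0.0.23", "src_port": 51530, "utc_time": "2024-03-08 10:15:04.000000"}',
    '{"dst_host": "10.0.0.5", "dst_port": 80, "logdata": {}, "logtype": 3000, "node_id": "opencanary-1", "src_host": "10.0.0.9", "src_port": 40011, "utc_time": "2024-03-08 10:16:00.000000"}',
    '{"dst_host": "10.0.0.5", "dst_port": 22, "logdata": {}, "logtype": 4000, "node_id": "opencanary-1", "src_host": "10.0.0.99", "src_port": 4',
    '{"dst_host": "10.0.0.5", "dst_port": 22, "logdata": {}, "logtype": 4000, "node_id": "opencanary-1", "src_host": "192.168.1.77", "src_port": 60002, "utc_time": "2024-03-08 10:20:00.000000"}',
    '{"dst_host": "10.0.0.5", "dst_port": 22, "logdata": {}, "logtype": "4000", "node_id": "opencanary-1", "src_host": "192.168.1.77", "src_port": 60003, "utc_time": "2024-03-08 10:20:02.000000"}',
])


def parse_opencanary_lines(text):
    """Yield parsed JSON events, skipping blank lines and anything that is not a JSON object."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            # A truncated or non-JSON line must not abort the whole run.
            continue
        if isinstance(event, dict):
            yield event


def matches_ssh_new_connection(event):
    """The rule's selection: logtype equals 4000.

    OpenCanary writes logtype as an integer, but some shippers stringify it,
    so the value is normalised before comparison.
    """
    try:
        return int(event.get("logtype")) == LOG_SSH_NEW_CONNECTION
    except (TypeError, ValueError):
        return False


def ssh_new_connection_alerts(text, ignore_sources=()):
    """Run the selection over a log and return the matching events.

    ignore_sources (hypothetical tuning knob, not part of the rule) drops
    events from hosts such as authorised vulnerability scanners.
    """
    return [
        e for e in parse_opencanary_lines(text)
        if matches_ssh_new_connection(e) and e.get("src_host") not in set(ignore_sources)
    ]


def sources_by_count(alerts):
    """Count alerts per source host, the first view a triager wants."""
    return Counter(a.get("src_host") for a in alerts)


if __name__ == "__main__":
    hits = ssh_new_connection_alerts(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['utc_time']} {hit['node_id']} ssh connection from "
              f"{hit['src_host']}:{hit['src_port']} -> {hit['dst_host']}:{hit['dst_port']}")
    print("per source:", dict(sources_by_count(hits)))
    print("with 10.0.0.23 tuned out:",
          len(ssh_new_connection_alerts(SAMPLE_LOG, ignore_sources={"10.0.0.23"})))
```

On the constructed sample this yields four alerts from two sources; the 4001 and 3000 events and the truncated line are ignored, and the string-typed `"4000"` still matches. Tuning out a scanner host is done at the consumer, leaving the rule's own selection unchanged.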
Categories
- Cloud
- Linux
- Endpoint
Data Sources
- Application Log
Created: 2024-03-08