
Summary
This detection rule identifies successful SSH authentications that use a public key not used in the previous 10 days. Public-key authentication is a common method of secure access to systems. By using the new_terms rule type, the rule tracks changes in SSH public key usage over time to detect potentially unauthorized access. A successful login event is defined by a structured query that filters on specific authentication attributes on Linux systems. The rule highlights the importance of monitoring infrequent authentication attempts, which can signify suspicious activity. Note that false positives can occur where users legitimately authenticate infrequently. The rule is categorized under the Initial Access tactic of the MITRE ATT&CK framework and is particularly relevant for threat detection in endpoint environments.
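As an added illustration (not the rule's own query, which this page does not reproduce), the following Python simulates the new-terms logic described above over constructed sshd-style log lines: a public-key login alerts when that key has no prior use within the 10-day window. The log format, hostnames, fingerprints, and the choice to key the term on host, user and fingerprint are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Lookback window from the rule description: a key unseen for 10 days is "new".
WINDOW = timedelta(days=10)

# Constructed sshd-style lines (assumed format, not real data). Only
# "Accepted publickey" lines count as successful public-key logins.
SAMPLE_LOG = """\
2025-02-01T08:00:00 host1 sshd[100]: Accepted publickey for alice from 10.0.0.5 port 5000 ssh2: ED25519 SHA256:AAAA
2025-02-05T09:00:00 host1 sshd[101]: Accepted publickey for alice from 10.0.0.5 port 5001 ssh2: ED25519 SHA256:AAAA
2025-02-20T10:00:00 host1 sshd[102]: Accepted publickey for alice from 10.0.0.5 port 5002 ssh2: ED25519 SHA256:AAAA
2025-02-21T11:00:00 host1 sshd[103]: Accepted publickey for alice from 198.51.100.7 port 5003 ssh2: ED25519 SHA256:BBBB
2025-02-21T12:00:00 host1 sshd[104]: Accepted password for bob from 10.0.0.6 port 5004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)$"
)

def parse_events(text):
    """Yield (timestamp, host, user, source_ip, key_fingerprint) for successful
    public-key logins; password logins and non-matching lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"], m["fp"])

def new_key_logins(text, window=WINDOW):
    """Return one alert per login whose (host, user, key) term was not seen
    within `window` before it. Keying on host+user+fingerprint is an assumption;
    the real rule's term fields are not given on this page."""
    last_seen = {}  # (host, user, fingerprint) -> timestamp of last login
    alerts = []
    for ts, host, user, src, fp in sorted(parse_events(text)):
        term = (host, user, fp)
        prev = last_seen.get(term)
        # No history at all, or last use older than the window: alert.
        # The second case is the "infrequent user" false positive noted above.
        if prev is None or ts - prev > window:
            alerts.append({"time": ts.isoformat(), "host": host, "user": user,
                           "source": src, "key": fp, "first_seen": prev is None})
        last_seen[term] = ts
    return alerts

if __name__ == "__main__":
    for a in new_key_logins(SAMPLE_LOG):
        print(a)
```

On the sample, the key SHA256:AAAA alerts twice (first sight, then again after a 15-day gap, the false-positive case) while SHA256:BBBB alerts as a never-seen key from a new source address; the password login is not considered at all.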
Categories
- Endpoint
- Linux
Data Sources
- Process
- Logon Session
- File
ATT&CK Techniques
- T1078
Created: 2025-02-21