Potential SSH with System User

Anvilogic Forge

Summary
This detection rule identifies attempts to SSH into system accounts that carry a default user ID (UID) in the range 1 to 999 on Unix-like systems. These UIDs are normally assigned to system daemons rather than human users, which keeps daemon privileges separate from those of interactive accounts and strengthens the security posture. The rule uses Splunk's data collection capabilities to analyze user activity, matching events where the UID falls in the default system range while excluding UID 0 (the root user) and UIDs of four or more digits. It tracks SSH execution within the evaluated contexts and enriches the findings with geographical information derived from the source IP. This monitoring matters because unauthorized SSH access through default system accounts is a potential security weakness.
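The selection logic described above, as an added illustration rather than the rule's own Splunk search: the UID-range check (1 to 999, excluding root and four-or-more-digit UIDs), the restriction to SSH events, and a geographical enrichment step run over constructed sample records. The key=value event format, the field names and the geo lookup table are assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed sample records (not real telemetry) in an assumed key=value layout.
SAMPLE_EVENTS = [
    "user=daemon uid=1 process=sshd src_ip=203.0.113.10 action=accepted",
    "user=root uid=0 process=sshd src_ip=203.0.113.11 action=accepted",
    "user=alice uid=1001 process=sshd src_ip=198.51.100.5 action=accepted",
    "user=www-data uid=33 process=sshd src_ip=198.51.100.9 action=accepted",
    "user=backup uid=34 process=cron src_ip=- action=started",
    "user=postgres uid=999 process=sshd src_ip=192.0.2.7 action=failed",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def is_system_uid(uid_str: str) -> bool:
    """True for the default system range 1-999.
    UID 0 (root) and UIDs of four or more digits (1000+) are excluded."""
    if not uid_str.isdigit():
        return False
    if len(uid_str) >= 4:  # 1000 and above are regular, non-daemon accounts
        return False
    return 1 <= int(uid_str) <= 999


def geo_enrich(src_ip: str, geo_table: Dict[str, str]) -> str:
    # Hypothetical stand-in for an IP geolocation lookup; the table is constructed.
    return geo_table.get(src_ip, "unknown")


def detect_system_user_ssh(lines, geo_table=None) -> List[Dict[str, str]]:
    """Return SSH events whose UID falls in the system range, geo-enriched."""
    geo_table = geo_table or {}
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("process") != "sshd":      # only SSH execution is in scope
            continue
        if not is_system_uid(ev.get("uid", "")):
            continue
        ev["geo"] = geo_enrich(ev.get("src_ip", ""), geo_table)
        hits.append(ev)
    return hits
```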
Categories
  • Linux
  • Cloud
  • On-Premise
Data Sources
  • User Account
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1078.001
Created: 2024-02-09