
Remote SSH Login Enabled via systemsetup Command

Elastic Detection Rules

Summary
The rule "Remote SSH Login Enabled via systemsetup Command" detects unauthorized use of the macOS 'systemsetup' command to enable remote SSH access. 'systemsetup' lets administrators change system settings, including turning SSH login on or off; an attacker who already has local access can use it to open an SSH path for unauthorized access and lateral movement within a network. The rule uses KQL (Kibana Query Language) to match process events in which 'systemsetup' is executed with the argument '-setremotelogin on', while excluding legitimate administrative actions that originate from known management tools such as Jamf. It runs over process events captured in the configured log indices and depends on the Elastic Defend integration for data collection. The accompanying investigation guidance covers triaging alerts: confirming whether the command invocation was legitimate and assessing the user context to reduce false positives. It also stresses excluding benign administrative processes and outlines an incident response approach for promptly addressing unauthorized SSH access attempts.
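As an added example (not code from Elastic's rule set), the following Python models the detection logic described above and runs it over constructed process events; the Jamf parent path used for the exclusion is an assumed placeholder, not the rule's actual exclusion list.

```python
# Added example, not Elastic's rule code: a minimal Python model of the detection
# logic the summary describes, run over constructed macOS process events.
# The Jamf exclusion below is an assumed placeholder path, not the rule's real list.
ALLOWED_PARENT_PREFIXES = ("/usr/local/jamf/",)  # assumption: management-tool parents

def matches_rule(event: dict) -> bool:
    """True when a process event looks like `systemsetup -setremotelogin on`
    launched by something other than an allow-listed management tool."""
    if event.get("event", {}).get("category") != "process":
        return False
    proc = event.get("process", {})
    if proc.get("name") != "systemsetup":
        return False
    # systemsetup accepts "on"/"On"; lower-case so a capitalised value is not missed
    args = [a.lower() for a in proc.get("args", [])]
    try:
        flag_idx = args.index("-setremotelogin")
    except ValueError:
        return False
    # Require "on" directly after the flag; the rule's KQL only requires both
    # tokens to be present, so this version is slightly stricter.
    if flag_idx + 1 >= len(args) or args[flag_idx + 1] != "on":
        return False
    parent = proc.get("parent", {}).get("executable", "")
    return not parent.startswith(ALLOWED_PARENT_PREFIXES)

def scan(events):
    """Return the ids of events that trigger the rule, in input order."""
    return [e["id"] for e in events if matches_rule(e)]

def _ev(eid, args, parent, category="process"):
    """Build a constructed process event in a simplified ECS-like shape."""
    return {"id": eid, "event": {"category": category},
            "process": {"name": "systemsetup", "args": args,
                        "parent": {"executable": parent}}}

# Constructed sample telemetry (not real data)
SAMPLE_EVENTS = [
    _ev("ev1", ["systemsetup", "-setremotelogin", "on"], "/bin/zsh"),
    _ev("ev2", ["systemsetup", "-setremotelogin", "On"], "/usr/bin/sudo"),
    _ev("ev3", ["systemsetup", "-setremotelogin", "on"], "/usr/local/jamf/bin/jamf"),
    _ev("ev4", ["systemsetup", "-getremotelogin"], "/bin/zsh"),
    _ev("ev5", ["systemsetup", "-setremotelogin", "off"], "/bin/bash"),
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # ['ev1', 'ev2']
```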
Categories
  • Endpoint
  • macOS
Data Sources
  • Process
  • File
  • Network Traffic
ATT&CK Techniques
  • T1021
  • T1021.004
Created: 2020-08-18