text code block:`cisco_sd_wan_syslog` "Accepted publickey" | rex field=_raw "^(?<event_timestamp>\S+)\s+(?<dest>\S+)\s+<auth\.info>\s+sshd\[\d+\]:\s+Accepted publickey for (?<user>\S+) from (?<src>\S+) port (?<src_port>\d+) ssh2:\s+(?<key_type>\S+)\s+(?<ssh_key>\S+)" | stats dc(ssh_key) as distinct_keys values(ssh_key) as ssh_keys count by dest user src | where distinct_keys > 1 | `cisco_sd_wan_multiple_ssh_key_authentication_from_same_source_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).