text code block:`cisco_sd_wan_syslog` "Accepted publickey" | rex field=_raw "^(?<event_timestamp>\S+)\s+(?<dest>\S+)\s+<auth\.info>\s+sshd\[\d+\]:\s+Accepted publickey for (?<user>\S+) from (?<src>\S+) port (?<src_port>\d+) ssh2:\s+(?<key_type>\S+)\s+(?<ssh_key>\S+)" | where user="vmanage-admin" | bin event_timestamp span=2m | stats dc(src) as unique_src_ips values(src) as src_ips values(user) as users count as auth_count by event_timestamp dest | where unique_src_ips >= 2 | sort 0 - unique_src_ips | `cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).