diff --git a/salt/idh/Plays/IDH_SSH.yaml b/salt/idh/Plays/IDH_SSH.yaml
new file mode 100644
index 000000000..1d4e7ece4
--- /dev/null
+++ b/salt/idh/Plays/IDH_SSH.yaml
@@ -0,0 +1,18 @@
+title: SO IDH - SSH Accessed
+status: experimental
+description: Detects when the SSH service on a SO IDH node has been probed.
+author: Security Onion Solutions
+logsource:
+  product: idh
+detection:
+  selection:
+    event.code:
+      - 4000
+      - 4001
+      - 4002
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical
\ No newline at end of file
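Review bot: The three `event.code` values in the selection are bare numbers with no indication of what each one represents, so a future maintainer cannot tell whether adding or removing a code widens or narrows the "probed" condition the description promises; an inline comment per entry such as `- 4000  # <IDH/OpenCanary SSH event meaning, from the sensor docs>` would make the rule self-describing. The rule also carries no `id` or `date` key, which Sigma-style tooling commonly uses to track a rule across updates; if the other plays in salt/idh/Plays carry them, this one should too. Since `event.code` is a keyword field in ECS-style mappings, it is worth confirming that the integer form of these values matches how the IDH events are actually indexed rather than requiring `"4000"` strings. Finally, the file lacks a trailing newline (`\ No newline at end of file`); adding one keeps the file consistent with the other YAML in the tree.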