ESXi Audit Tampering

Splunk Security Content

Summary
This detection rule identifies potential tampering with audit records on VMware ESXi hosts by monitoring use of the 'esxcli system auditrecords' command. Such usage can indicate an attempt to evade detection or hinder forensic analysis, because it may stop critical system-level audit events from being recorded. The rule extracts the relevant fields from the syslog data generated by the ESXi host and aggregates counts, occurrences, and the users and commands involved, to help identify suspicious activity related to audit tampering.
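The aggregation described above, written out as an added example that is not part of the Splunk rule: it parses constructed syslog lines in the shape of ESXi shell command logging (the exact line format, host names and user names are assumptions), matches the 'esxcli system auditrecords' command, and aggregates count, first/last occurrence and distinct commands per host and user.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of ESXi shell command syslog output.
# The format "<ts> <host> shell[<pid>]: [<user>]: <command>" is an assumption.
SAMPLE_SYSLOG = """\
2025-07-01T10:02:11Z esxi01 shell[2081]: [root]: esxcli system auditrecords local disable
2025-07-01T10:02:40Z esxi01 shell[2081]: [root]: esxcli system auditrecords remote disable
2025-07-01T10:05:02Z esxi01 shell[2081]: [root]: esxcli vm process list
2025-07-01T11:14:57Z esxi02 shell[3310]: [admin]: esxcli system auditrecords get
2025-07-01T11:15:03Z esxi02 shell[3310]: [admin]: ls /scratch/log
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)
# Match the command namespace, not a specific subcommand, as the rule summary describes.
AUDIT_CMD_RE = re.compile(r"\besxcli\s+system\s+auditrecords\b")


def parse_line(line):
    """Return the timestamp, host, user and command of one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_audit_tampering(syslog_text):
    """Aggregate 'esxcli system auditrecords' usage per (host, user):
    count, first/last occurrence and the distinct commands seen."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None, "commands": set()})
    for line in syslog_text.splitlines():
        rec = parse_line(line)
        if rec is None or not AUDIT_CMD_RE.search(rec["cmd"]):
            continue
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        agg = hits[(rec["host"], rec["user"])]
        agg["count"] += 1
        agg["first_seen"] = ts if agg["first_seen"] is None else min(agg["first_seen"], ts)
        agg["last_seen"] = ts if agg["last_seen"] is None else max(agg["last_seen"], ts)
        agg["commands"].add(rec["cmd"])
    return dict(hits)


if __name__ == "__main__":
    for (host, user), agg in detect_audit_tampering(SAMPLE_SYSLOG).items():
        print(host, user, agg["count"], agg["first_seen"], agg["last_seen"], sorted(agg["commands"]))
```

On the constructed input the root user on esxi01 is reported twice (both disable commands), while unrelated esxcli and shell commands are ignored.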
Categories
  • Infrastructure
  • Endpoint
  • On-Premise
  • Cloud
Data Sources
  • Pod
  • Service
  • File
  • Container
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1562.003
  • T1070
Created: 2025-07-01