
Summary
This detection rule identifies when SSH access is enabled on VMware ESXi hosts, a potential indicator of malicious activity. SSH (Secure Shell) can give attackers persistent remote access after credential compromise or exploitation of a vulnerability, so monitoring for its enablement is important. The rule uses VMware ESXi syslog data, searching specifically for log messages indicating that SSH has been enabled. When such a message is found, the detection records the first and last time the event occurred alongside the destination host information. The effectiveness of the detection depends on ESXi systems being configured to send syslog output to a Splunk environment, where the Splunk Technology Add-on for VMware ESXi Logs must be enabled for correct log ingestion and field extraction. False positives can occur, but they are generally limited in well-administered environments where SSH is not widely used for troubleshooting.
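The following is an added example of the detection logic described above, run over a handful of constructed syslog lines; it is not the rule's own Splunk search and not VMware code. The line layout (timestamp, host, process name, message) and the matched phrase "SSH access has been enabled" are assumptions chosen to resemble ESXi hostd syslog output, so verify both against your own ESXi syslog feed before relying on them. The example groups matching events per host and reports the first and last time SSH was enabled, mirroring what the rule records, and skips malformed lines instead of failing on them.

```python
"""Toy re-implementation of the 'ESXi SSH enabled' detection over syslog text.

Added example, not the rule's own SPL and not VMware's code. The log line
format and the matched phrase are assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: these lines were written for this example and were
# not captured from a real ESXi host. Hostnames are placeholders.
SAMPLE_LOGS = """\
2025-05-12T08:01:10Z esxi01.lab.example Hostd: [Originator@6876 sub=Vimsvc] User dcui@127.0.0.1 logged in
2025-05-12T08:02:33Z esxi01.lab.example Hostd: [Originator@6876 sub=Hostsvc] SSH access has been enabled.
2025-05-12T08:05:47Z esxi02.lab.example Hostd: [Originator@6876 sub=Hostsvc] SSH access has been disabled.
2025-05-12T09:14:05Z esxi02.lab.example Hostd: [Originator@6876 sub=Hostsvc] SSH access has been enabled.
2025-05-12T11:40:00Z esxi01.lab.example Hostd: [Originator@6876 sub=Hostsvc] SSH access has been enabled.
malformed line that should be skipped, not crash the detection
""".splitlines()

# Assumed line layout: "<ISO-8601 UTC timestamp> <host> <process>: <message>"
SYSLOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<app>[^:]+):\s+(?P<msg>.*)$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Assumed message pattern; the real hostd wording may differ on your hosts.
SSH_ENABLED_RE = re.compile(r"\bSSH access has been enabled\b")


def parse_syslog_line(line):
    """Return a dict with ts (datetime), host, app, msg; None if the line does
    not fit the assumed layout or carries an unparsable timestamp."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return {"ts": ts, "host": m.group("host"), "app": m.group("app"), "msg": m.group("msg")}


def detect_ssh_enabled(lines):
    """Find 'SSH enabled' events and summarise them per destination host.

    Returns {host: {"first_time": str, "last_time": str, "count": int}},
    the same first/last-seen view the Splunk rule produces."""
    seen = defaultdict(list)
    for line in lines:
        event = parse_syslog_line(line)
        if event is None:
            continue  # malformed or foreign line: ignore, do not abort
        if not SSH_ENABLED_RE.search(event["msg"]):
            continue  # not an SSH-enable message (e.g. SSH disabled)
        seen[event["host"]].append(event["ts"])

    findings = {}
    for host, stamps in seen.items():
        findings[host] = {
            "first_time": min(stamps).strftime(TS_FORMAT),
            "last_time": max(stamps).strftime(TS_FORMAT),
            "count": len(stamps),
        }
    return findings


def format_findings(findings):
    """One human-readable alert line per host, sorted by host name."""
    return [
        f"{host}: SSH enabled {f['count']} time(s), first {f['first_time']}, last {f['last_time']}"
        for host, f in sorted(findings.items())
    ]


if __name__ == "__main__":
    for line in format_findings(detect_ssh_enabled(SAMPLE_LOGS)):
        print(line)
```

In a real deployment the equivalent grouping is done by the Splunk search over the ingested sourcetype rather than by a script; what carries over is the structure: match the enable message, key on the host, and keep first and last timestamps so a repeated enable on one host surfaces as a single finding with a count.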
Categories
- Infrastructure
- Endpoint
Data Sources
- Pod
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1021.004
Created: 2025-05-12