
Summary
The ESXi SSH Brute Force detection rule identifies unauthorized access attempts against VMware ESXi hosts by monitoring logs for multiple failed SSH logins from various source IPs within a five-minute interval. The rule uses regular expressions to extract the relevant fields, namely the username attempting to log in and the originating IP address of each failed attempt. The core analytic flags cases where the count of failures exceeds ten, which indicates a potential brute-force attack. The detection relies on syslog data forwarded from ESXi systems to a Splunk deployment, which must be configured with the VMware ESXi Technology Add-on for correct field extraction and CIM compatibility. Implementing this rule supports proactive identification of intrusion attempts and allows timely remediation, strengthening the security of the virtual infrastructure.
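As an added illustration (not the rule's own SPL, which this page does not reproduce), the following Python sketch applies the same logic to constructed syslog lines: a regular expression pulls the username and source IP out of each failed-login message, failures are counted per ESXi host in five-minute windows, and a window whose count exceeds ten produces an alert. The sshd message wording, host names and addresses are assumptions for the sample, not ESXi's documented format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not real ESXi output). The sshd "Failed password"
# wording is an assumption; adjust FAIL_RE to the format your hosts actually forward.
SAMPLE_LOGS = [
    f"2025-05-12T10:0{i // 6}:{(i * 7) % 60:02d}Z esxi01 sshd[2231]: Failed password for "
    f"{'root' if i % 2 else 'invalid user admin'} from 203.0.113.{5 + i % 3} port {51000 + i} ssh2"
    for i in range(12)
] + [
    "2025-05-12T10:01:15Z esxi01 sshd[2231]: Accepted publickey for vpxuser from 198.51.100.9 port 40000 ssh2",
    "2025-05-12T10:02:30Z esxi02 sshd[4410]: Failed password for root from 203.0.113.77 port 52000 ssh2",
    "2025-05-12T10:02:45Z esxi02 sshd[4410]: Failed password for root from 203.0.113.77 port 52001 ssh2",
]

# Extract timestamp, host, attempted user and source IP; "invalid user" is optional
# so both unknown and known usernames are captured under the same field.
FAIL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(lines):
    """Return one event dict per failed-login line; non-matching lines are ignored."""
    events = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append({"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"]})
    return events


def brute_force_alerts(lines, threshold=10, window_minutes=5):
    """Bucket failures per host into fixed windows; alert when a bucket exceeds the threshold."""
    windows = defaultdict(lambda: {"count": 0, "users": set(), "sources": set()})
    for ev in parse_failures(lines):
        ts = ev["ts"]
        start = ts.replace(second=0, microsecond=0, minute=ts.minute - ts.minute % window_minutes)
        w = windows[(ev["host"], start)]
        w["count"] += 1
        w["users"].add(ev["user"])
        w["sources"].add(ev["src"])
    return [
        {"host": host, "window_start": start, "failures": w["count"],
         "users": sorted(w["users"]), "sources": sorted(w["sources"])}
        for (host, start), w in sorted(windows.items()) if w["count"] > threshold
    ]


if __name__ == "__main__":
    for alert in brute_force_alerts(SAMPLE_LOGS):
        print(alert)
```

The distinct users and sources attached to each alert are what an analyst needs to tell a password spray (many users, few sources) from a single noisy client during triage.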
Categories
- Infrastructure
- Endpoint
Data Sources
- Volume
- File
ATT&CK Techniques
- T1110
Created: 2025-05-12