
Summary
This detection rule identifies possible misuse of the root account on VMware ESXi hosts by flagging logins to that account from multiple unique source IP addresses within a short time frame. It works by analyzing ESXi Syslog entries for root-user logins, excluding localhost entries. The logic collects the unique source IPs that have logged into the root account within each 15-minute interval and raises an alert when more than one unique IP is observed. Such activity may indicate compromised credentials, lateral movement by an attacker, or the sharing of root login details, any of which can lead to unauthorized access to the ESXi host. The output includes the first and last login times and the distinct source IP addresses involved.
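An added worked example of the window-and-count logic described above (written for this page, not the rule's own implementation). The hostd "User root@IP logged in" message shape and the sample log lines are constructed assumptions; the host name and IPs are documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample ESXi syslog lines (assumed hostd "User ... logged in" event shape).
SAMPLE_LOGS = """\
2025-05-09T10:02:11Z esxi01 Hostd: info hostd[2099710] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 101 : User root@127.0.0.1 logged in as pyvmomi
2025-05-09T10:03:40Z esxi01 Hostd: info hostd[2099710] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 102 : User root@192.0.2.10 logged in as VMware-client/8.0.0
2025-05-09T10:09:05Z esxi01 Hostd: info hostd[2099710] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 103 : User root@198.51.100.7 logged in as VMware-client/8.0.0
2025-05-09T10:31:22Z esxi01 Hostd: info hostd[2099710] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 104 : User root@192.0.2.10 logged in as VMware-client/8.0.0
2025-05-09T10:40:00Z esxi01 Hostd: info hostd[2099710] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 105 : User admin@203.0.113.5 logged in as VMware-client/8.0.0
"""

# Matches only root logins; other users (e.g. admin above) are ignored.
LOGIN_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+.*?User root@(?P<ip>\S+) logged in")
LOCALHOST = {"127.0.0.1", "::1", "localhost"}
WINDOW = timedelta(minutes=15)


def parse_root_logins(text):
    """Yield (timestamp, host, source_ip) for each root login, dropping localhost entries."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m or m.group("ip") in LOCALHOST:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m.group("host"), m.group("ip")


def detect_shared_root(text, window=WINDOW):
    """Bucket root logins per host into fixed windows; alert when a bucket has >1 distinct source IP."""
    buckets = defaultdict(list)
    secs = window.total_seconds()
    for ts, host, ip in parse_root_logins(text):
        start = datetime.fromtimestamp((ts.timestamp() // secs) * secs, tz=timezone.utc)
        buckets[(host, start)].append((ts, ip))
    alerts = []
    for (host, start), events in sorted(buckets.items()):
        ips = sorted({ip for _, ip in events})
        if len(ips) > 1:  # the rule's threshold: more than one unique IP in the window
            alerts.append({"host": host, "window_start": start,
                           "first_login": min(t for t, _ in events),
                           "last_login": max(t for t, _ in events),
                           "source_ips": ips})
    return alerts


if __name__ == "__main__":
    for a in detect_shared_root(SAMPLE_LOGS):
        print(a)
```

On the sample above only the 10:00-10:15 window fires (two external IPs); the 10:30-10:45 window sees a single root IP and the localhost and non-root entries are excluded.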
Categories
- Infrastructure
- Cloud
- Endpoint
Data Sources
- Volume
- Process
- Application Log
ATT&CK Techniques
- T1078
Created: 2025-05-09