
Summary
This detection rule identifies execution of the 'esxcli' command within its 'network' namespace on ESXi hosts. 'esxcli' is the command-line management utility for ESXi; its 'network' namespace exposes the host's network configuration (interfaces, IP addressing, DNS, firewall rulesets, virtual switches), which is valuable reconnaissance for an attacker who has gained a foothold on an ESXi installation and is mapping the environment before further exploitation or ransomware deployment. The rule inspects process creation events and fires only when three conditions hold together: the image path ends with '/esxcli', the command line contains 'network', and the command line also contains 'get' or 'list' (the read-only verbs used to query configuration). Because these are substring matches, any 'esxcli network ... get' or 'esxcli network ... list' invocation triggers the rule, including routine administrative inventory, so hits should be baselined against known administrators and management tooling. Matches indicate network configuration enumeration that the rule maps to the MITRE ATT&CK techniques T1033 (System Owner/User Discovery) and T1007 (System Service Discovery).
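The following is an added example, not the rule file itself or code from its author, that replays the rule's three-condition logic over a handful of constructed process-creation events so the match boundary is visible. Field names follow the Sigma process_creation convention ('Image', 'CommandLine'); the events and paths are assumptions for illustration.

```python
"""Added example: replay the esxcli network-discovery matching logic over
constructed process-creation events. Not the rule file itself; the field
names (Image, CommandLine) mirror the Sigma process_creation schema."""


def matches_esxcli_network_discovery(event: dict) -> bool:
    """Return True when the event satisfies all three rule conditions:
    Image ends with '/esxcli', CommandLine contains 'network', and
    CommandLine contains 'get' or 'list'. Sigma string matching is
    case-insensitive by default, so both fields are lower-cased first."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith("/esxcli"):
        return False
    if "network" not in cmdline:
        return False
    return any(verb in cmdline for verb in ("get", "list"))


# Constructed sample events (not real telemetry). The first two should match;
# the remaining three each fail exactly one of the rule's conditions.
SAMPLE_EVENTS = [
    {"Image": "/bin/esxcli", "CommandLine": "esxcli network ip interface ipv4 get"},
    {"Image": "/bin/esxcli", "CommandLine": "esxcli network firewall ruleset list"},
    # 'network' present, but neither 'get' nor 'list': a configuration change, not a query
    {"Image": "/bin/esxcli", "CommandLine": "esxcli network firewall set --enabled false"},
    # 'list' present, but the 'storage' namespace, not 'network'
    {"Image": "/bin/esxcli", "CommandLine": "esxcli storage core device list"},
    # different binary entirely, even though it also reads network information
    {"Image": "/bin/vim-cmd", "CommandLine": "vim-cmd hostsvc/net/info"},
]


def run_detection(events):
    """Return the command lines of all events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches_esxcli_network_discovery(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT esxcli network discovery:", hit)
```

Running the block prints alerts for the two 'get'/'list' queries only. The third event shows why the rule pairs the namespace with read-only verbs: a firewall change through 'esxcli network firewall set' is a different behaviour (impact or defense evasion rather than discovery) and is left to other rules.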
Categories
- Infrastructure
- Cloud
- Linux
- On-Premise
Data Sources
- Process
Created: 2023-09-04