
Summary
The ESXi VM Discovery detection rule is designed to catch ESXCLI commands used to discover virtual machines on an ESXi host, which can be indicative of adversarial reconnaissance. While administrators run these commands legitimately when managing resources, their presence can also suggest that an adversary is mapping the virtual environment or preparing for further malicious activity, such as data theft. The search relies on VMware ESXi syslog data, specifically looking for messages that include 'esxcli vm process' and the command 'list'. A series of regex extractions capture the user executing the command and the destination ESXi host. Results are aggregated to show the timing and frequency of the commands, allowing security teams to distinguish normal administrative activity from potential threats.
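To make the matching and aggregation concrete, here is an added Python example (not the rule's own Splunk search) that applies the same logic to a few constructed ESXi syslog lines; the `shell[pid]: [user]: command` line layout and taking the destination host from the syslog hostname field are assumptions about the log format.

```python
import re
from datetime import datetime

# Constructed sample ESXi shell log lines (not real log data). The
# "shell[pid]: [user]: command" layout is an assumption about the format.
SAMPLE_LOGS = [
    "2025-05-15T10:01:12Z esxi-host-01 shell[2099633]: [root]: esxcli vm process list",
    "2025-05-15T10:01:40Z esxi-host-01 shell[2099633]: [root]: esxcli vm process list",
    "2025-05-15T10:02:05Z esxi-host-01 shell[2099640]: [root]: esxcli vm process kill --type=force --world-id=12345",
    "2025-05-15T10:03:00Z esxi-host-02 shell[2099701]: [backupsvc]: esxcli vm process list",
    "2025-05-15T10:04:30Z esxi-host-01 shell[2099650]: [root]: esxcli storage filesystem list",
]

# Mirrors the rule: the message must contain 'esxcli vm process' followed by
# the 'list' command; the user and destination host are pulled out by regex.
VM_LIST_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dest>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+"
    r"esxcli\s+vm\s+process\s+list\b"
)


def parse_events(lines):
    """Return (timestamp, user, dest_host) for every line that matches the rule."""
    events = []
    for line in lines:
        m = VM_LIST_RE.search(line)
        if m:
            ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
            events.append((ts, m.group("user"), m.group("dest")))
    return events


def aggregate(events):
    """Group by (user, dest) with first seen, last seen and count, like the rule's stats."""
    agg = {}
    for ts, user, dest in events:
        entry = agg.setdefault((user, dest), {"first": ts, "last": ts, "count": 0})
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["count"] += 1
    return agg


if __name__ == "__main__":
    # Only the two 'esxcli vm process list' pairs survive; kill and storage lines do not.
    for (user, dest), s in aggregate(parse_events(SAMPLE_LOGS)).items():
        print(f"{user}@{dest}: {s['count']} x 'esxcli vm process list' "
              f"between {s['first'].isoformat()} and {s['last'].isoformat()}")
```

A burst of many such events from one user against several hosts in a short window is the pattern worth triaging; a single daily run from a known backup account is the kind of benign baseline the aggregation helps you recognise.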
Categories
- Infrastructure
- Cloud
- Endpoint
Data Sources
- Volume
- Logon Session
ATT&CK Techniques
- T1673
Created: 2025-05-15