
Summary
This detection rule identifies the creation, deletion, or modification of local user accounts on VMware ESXi hosts. Such changes are important security indicators: they may signal unauthorized access or an intruder's attempt to maintain persistent control over the host. The rule uses syslog data generated by ESXi, focusing on messages that contain the `esxcli` commands tied to account management. The detection logic parses these syslog entries to extract the users involved and the timestamps of the changes. For the rule to work, syslog forwarding from the ESXi hosts to the Splunk deployment must be configured correctly, and the VMware Technology Add-on should be installed so that the data is ingested and the relevant fields are extracted properly.
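As an added illustration of the parsing step described above (not the rule's own SPL or the add-on's extractions), the following Python extracts the timestamp, invoking user, action, and target account from ESXi shell-log style syslog lines; the sample lines and their exact format are constructed assumptions.

```python
import re
from dataclasses import dataclass
from collections import defaultdict

# Constructed sample lines in ESXi shell.log style (assumed format, not from the page).
SAMPLE_LOG = """\
2025-07-01T10:15:02Z In(14) shell[2100254]: [root]: esxcli system account add -i svc_backup -p '***' -c '***'
2025-07-01T10:16:40Z In(14) shell[2100254]: [root]: esxcli system account set -i svc_backup -s true
2025-07-01T10:17:05Z In(14) shell[2100254]: [root]: esxcli system account list
2025-07-01T11:02:11Z In(14) shell[2100301]: [root]: esxcli system account remove -i svc_backup
2025-07-01T11:05:00Z In(14) shell[2100301]: [root]: esxcli network ip interface list
"""

# Match only the account-management subcommands; 'list' is read-only and ignored.
ACCOUNT_CMD = re.compile(
    r"^(?P<ts>\S+)\s+.*?\[(?P<actor>[^\]]+)\]:\s+"
    r"esxcli\s+system\s+account\s+(?P<action>add|remove|set)\b(?P<args>.*)$"
)
# Target account is given as -i <id> or --id <id> (either spacing or '=' form).
TARGET = re.compile(r"(?:-i|--id)[=\s]+(?P<id>\S+)")


@dataclass(frozen=True)
class AccountEvent:
    ts: str       # syslog timestamp of the command
    actor: str    # shell user who ran esxcli
    action: str   # add | remove | set
    target: str   # account being managed


def parse_account_events(log_text):
    """Return one AccountEvent per local-account add/remove/set command found."""
    events = []
    for line in log_text.splitlines():
        m = ACCOUNT_CMD.search(line)
        if not m:
            continue
        t = TARGET.search(m.group("args"))
        target = t.group("id") if t else "<unknown>"
        events.append(AccountEvent(m.group("ts"), m.group("actor"),
                                   m.group("action"), target))
    return events


def lifecycle_by_account(events):
    """Group actions per target account in time order, e.g. an account that is
    added, modified and removed within an hour stands out for triage."""
    history = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        history[e.target].append(e.action)
    return dict(history)
```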
Categories
- Infrastructure
- Cloud
Data Sources
- Volume
- Application Log
ATT&CK Techniques
- T1136.001
- T1078
- T1098
Created: 2025-07-01