
Summary
This detection rule identifies when the ESXi Shell is enabled on VMware ESXi hosts, which may indicate unauthorized access or malicious activity. Enabling the ESXi Shell outside a designated maintenance window is a security concern: it permits local command execution on the hypervisor, which an attacker with host credentials can use to run commands and maintain persistent access. The rule searches VMware ESXi syslog data for log messages indicating that the ESXi Shell has been enabled and extracts the user who enabled the shell and the affected host, so that each occurrence can be attributed and triaged. Administrators should ensure that each host's syslog configuration forwards logs to the Splunk deployment; without that forwarding the rule has no data to match. The detection is designed to produce few false positives; the expected exceptions are administrators enabling the shell for legitimate maintenance, which should be confirmed against change records or the maintenance schedule before escalating.
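The following is an added illustration of the detection logic described above, not the Splunk rule's own search or code. It parses a handful of constructed syslog lines (the line layout and the "ESXi Shell for the host has been enabled" message text are assumptions loosely modeled on ESXi hostd/vobd output, not captured logs), keeps only shell-enable events, extracts the user and host, collapses the duplicate hostd/vobd lines a single enable action can produce, and flags events that fall outside an assumed maintenance window so that the expected false positives are separated from the alerts worth escalating.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import Iterable, List, Optional

# Constructed sample lines, not real captures. The format (timestamp, host,
# process, message) and the message wording are assumptions for illustration.
SAMPLE_LOGS = [
    "2025-05-12T02:14:07Z esxi01.corp.example Hostd: [Originator@6876 sub=Vimsvc.ha-eventmgr] "
    "Event 81 : ESXi Shell for the host has been enabled by root@10.10.5.23",
    "2025-05-12T02:14:09Z esxi01.corp.example vobd: [UserLevelCorrelator] 12345us: "
    "[esx.audit.esxishell.enabled] ESXi Shell for the host has been enabled",
    "2025-05-12T11:30:44Z esxi02.corp.example Hostd: [Originator@6876 sub=Vimsvc.ha-eventmgr] "
    "Event 92 : ESXi Shell for the host has been disabled by vcadmin@10.10.5.40",
    "2025-05-12T22:05:13Z esxi03.corp.example Hostd: [Originator@6876 sub=Vimsvc.ha-eventmgr] "
    "Event 104 : ESXi Shell for the host has been enabled by vcadmin@10.10.5.40",
    "2025-05-12T22:06:00Z esxi03.corp.example Hostd: [Originator@6876 sub=Vimsvc.ha-eventmgr] "
    "Event 105 : SSH for the host has been enabled by vcadmin@10.10.5.40",
]


@dataclass
class ShellEnabledEvent:
    timestamp: datetime
    host: str
    user: Optional[str]  # None when the line carries no principal (e.g. vobd)
    raw: str


@dataclass
class Alert:
    timestamp: datetime
    host: str
    user: Optional[str]
    in_maintenance_window: bool


# "<iso-timestamp> <host> <process>[pid]: <message>" (assumed layout)
_SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[A-Za-z]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)
# Only the enable message; "disabled" and "SSH ... enabled" must not match.
_ENABLED_RE = re.compile(r"ESXi Shell for the host has been enabled(?: by (?P<user>\S+))?")


def parse_line(line: str) -> Optional[ShellEnabledEvent]:
    """Return a ShellEnabledEvent for a shell-enable line, else None."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    e = _ENABLED_RE.search(m["msg"])
    if not e:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ShellEnabledEvent(ts, m["host"], e["user"], line)


def in_window(ts: datetime, start: time, end: time) -> bool:
    """True if ts (converted to UTC) falls in [start, end); handles windows crossing midnight."""
    t = ts.astimezone(timezone.utc).time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def detect(lines: Iterable[str],
           window=(time(22, 0), time(23, 0)),  # assumed 22:00-23:00 UTC maintenance window
           dedup_seconds: int = 60) -> List[Alert]:
    """Emit one Alert per enable action per host, merging duplicate lines within dedup_seconds."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    events.sort(key=lambda ev: ev.timestamp)
    alerts: List[Alert] = []
    for ev in events:
        last = alerts[-1] if alerts else None
        if last and last.host == ev.host and \
                (ev.timestamp - last.timestamp).total_seconds() <= dedup_seconds:
            if last.user is None:  # prefer whichever line named the principal
                last.user = ev.user
            continue
        alerts.append(Alert(ev.timestamp, ev.host, ev.user, in_window(ev.timestamp, *window)))
    return alerts


def escalation_candidates(alerts: List[Alert]) -> List[Alert]:
    """Alerts outside the maintenance window are the ones to triage first."""
    return [a for a in alerts if not a.in_maintenance_window]


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        tag = "maintenance-window" if a.in_maintenance_window else "OUTSIDE-WINDOW"
        print(f"{a.timestamp.isoformat()} host={a.host} user={a.user or '<unknown>'} {tag}")
```

On the sample input this yields two alerts: the 02:14 enable on esxi01 (attributed to root, outside the window, so an escalation candidate) and the 22:05 enable on esxi03 (inside the window). The disable event and the SSH event are ignored, and the user-less vobd line is folded into the hostd line that named the principal. In a real Splunk deployment the same extraction would be done with field extractions and a scheduled search; the maintenance window would come from a lookup rather than a hard-coded pair of times.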
Categories
- Infrastructure
- Cloud
Data Sources
- Volume
ATT&CK Techniques
- T1021
Created: 2025-05-12