
Summary
This detection rule identifies instances in which a user is granted the Administrator role on an ESXi host, based on the syslog entries ESXi writes when the permission change occurs. The event is worth alerting on because an unexpected administrator assignment often signals malicious activity: an attacker who has already gained access to an ESXi host can use the elevated privileges to escalate further, maintain presence within the virtualization layer, or disable critical security mechanisms. The search keys on the log messages that record the privilege change and fits within a broader strategy of monitoring virtualization platforms. Correct syslog forwarding from VMware ESXi to Splunk is a prerequisite for timely and accurate detection, and initial tuning for false positives is advised: legitimate, change-managed administrator assignments and automation accounts will match the same pattern, so baseline those before alerting.
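The detection logic the summary describes, run over constructed sample syslog lines, as an added Python example; it is not the rule's own Splunk search and not VMware code. The permission-change message format ("Permission created/updated for entity ..., user ..., role ..., propagate ...") and the role name "Admin" are assumptions modelled on hostd-style messages, so verify them against your own forwarded ESXi syslog before reusing the pattern. The allow-list argument is a hypothetical tuning knob for known automation accounts, the kind of false-positive tuning the summary recommends.

```python
import re
from dataclasses import dataclass
from typing import Collection, Iterable, List, Optional

# Syslog header (RFC 3164 style): optional <PRI>, timestamp, host, process name.
SYSLOG_HEADER_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<proc>[^:\s]+):"
)

# ASSUMPTION: permission-change wording modelled on hostd-style messages.
# Check the exact text against real ESXi logs before relying on it.
PERMISSION_RE = re.compile(
    r"Permission (?P<action>created|updated) for entity (?P<entity>\S+), "
    r"user (?P<user>\S+), role (?P<role>\S+), propagate (?P<propagate>true|false)"
)

# ASSUMPTION: the built-in ESXi administrator role is logged as "Admin".
ADMIN_ROLE = "Admin"


@dataclass(frozen=True)
class AdminRoleGrant:
    timestamp: str
    host: str
    entity: str
    user: str
    action: str        # "created" or "updated"
    propagate: bool    # whether the permission propagates to child objects
    raw: str


def parse_admin_grant(line: str) -> Optional[AdminRoleGrant]:
    """Return an AdminRoleGrant if the line records an Admin role assignment, else None."""
    perm = PERMISSION_RE.search(line)
    if perm is None or perm.group("role") != ADMIN_ROLE:
        return None  # not a permission change, or a non-admin role (e.g. ReadOnly)
    hdr = SYSLOG_HEADER_RE.match(line)
    return AdminRoleGrant(
        timestamp=hdr.group("ts") if hdr else "",
        host=hdr.group("host") if hdr else "unknown",
        entity=perm.group("entity"),
        user=perm.group("user"),
        action=perm.group("action"),
        propagate=perm.group("propagate") == "true",
        raw=line,
    )


def find_admin_role_grants(
    lines: Iterable[str], allowlist: Collection[str] = frozenset()
) -> List[AdminRoleGrant]:
    """Detection pass: every Admin role grant whose user is not on the tuning allow-list."""
    hits: List[AdminRoleGrant] = []
    for line in lines:
        grant = parse_admin_grant(line)
        if grant is not None and grant.user not in allowlist:
            hits.append(grant)
    return hits


# Constructed sample input (not real ESXi output): two Admin grants on two hosts,
# one ReadOnly grant, one permission removal and one unrelated login message.
SAMPLE_SYSLOG = [
    "<166>Jan 15 10:12:33 esxi01 Hostd: info hostd[2099876] [Originator@6876 sub=Vimsvc] "
    "Permission created for entity ha-folder-root, user svc_backup, role Admin, propagate true",
    "<166>Jan 15 10:12:40 esxi01 Hostd: info hostd[2099876] [Originator@6876 sub=Vimsvc] "
    "Permission created for entity ha-folder-root, user auditor, role ReadOnly, propagate true",
    "<166>Jan 15 10:13:02 esxi02 Hostd: info hostd[2099876] [Originator@6876 sub=Vimsvc] "
    "Permission updated for entity ha-folder-root, user attacker, role Admin, propagate false",
    "<166>Jan 15 10:13:10 esxi02 Hostd: info hostd[2099876] [Originator@6876 sub=Vimsvc] "
    "Permission removed for entity ha-folder-root, user olduser",
    "<166>Jan 15 10:14:00 esxi01 Hostd: info hostd[2099876] [Originator@6876 sub=Vimsvc] "
    "User dcui@127.0.0.1 logged in as VMware-client",
]


if __name__ == "__main__":
    # Run once untuned, then with a known automation account allow-listed.
    for grant in find_admin_role_grants(SAMPLE_SYSLOG):
        print(f"{grant.timestamp} {grant.host}: Admin role {grant.action} for {grant.user} "
              f"on {grant.entity} (propagate={grant.propagate})")
    print("after tuning:", [g.user for g in find_admin_role_grants(SAMPLE_SYSLOG, {"svc_backup"})])
```

The untuned pass flags both Admin grants; allow-listing the backup service account leaves only the unexpected one, which is the alert you actually want to page on. The same keyword split (permission-change string plus role name) is what the Splunk search needs to express, with the allow-list carried as a lookup rather than a Python set.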
Categories
- Infrastructure
- Cloud
- Endpoint
Data Sources
- Pod
- Container
- User Account
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1098 (Account Manipulation)
- T1078 (Valid Accounts)
Created: 2025-05-15