Splunk

ESXi System Information Discovery

Last updated 2 days ago on 2026-07-17

About

This detection identifies the use of ESXCLI system-level commands that retrieve configuration details. While used for legitimate administration, this behavior may also indicate adversary reconnaissance aimed at profiling the ESXi host's capabilities, build information, or system role in preparation for further compromise.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
False Positives
Administrators may use this command when troubleshooting. Tune as needed.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`esxi_syslog` Message="*system*" AND Message="*esxcli*" AND Message IN ("*get*","*list*") AND Message="*user=*" NOT Message="*filesystem*" | rex field=_raw "user=(?<user>\w+)\]\s+Dispatch\s+(?<command>[^\s]+)" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | stats min(_time) as firstTime max(_time) as lastTime count by dest user command | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_system_information_discovery_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).