text code block:`esxi_syslog` Message="*esxcli system auditrecords*" Message IN ("*remote*","*local*") NOT Message = "*[shell*" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | rex field=_raw "[\w+]\]: (?<full_command>.*)" | rex field=full_command "\[(?<user>.*)]:\s(?<command>.*)" | stats min(_time) as firstTime max(_time) as lastTime count by dest user command | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_audit_tampering_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).