text code block:`esxi_syslog` Message="*system settings encryption set*" NOT Message="*shell.*" Message IN ("* -s *", "* -e *","*--require-secure-boot*", "*require-exec-installed-only*", "execInstalledOnly") | rex field=_raw "Z (?<dest>[\w\.]*)\s.*\]: \[(?<user>\w+)\]:(?<command>.+)" | stats min(_time) as firstTime max(_time) as lastTime count by dest user command | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_encryption_settings_modified_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).