LoFP / limited false positives in most environments after initial setup, however tune as needed.

`esxi_syslog` Message="*esxcli system permission set*" AND Message="*role Admin*" 
| rex field=_raw "\]: \[(?<user>\w+)\]:(?<command>.+)" 
| rex field=_raw "--id (?<target_user>\w+)" 
| rex field=_raw "Z (?<dest>[\w\.]+)\s" 
| stats min(_time) as firstTime max(_time) as lastTime count by dest user command target_user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `esxi_user_granted_admin_role_filter`