From 5217422b89626d71744d8999be6dc2ce47b016b3 Mon Sep 17 00:00:00 2001
From: junk
Date: Tue, 3 Dec 2024 14:29:27 -0500
Subject: [PATCH] Update splunk_alert.md
---
 splunk_alert.md | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/splunk_alert.md b/splunk_alert.md
index bbeda68..9e7fcc9 100644
--- a/splunk_alert.md
+++ b/splunk_alert.md
@@ -1,23 +1,24 @@
 ```
-index=* RuleName=T*
+`indextime` `sysmon` RuleName="technique_id=T1027,technique_name=Obfuscated Files or Information"
 | eval hash_sha256= lower(hash_sha256),
-mitre_technique_id="T1543",
-mitre_technique="Create or Modify System Process",
-mitre_subtechnique_id="T1543.001",
-mitre_subtechnique="Launch Agent",
-mitre_category="Persistence",
-apt=mvappend("APT28", ""),
-hunting_trigger="Look for unusual modifications to system processes.",
-mitre_link="https://attack.mitre.org/techniques/T1543/",
+hunting_trigger="",
+mitre_category="Defense_Evasion",
+mitre_technique="Obfuscated Files or Information",
+mitre_technique_id="T1027",
+mitre_subtechnique="",
+mitre_subtechnique_id="",
+apt="",
+mitre_link="https://attack.mitre.org/techniques/T1027/",
 creator="Cpl Iverson",
-upload_date="",
-last_modify_date="",
+upload_date="2024/12/03",
+last_modify_date="2024/12/03",
 mitre_version="v16",
-priority="High"
+priority=""
 | `process_create_whitelist`
 | eval indextime = _indextime
 | convert ctime(indextime)
 | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id mitre_subtechnique_id mitre_subtechnique apt hunting_trigger mitre_link upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
 ```
 # Permissions
 
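Review bot: The new `priority=""` (replacing `priority="High"`) means every row this search now writes into the summary index via the added `| collect `jarvis_index`` carries an empty priority, so anything downstream that triages or routes on that field will silently drop or misrank these T1027 hits; set a real value such as `priority="Medium"` before enabling the collect, and likewise fill `hunting_trigger` so an analyst reading the summary row knows what to look at. The exact-match `RuleName="technique_id=T1027,technique_name=Obfuscated Files or Information"` also depends on the Sysmon config emitting that precise string; if a rule group on the sensor adds or reorders names, the filter misses, so a narrower-but-tolerant form like `RuleName="*technique_id=T1027*"` is worth considering. Whether the `sysmon` and `process_create_whitelist` macros already scope by index and event code is not visible in this hunk, so I would add a one-line comment above the search naming the expected EventCode (presumably 1) to make the whitelist's applicability explicit.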
@@ -32,3 +33,7 @@ priority="High" - Schedule Priority: Default - Schedule Window: Auto +# Macros + - jarvis_index: index=jarvis + - indextime: _index_earliest=-15m@m AND _index_latest=now +
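Review bot: The new Macros section documents only `jarvis_index` and `indextime`, but the search on this page also expands `sysmon` and `process_create_whitelist`, so a reader cannot tell what index/sourcetype scope or which whitelist is applied; add ` - sysmon: <definition>` and ` - process_create_whitelist: <definition>` (or a pointer to where they live). The `indextime` definition `_index_earliest=-15m@m AND _index_latest=now` snaps the lower bound to the minute but not the upper one, so consecutive scheduled runs can overlap by up to a minute and the `collect` may write the same event twice into the summary index; `_index_latest=@m` makes successive windows contiguous. The window also only provides full coverage if the schedule interval is at most 15 minutes and runs are not skipped, and the cron is outside this hunk, so record the intended interval next to the macro.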