diff --git a/splunk_alert.md b/splunk_alert.md
new file mode 100644
index 0000000..5073c4e
--- /dev/null
+++ b/splunk_alert.md
@@ -0,0 +1,23 @@
+```
+index=* RuleName=T*
+| eval hash_sha256= lower(hash_sha256),
+mitre_technique_id="T1543",
+mitre_technique="Create or Modify System Process",
+mitre_subtechnique_id="T1543.001",
+mitre_subtechnique="Launch Agent",
+mitre_category="Persistence",
+apt=mvappend("APT28", "APT29"),
+hunting_trigger="Look for unusual modifications to system processes.",
+mitre_link="https://attack.mitre.org/techniques/T1543/",
+creator="Cpl Iverson",
+upload_date="",
+last_modify_date="",
+mitre_version="v16",
+priority="High"
+| `process_create_whitelist`
+| eval indextime = _indextime
+| convert ctime(indextime)
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id mitre_subtechnique_id mitre_subtechnique apt hunting_trigger mitre_link upload_date last_modify_date mitre_version priority
+```
\ No newline at end of file
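Review bot: The pair `| eval indextime = _indextime` / `| convert ctime(indextime)` appears twice in a row after the `process_create_whitelist` macro; the second pair re-derives the same field from `_indextime` and reformats it again, so it adds nothing and should be deleted. The base search `index=* RuleName=T*` matches every rule whose name begins with "T" across all indexes, yet the eval hard-codes T1543.001 metadata onto each result, so events from other techniques would presumably be tagged as Launch Agent persistence — if this alert is meant to be specific to that sub-technique, the RuleName filter should be narrowed to it (the exact naming convention is not visible here). `upload_date=""` and `last_modify_date=""` are left empty, which makes the tracking fields in the final table uninformative; consider filling them or noting in the file that they are placeholders.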