``` `indextime` `sysmon` | eval hash_sha256= lower(hash_sha256), hunting_trigger="", mitre_category="Defense_Evasion", mitre_technique="Obfuscated Files or Information", mitre_technique_id="T1027", mitre_subtechnique="", mitre_subtechnique_id="", apt="", mitre_link="https://attack.mitre.org/techniques/T", creator="Cpl Iverson", last_tested="", upload_date="2024-01-01", last_modify_date="2025-01-09", mitre_version="v16", priority="" | `process_create_whitelist` | eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority | collect `jarvis_index` ``` # Permissions - Display For: App - Read: Everyone - Write: admin # Schedule - Schedule: Run on Cron Schedule - */15 * * * * - Time Range: Since date time - Schedule Priority: Default - Schedule Window: Auto # Macros - jarvis_index: index=jarvis - indextime: _index_earliest=-15m@m AND _index_latest=now ## Network Whitelist ``` table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name ``` ## WMI Whitelist ``` | table _time indextime host_fqdn user_name wmi_consumer_name wmi_consumer_destination ``` ## File Create ``` | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger ```