spl/splunk_alert.md

```
`indextime` `sysmon` <SEARCH>
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="",
mitre_category="Defense_Evasion",
mitre_technique="Obfuscated Files or Information",
mitre_technique_id="T1027",
mitre_subtechnique="", 
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1027/",
creator="Cpl Iverson",
upload_date="FIRSTDATE",
last_modify_date="CURRENTDATE",
mitre_version="v16",
priority=""
| `process_create_whitelist` 
| eval indextime = _indextime 
| convert ctime(indextime) 
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```

# Permissions
    - Display For: App
    - Read: Everyone
    - Write: admin

# Schedule
    - Schedule: Run on Cron Schedule
    - */15 * * * *
    - Time Range: Since date time
    - Schedule Priority: Default
    - Schedule Window: Auto

# Macros
    - jarvis_index: 	index=jarvis
    - indextime: _index_earliest=-15m@m AND _index_latest=now