
Summary
This detection rule identifies process creations where the executed file has five or more consecutive spaces immediately before its file extension (for example "invoice     .exe"). Attackers pad names this way so that the real extension is pushed out of view in file dialogs, mail clients and directory listings, and the executable passes as a document; the same padding can defeat naive string checks on the file name. By flagging files that match this pattern, the rule surfaces executions that would otherwise blend in because of their deceptive names.

The detection relies on Sysmon Event ID 1 (process creation) data and queries the Splunk Endpoint data model (Processes dataset) for processes matching these criteria. Fields of interest in the search are the process path, the user, and the destination host (dest), together with first-seen and last-seen timestamps that let analysts place the activity on a timeline. Implementing the rule requires Sysmon or EDR process-creation telemetry ingested into Splunk and correctly mapped to the Common Information Model (CIM); a data-model search over unmapped fields returns no results rather than an error, so validate the mapping before relying on the rule.
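As an added example, not part of the original rule or of Splunk's own search logic, the following Python applies the rule's filter to a handful of constructed Sysmon Event ID 1 records shaped like CIM Processes fields and aggregates them the way the search does: count, first and last time, grouped by process path, user and destination. The regular expression is my reading of "five or more spaces before the extension" and is an assumption; the sample records, host names and user names are made up. It also carries the check a practitioner would want: match on the file name (process_name), not the full path, because a directory name containing a run of spaces would otherwise trigger the rule.

```python
import re
from typing import Any, Dict, List, Tuple

# Assumption (not from the page): "five or more spaces before the extension" is read as
# five or more consecutive spaces followed by a dot and the rest of the file name,
# anchored to the end of the name so spaces elsewhere ("my     doc.exe") do not match.
SPACES_BEFORE_EXT = re.compile(r" {5,}\.[^\\/]+$")


def basename(path: str) -> str:
    """File-name component of a Windows or POSIX path (Sysmon's Image field is the full path)."""
    return re.split(r"[\\/]", path)[-1]


def has_spaces_before_extension(process_name: str) -> bool:
    """True when the file name itself, not the directory part, carries the padded extension."""
    return SPACES_BEFORE_EXT.search(process_name) is not None


# Constructed Sysmon Event ID 1 records, already shaped like CIM Processes fields.
# Example inputs made up for this demonstration, not data from the page.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"_time": "2024-11-14T08:01:05Z", "user": "CORP\\alice", "dest": "WS01",
     "process_path": "C:\\Users\\alice\\Downloads\\invoice     .exe"},      # 5 spaces: match
    {"_time": "2024-11-14T08:07:30Z", "user": "CORP\\alice", "dest": "WS01",
     "process_path": "C:\\Users\\alice\\Downloads\\invoice     .exe"},      # same key: count 2
    {"_time": "2024-11-14T09:15:00Z", "user": "CORP\\bob", "dest": "WS02",
     "process_path": "C:\\Temp\\Q3 results      .pdf.exe"},                 # 6 spaces before .pdf: match
    {"_time": "2024-11-14T09:20:00Z", "user": "CORP\\bob", "dest": "WS02",
     "process_path": "C:\\Program Files\\Vendor     .Tools\\tool.exe"},     # spaces only in a directory: no match
    {"_time": "2024-11-14T09:30:00Z", "user": "CORP\\carol", "dest": "WS03",
     "process_path": "C:\\Users\\carol\\Downloads\\setup    .exe"},         # 4 spaces: below threshold
    {"_time": "2024-11-14T09:31:00Z", "user": "CORP\\carol", "dest": "WS03",
     "process_path": "C:\\Windows\\System32\\notepad.exe"},                 # benign
]


def detect(events: List[Dict[str, str]]) -> List[Dict[str, Any]]:
    """Apply the rule's filter and aggregate like the search: count, first and last time,
    grouped by process_path, user and dest. Timestamps are ISO-8601 UTC strings of equal
    length, so plain string min/max orders them chronologically."""
    groups: Dict[Tuple[str, str, str], Dict[str, Any]] = {}
    for ev in events:
        # Check the file name only; a padded directory name must not count as a hit.
        if not has_spaces_before_extension(basename(ev["process_path"])):
            continue
        key = (ev["process_path"], ev["user"], ev["dest"])
        g = groups.get(key)
        if g is None:
            groups[key] = {"process_path": key[0], "user": key[1], "dest": key[2],
                           "count": 1, "firstTime": ev["_time"], "lastTime": ev["_time"]}
        else:
            g["count"] += 1
            g["firstTime"] = min(g["firstTime"], ev["_time"])
            g["lastTime"] = max(g["lastTime"], ev["_time"])
    return sorted(groups.values(), key=lambda g: (g["firstTime"], g["process_path"]))


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f'{hit["firstTime"]} .. {hit["lastTime"]}  x{hit["count"]}  '
              f'{hit["dest"]}  {hit["user"]}  {hit["process_path"]}')
```

Run directly, it prints the two hits (alice's invoice with a count of 2, bob's padded PDF lookalike); the record whose spaces sit in a directory name and the one with only four spaces are left out. In Splunk the same filter belongs on Processes.process_name rather than Processes.process_path for the same reason.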
Categories
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1036.003
Created: 2024-11-14