Apply Potential Windows Enumeration Detected
and when an event matches any of the following BB: Windows Endpoint Events
and when the event matches Event ID is any of 4688
and when the event matches Command (custom) any of [whoami or tasklist or system info]
and NOT when the source OP is on of the following IP addresses || Example