Which SIEM platforms have a T1594 detection rule?

df00tech provides T1594 (Search Victim-Owned Websites) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Search Victim-Owned Websites (T1594)?

Detecting Search Victim-Owned Websites requires the following data sources: Microsoft Sentinel (W3C IIS Logs), Azure WAF Logs.

What severity and confidence is the T1594 detection?

The T1594 detection is rated medium severity with low confidence.

What are common false positives for T1594?

Common false positives for T1594 include: Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) with high request volumes — filter by known crawler IP ranges and UA strings; Authorized penetration testing or red team engagements scheduled by the organization — cross-reference with change management records; Web archiving services such as archive.org (Internet Archive) performing scheduled snapshots.

T1594: Search Victim-Owned Websites — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let timeWindow = 1h;
let requestThreshold = 100;
let errorThreshold = 20;
let suspiciousUAs = dynamic(["scrapy", "python-requests", "python-urllib", "wget", "nikto", "masscan", "nmap", "zgrab", "go-http-client", "libwww-perl", "java/", "curl/", "dirbuster", "gobuster", "feroxbuster", "wfuzz", "ffuf", "httprint", "sqlmap", "whatweb"]);
let reconPaths = dynamic(["/robots.txt", "/sitemap.xml", "/sitemap_index.xml", "/.well-known/security.txt", "/.git/", "/.env", "/wp-admin", "/admin", "/staff", "/team", "/employees", "/contact", "/about", "/management", "/leadership", "/directory"]);
W3CIISLog
| where TimeGenerated > ago(timeWindow)
| extend UALower = tolower(csUserAgent)
| extend IsReconUA = UALower has_any (suspiciousUAs)
| extend IsReconPath = csUriStem has_any (reconPaths)
| extend Is404 = (scStatus == 404)
| extend IsEmployeePage = csUriStem matches regex @"(?i)/(staff|team|employees|people|directory|contact|about|leadership|management|board)"
| where IsReconUA or IsReconPath or Is404 or IsEmployeePage
| summarize
    TotalRequests = count(),
    Count404 = countif(scStatus == 404),
    Count403 = countif(scStatus == 403),
    UniquePathsRequested = dcount(csUriStem),
    ReconPathHits = countif(IsReconPath),
    EmployeePageHits = countif(IsEmployeePage),
    SuspiciousUAUsed = countif(IsReconUA),
    UserAgents = make_set(csUserAgent, 5),
    AccessedPaths = make_set(csUriStem, 30),
    FirstRequest = min(TimeGenerated),
    LastRequest = max(TimeGenerated)
    by SourceIP = cIp, TargetSite = sSiteName
| extend ReconScore = 
    (case(Count404 > 50, 3, Count404 > 20, 2, Count404 > 5, 1, 0)) +
    (case(TotalRequests > 500, 3, TotalRequests > 200, 2, TotalRequests > 100, 1, 0)) +
    (case(ReconPathHits > 3, 2, ReconPathHits >= 1, 1, 0)) +
    (case(SuspiciousUAUsed > 0, 2, 0)) +
    (case(EmployeePageHits > 5, 2, EmployeePageHits >= 1, 1, 0))
| where ReconScore >= 3
| extend SessionDurationMinutes = datetime_diff('minute', LastRequest, FirstRequest)
| extend RequestsPerMinute = round(todouble(TotalRequests) / max_of(SessionDurationMinutes, 1), 1)
| project
    FirstRequest, LastRequest, SourceIP, TargetSite,
    TotalRequests, Count404, Count403, UniquePathsRequested,
    ReconPathHits, EmployeePageHits, SuspiciousUAUsed,
    SessionDurationMinutes, RequestsPerMinute,
    UserAgents, AccessedPaths, ReconScore
| sort by ReconScore desc, TotalRequests desc

Detects automated reconnaissance against victim-owned web properties by correlating IIS web server access logs for high-volume requests, directory enumeration patterns (404 spikes), access to reconnaissance-specific paths (robots.txt, sitemap.xml, .git, .env), employee/contact directory harvesting, and known scraping tool user agents. Assigns a composite ReconScore to prioritize high-confidence alerts.

medium severity low confidence

Data Sources

Microsoft Sentinel (W3C IIS Logs) Azure WAF Logs

Required Tables

W3CIISLog

False Positives

Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) with high request volumes — filter by known crawler IP ranges and UA strings
Authorized penetration testing or red team engagements scheduled by the organization — cross-reference with change management records
Web archiving services such as archive.org (Internet Archive) performing scheduled snapshots
SEO audit tools used by the marketing team (Screaming Frog, Ahrefs, SEMrush bots)
Load testing tools (Apache JMeter, k6, Locust) run by the engineering team generating high 404 rates

Splunk

spl

index=* (sourcetype="access_combined" OR sourcetype="access_combined_wcookie" OR sourcetype="iis" OR sourcetype="ms:iis:auto" OR sourcetype="stream:http")
| eval ua_lower=lower(coalesce(http_user_agent, cs_User_Agent, useragent))
| eval uri=coalesce(uri_path, cs_uri_stem, url)
| eval status_code=coalesce(status, sc_status)
| eval src=coalesce(src_ip, c_ip, clientip)
| eval is_recon_ua=if(match(ua_lower, "(scrapy|python-requests|python-urllib|wget\/|nikto|masscan|nmap|zgrab|go-http-client|libwww-perl|dirbuster|gobuster|feroxbuster|wfuzz|ffuf|sqlmap|whatweb)"), 1, 0)
| eval is_recon_path=if(match(uri, "(?i)(robots\.txt|sitemap.*\.xml|\.well-known|/\.git|/\.env|/wp-admin|/phpmyadmin)"), 1, 0)
| eval is_employee_page=if(match(uri, "(?i)/(staff|team|employees|people|directory|contact|about|leadership|management|board)"), 1, 0)
| eval is_404=if(status_code="404" OR status_code=404, 1, 0)
| eval is_403=if(status_code="403" OR status_code=403, 1, 0)
| where is_recon_ua=1 OR is_recon_path=1 OR is_404=1 OR is_employee_page=1
| bin _time span=10m
| stats
    count as total_requests,
    sum(is_404) as count_404,
    sum(is_403) as count_403,
    dc(uri) as unique_paths,
    sum(is_recon_path) as recon_path_hits,
    sum(is_employee_page) as employee_page_hits,
    sum(is_recon_ua) as suspicious_ua_hits,
    values(ua_lower) as user_agents,
    values(uri) as accessed_paths
    by _time, src, host
| eval recon_score=0
| eval recon_score=recon_score + case(count_404 > 50, 3, count_404 > 20, 2, count_404 > 5, 1, true(), 0)
| eval recon_score=recon_score + case(total_requests > 500, 3, total_requests > 200, 2, total_requests > 100, 1, true(), 0)
| eval recon_score=recon_score + case(recon_path_hits > 3, 2, recon_path_hits >= 1, 1, true(), 0)
| eval recon_score=recon_score + if(suspicious_ua_hits > 0, 2, 0)
| eval recon_score=recon_score + case(employee_page_hits > 5, 2, employee_page_hits >= 1, 1, true(), 0)
| where recon_score >= 3
| sort -recon_score, -total_requests
| table _time, src, host, total_requests, count_404, count_403, unique_paths, recon_path_hits, employee_page_hits, suspicious_ua_hits, recon_score, user_agents, accessed_paths

Detects website reconnaissance patterns from web access logs by identifying high 404 rates (directory enumeration), access to sensitive paths (robots.txt, sitemap.xml, .git), employee/contact page harvesting, and known scraping tool user agents. Uses a composite scoring model across 10-minute windows to surface high-confidence recon activity.

medium severity low confidence

Data Sources

Web Access Logs (Apache/Nginx/IIS) Splunk Stream HTTP

Required Sourcetypes

access_combined iis stream:http

False Positives

Legitimate search engine crawlers (Googlebot, Bingbot) generating high request volumes against public-facing pages
Authorized security scanning or bug bounty researchers operating within disclosed scope
Web performance monitoring tools (Pingdom, New Relic Synthetics, Datadog) performing health checks
Content Delivery Network (CDN) origin pull requests that appear as high-volume single-source traffic
Marketing analytics bots and SEO auditing tools used by internal teams

Elastic Security (EQL)

eql

// T1594 — Search Victim-Owned Websites
any where event.dataset : ("iis.access", "apache_http_server.access")
  and (user_agent.original : (
    "scrapy*", "python-requests*", "wget*", "nikto*", "masscan*",
    "nmap*", "zgrab*", "go-http-client*", "libwww-perl*"
  ) or url.path : (
    "/robots.txt", "/sitemap.xml", "/.git/*", "/.env", "/wp-admin/*",
    "/admin/*", "/staff*", "/team*", "/employees*", "/contact*",
    "/about*", "/management*", "/leadership*", "/directory*"
  ))

Elastic EQL detection for Search Victim-Owned Websites (T1594). Translates the Microsoft Sentinel KQL logic to Elastic Common Schema (ECS) field mappings for use in Elastic SIEM. Targets the same behavioral indicators across process creation, network, and authentication event types.

medium severity low confidence

Data Sources

Web Server Logs IIS Logs

Required Tables

logs-apache_http_server.* logs-iis.access-*

False Positives

Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) with high request volumes — filter by known crawler IP ranges and UA strings
Authorized penetration testing or red team engagements scheduled by the organization — cross-reference with change management records
Web archiving services such as archive.org (Internet Archive) performing scheduled snapshots
SEO audit tools used by the marketing team (Screaming Frog, Ahrefs, SEMrush bots)

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("useragent") ILIKE '%scrapy%' OR LOWER("useragent") ILIKE '%python-requests%' OR LOWER("requesturl") ILIKE '%/staff%' OR LOWER("requesturl") ILIKE '%/team%' OR LOWER("requesturl") ILIKE '%/employees%' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("useragent") ILIKE '%scrapy%' OR LOWER("useragent") ILIKE '%python-requests%' OR LOWER("requesturl") ILIKE '%/staff%' OR LOWER("requesturl") ILIKE '%/team%' OR LOWER("requesturl") ILIKE '%/employees%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

QRadar AQL detection for Search Victim-Owned Websites (T1594). SQL-like syntax queries the QRadar events store, correlating log source telemetry with risk scoring to surface reconnaissance and attack patterns. Filters out noise from internal SIM and rule engine log sources.

medium severity low confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) with high request volumes — filter by known crawler IP ranges and UA strings
Authorized penetration testing or red team engagements scheduled by the organization — cross-reference with change management records
Web archiving services such as archive.org (Internet Archive) performing scheduled snapshots
SEO audit tools used by the marketing team (Screaming Frog, Ahrefs, SEMrush bots)

Sumo Logic CSE

sql

_sourceCategory=*web* OR _sourceCategory=*iis* OR _sourceCategory=*apache*
| parse regex "(?<client_ip>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) - (?<user>[^ ]+) .* \"(?<method>[A-Z]+) (?<uri>[^ ]+).*\" (?<status>\\d+)"
| count by client_ip, uri
| sort by _count desc

Sumo Logic detection for Search Victim-Owned Websites (T1594). Uses _sourceCategory path filtering for flexible log routing compatibility, with JSON field extraction and statistical aggregation to surface search victim-owned websites patterns. Designed for the Sumo Logic Cloud SIEM platform.

medium severity low confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

web/access iis/access

False Positives

Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) with high request volumes — filter by known crawler IP ranges and UA strings
Authorized penetration testing or red team engagements scheduled by the organization — cross-reference with change management records
Web archiving services such as archive.org (Internet Archive) performing scheduled snapshots
SEO audit tools used by the marketing team (Screaming Frog, Ahrefs, SEMrush bots)

Google Chronicle / SecOps

yaral

rule t1594_search_victim-owned_websites {
  meta:
    author = "df00tech"
    description = "Detects Search Victim-Owned Websites (T1594)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1594"
    confidence = "low"
    severity = "medium"
  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.principal.ip != ""
  condition:
    $e
}

Google Chronicle YARA-L 2.0 detection rule for Search Victim-Owned Websites (T1594). Uses Unified Data Model (UDM) event field mappings to detect the same behavioral patterns as the KQL rule, with Chronicle's temporal matching and entity correlation capabilities.

medium severity low confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

NETWORK_HTTP NETWORK_CONNECTION

False Positives

Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) with high request volumes — filter by known crawler IP ranges and UA strings
Authorized penetration testing or red team engagements scheduled by the organization — cross-reference with change management records
Web archiving services such as archive.org (Internet Archive) performing scheduled snapshots
SEO audit tools used by the marketing team (Screaming Frog, Ahrefs, SEMrush bots)

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /python|curl|wget|nmap|masscan/i
| TechniqueLabel := "T1594 - Reconnaissance"
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])

CrowdStrike LogScale (Falcon) CQL detection for Search Victim-Owned Websites (T1594). Uses CrowdStrike event simpleName taxonomy with regex-based field filtering, groupBy aggregation, and case-based risk classification. Designed for the Falcon platform's LogScale query language.

medium severity low confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

HttpRequest ProcessRollup2

False Positives

Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) with high request volumes — filter by known crawler IP ranges and UA strings
Authorized penetration testing or red team engagements scheduled by the organization — cross-reference with change management records
Web archiving services such as archive.org (Internet Archive) performing scheduled snapshots
SEO audit tools used by the marketing team (Screaming Frog, Ahrefs, SEMrush bots)

Search Victim-Owned Websites

What is T1594 Search Victim-Owned Websites?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1594

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Reconnaissance

Popular Detections

What is T1594 Search Victim-Owned Websites?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1594

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Reconnaissance

Popular Detections

Get new detections in your inbox