Which SIEM platforms have a T1654 detection rule?

df00tech provides T1654 (Log Enumeration) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Log Enumeration (T1654)?

Detecting Log Enumeration requires the following data sources: Microsoft Defender for Endpoint.

What severity and confidence is the T1654 detection?

The T1654 detection is rated medium severity with medium confidence.

What are common false positives for T1654?

Common false positives for T1654 include: SIEM agents and log forwarders (e.g., Splunk Universal Forwarder, Elastic Winlogbeat) regularly query Windows event logs using wevtutil or WinAPI equivalents; IT operations teams and sysadmins running wevtutil.exe or Get-WinEvent during troubleshooting, capacity planning, or scheduled log archival; Backup and compliance solutions (e.g., Veeam, Commvault, Netwrix Auditor) that export Security and System logs as part of audit retention workflows.

T1654: Log Enumeration — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let TimeWindow = 1d;
let SuspiciousParents = dynamic(["cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe"]);
DeviceProcessEvents
| where TimeGenerated > ago(TimeWindow)
| where (
    // wevtutil log enumeration and export
    (FileName =~ "wevtutil.exe" and ProcessCommandLine has_any ("qe ", "epl ", "query-events", "export-log", "gl ", "qel ", "get-log"))
    // PowerShell native log cmdlets
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-EventLog", "Get-WinEvent", "Get-WinEvent", "[System.Diagnostics.EventLog]"))
    // Azure VM Guest log collection
    or FileName =~ "CollectGuestLogs.exe"
)
| extend
    LogTarget = case(
        ProcessCommandLine has_any ("security", "Security"), "Security",
        ProcessCommandLine has_any ("system", "System"), "System",
        ProcessCommandLine has_any ("application", "Application"), "Application",
        ProcessCommandLine has_any ("powershell", "PowerShell"), "PowerShell Operational",
        ProcessCommandLine has "ForwardedEvents", "Forwarded Events",
        "Other"
    ),
    IsBulkExport = iff(
        ProcessCommandLine has_any ("epl", "export-log", "Out-File", "Export-Csv", "Set-Content", " > ", "Tee-Object"),
        true, false
    ),
    SuspiciousParent = iff(
        InitiatingProcessFileName in~ (SuspiciousParents),
        true, false
    ),
    RiskScore = case(
        ProcessCommandLine has_any ("epl", "export-log", "Out-File") and ProcessCommandLine has "security", 9,
        ProcessCommandLine has_any ("epl", "export-log", "Out-File"), 7,
        InitiatingProcessFileName in~ (SuspiciousParents), 8,
        ProcessCommandLine has "security", 6,
        true, 3
    )
| where RiskScore >= 3
| project
    TimeGenerated,
    DeviceName,
    AccountName,
    AccountDomain,
    FileName,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    LogTarget,
    IsBulkExport,
    SuspiciousParent,
    RiskScore
| order by RiskScore desc, TimeGenerated desc

Detects log enumeration activity using wevtutil.exe (query/export operations), PowerShell cmdlets (Get-EventLog, Get-WinEvent), and Azure CollectGuestLogs.exe. Scores results by risk level based on whether Security logs are targeted, whether logs are being bulk-exported, and whether the parent process is suspicious (script interpreters, LOLBins). Aligns with Volt Typhoon and Ember Bear TTPs.

medium severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

SIEM agents and log forwarders (e.g., Splunk Universal Forwarder, Elastic Winlogbeat) regularly query Windows event logs using wevtutil or WinAPI equivalents
IT operations teams and sysadmins running wevtutil.exe or Get-WinEvent during troubleshooting, capacity planning, or scheduled log archival
Backup and compliance solutions (e.g., Veeam, Commvault, Netwrix Auditor) that export Security and System logs as part of audit retention workflows
Azure Monitor Agent and Microsoft Monitoring Agent (MMA/AMA) using CollectGuestLogs.exe on cloud-hosted VMs as part of normal diagnostics
Vulnerability scanners and configuration management tools (e.g., Nessus, Qualys, SCCM) that enumerate event log state to assess system health

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| search (
    (Image="*\\wevtutil.exe" AND (CommandLine="*qe *" OR CommandLine="*epl *" OR CommandLine="*query-events*" OR CommandLine="*export-log*" OR CommandLine="*gl *" OR CommandLine="*qel *" OR CommandLine="*get-log*"))
    OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (CommandLine="*Get-EventLog*" OR CommandLine="*Get-WinEvent*" OR CommandLine="*[System.Diagnostics.EventLog]*"))
    OR Image="*\\CollectGuestLogs.exe"
  )
| eval log_target=case(
    like(lower(CommandLine), "%security%"), "Security",
    like(lower(CommandLine), "%system%"), "System",
    like(lower(CommandLine), "%application%"), "Application",
    like(lower(CommandLine), "%powershell%"), "PowerShell Operational",
    true(), "Other"
  )
| eval is_bulk_export=if(
    match(CommandLine, "(?i)(epl|export-log|Out-File|Export-Csv|Set-Content|Tee-Object|>\\s*[A-Za-z])"),
    "true", "false"
  )
| eval suspicious_parent=if(
    match(ParentImage, "(?i)(cmd\\.exe|wscript\\.exe|cscript\\.exe|mshta\\.exe|regsvr32\\.exe|rundll32\\.exe|msiexec\\.exe)"),
    "true", "false"
  )
| eval risk_score=case(
    (is_bulk_export="true" AND log_target="Security"), 9,
    (suspicious_parent="true"), 8,
    (is_bulk_export="true"), 7,
    (log_target="Security"), 6,
    true(), 3
  )
| where risk_score >= 3
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, log_target, is_bulk_export, suspicious_parent, risk_score
| sort - risk_score

Detects log enumeration via Sysmon process creation (EventCode=1) for wevtutil.exe log query/export operations, PowerShell event log cmdlets, and CollectGuestLogs.exe. Enriches with log target classification, bulk export detection, and suspicious parent process flagging to reduce noise and prioritize high-risk alerts.

medium severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Log forwarder agents (Splunk UF, NXLog, Elastic Agent) will regularly generate wevtutil or PowerShell Get-WinEvent process creation events during normal log shipping
Windows Event Log backup scripts run by scheduled tasks under SYSTEM or service accounts during maintenance windows
Security monitoring and EDR products that use wevtutil or Windows Event Log API to collect telemetry from managed endpoints
Azure Monitor and Log Analytics agents using CollectGuestLogs.exe on Azure VMs as part of VM diagnostic extension activity
IT helpdesk staff running ad-hoc PowerShell sessions to retrieve event logs for user support or incident investigation

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1654*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

Elastic EQL detection for Log Enumeration (T1654). Identifies log enumeration activity by correlating endpoint telemetry patterns consistent with known adversary techniques.

medium severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

SIEM agents and log forwarders (e.g., Splunk Universal Forwarder, Elastic Winlogbeat) regularly query Windows event logs using wevtutil or WinAPI equivalents
IT operations teams and sysadmins running wevtutil.exe or Get-WinEvent during troubleshooting, capacity planning, or scheduled log archival
Backup and compliance solutions (e.g., Veeam, Commvault, Netwrix Auditor) that export Security and System logs as part of audit retention workflows

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

IBM QRadar AQL detection for Log Enumeration (T1654). Queries QRadar event pipeline for indicators consistent with log enumeration adversary techniques using MITRE ATT&CK-aligned event categorization.

medium severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

SIEM agents and log forwarders (e.g., Splunk Universal Forwarder, Elastic Winlogbeat) regularly query Windows event logs using wevtutil or WinAPI equivalents
IT operations teams and sysadmins running wevtutil.exe or Get-WinEvent during troubleshooting, capacity planning, or scheduled log archival
Backup and compliance solutions (e.g., Veeam, Commvault, Netwrix Auditor) that export Security and System logs as part of audit retention workflows

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

Sumo Logic detection for Log Enumeration (T1654). Identifies adversary log enumeration behaviors using Sumo Logic's search pipeline with field extraction and anomaly classification.

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

SIEM agents and log forwarders (e.g., Splunk Universal Forwarder, Elastic Winlogbeat) regularly query Windows event logs using wevtutil or WinAPI equivalents
IT operations teams and sysadmins running wevtutil.exe or Get-WinEvent during troubleshooting, capacity planning, or scheduled log archival
Backup and compliance solutions (e.g., Veeam, Commvault, Netwrix Auditor) that export Security and System logs as part of audit retention workflows

Google Chronicle / SecOps

yaral

rule detection_t1654 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Log Enumeration - T1654"
    severity = "HIGH"
    mitre_attack = "T1654"
    reference = "https://attack.mitre.org/techniques/T1654/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

Google Chronicle YARA-L 2.0 rule for detecting Log Enumeration (T1654). Uses Chronicle UDM event model to identify log enumeration behaviors across endpoint and cloud telemetry.

medium severity medium confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

SIEM agents and log forwarders (e.g., Splunk Universal Forwarder, Elastic Winlogbeat) regularly query Windows event logs using wevtutil or WinAPI equivalents
IT operations teams and sysadmins running wevtutil.exe or Get-WinEvent during troubleshooting, capacity planning, or scheduled log archival
Backup and compliance solutions (e.g., Veeam, Commvault, Netwrix Auditor) that export Security and System logs as part of audit retention workflows

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

CrowdStrike LogScale CQL detection for Log Enumeration (T1654). Queries Falcon telemetry for log enumeration behavioral indicators aligned with MITRE ATT&CK T1654.

medium severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

SIEM agents and log forwarders (e.g., Splunk Universal Forwarder, Elastic Winlogbeat) regularly query Windows event logs using wevtutil or WinAPI equivalents
IT operations teams and sysadmins running wevtutil.exe or Get-WinEvent during troubleshooting, capacity planning, or scheduled log archival
Backup and compliance solutions (e.g., Veeam, Commvault, Netwrix Auditor) that export Security and System logs as part of audit retention workflows

Log Enumeration

What is T1654 Log Enumeration?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1654

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

What is T1654 Log Enumeration?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1654

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox