> For the complete documentation index, see [llms.txt](https://manuals.blusapphire.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://manuals.blusapphire.io/blugenie/artifacts/tactical-artifacts-by-category/eventlog-query.md).

# EventLog Query

- [Query for Process execution from unusual directories](https://manuals.blusapphire.io/blugenie/artifacts/tactical-artifacts-by-category/eventlog-query/query-for-process-execution-from-unusual-directories.md): AID2201222048.yaml
- [Query suspicious programs processed by the Task Scheduler using the Event Log](https://manuals.blusapphire.io/blugenie/artifacts/tactical-artifacts-by-category/eventlog-query/query-suspicious-programs-processed-by-the-task-scheduler-using-the-event-log.md): AID2201251952.YAML
- [Query for unusual instances of rundll32.exe via the Event Log](https://manuals.blusapphire.io/blugenie/artifacts/tactical-artifacts-by-category/eventlog-query/query-for-unusual-instances-of-rundll32.exe-via-the-event-log.md)
- [Query for Unusual Instances of rundll32.exe making outbound network connections using SysMon Data](https://manuals.blusapphire.io/blugenie/artifacts/tactical-artifacts-by-category/eventlog-query/query-for-unusual-instances-of-rundll32.exe-making-outbound-network-connections-using-sysmon-data.md): AID2201251645.YAML
- [Query Suspicious Powershell Command Line Executions](https://manuals.blusapphire.io/blugenie/artifacts/tactical-artifacts-by-category/eventlog-query/query-suspicious-powershell-command-line-executions.md): AID2201251845.YAML
- [Query the Windows System Log for 104, 517, 1102](https://manuals.blusapphire.io/blugenie/artifacts/tactical-artifacts-by-category/eventlog-query/query-the-windows-system-log-for-104-517-1102.md): AID2201232238.YAML
