Detect IP Addresses in IBM QRadar

Adversaries may gather the victim's IP addresses for use during targeting. Public IP addresses are allocated to organizations in blocks or ranges of sequential addresses, and information about an allocation can include which addresses are actually in use. IP addresses also let an adversary infer other details about a victim, such as organizational size, physical location(s), Internet service provider, and where and how publicly-facing infrastructure is hosted. Adversaries gather this information by direct collection (active scanning, phishing for information) or from online data sets such as WHOIS records from ARIN and RIPE, passive DNS repositories, and IP intelligence platforms like Shodan or Censys.

MITRE ATT&CK

Tactic: Reconnaissance
Technique: T1590 Gather Victim Network Information
Sub-technique: T1590.005 IP Addresses
Canonical reference: https://attack.mitre.org/techniques/T1590/005/

QRadar Detection Query

```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  destinationip,
  username,
  "URL" AS request_url,
  "CommandLine" AS process_commandline,
  QIDNAME(qid) AS event_name,
  CASE
    WHEN "URL" IS NOT NULL AND "URL" != '' THEN 'IPIntelWebRequest'
    ELSE 'OSINTToolExecution'
  END AS detection_branch
FROM events
WHERE
  "URL" ILIKE '%shodan.io%' OR "URL" ILIKE '%censys.io%' OR "URL" ILIKE '%ipinfo.io%' OR
  "URL" ILIKE '%ipapi.co%' OR "URL" ILIKE '%ip-api.com%' OR "URL" ILIKE '%bgp.he.net%' OR
  "URL" ILIKE '%arin.net%' OR "URL" ILIKE '%ripe.net%' OR "URL" ILIKE '%apnic.net%' OR
  "URL" ILIKE '%lacnic.net%' OR "URL" ILIKE '%afrinic.net%' OR "URL" ILIKE '%spyse.com%' OR
  "URL" ILIKE '%fofa.info%' OR "URL" ILIKE '%zoomeye.org%' OR "URL" ILIKE '%dnsdumpster.com%' OR
  "URL" ILIKE '%hackertarget.com%' OR "URL" ILIKE '%viewdns.info%' OR "URL" ILIKE '%ipvoid.com%' OR
  "URL" ILIKE '%binaryedge.io%' OR "URL" ILIKE '%greynoise.io%' OR "URL" ILIKE '%onyphe.io%' OR
  "CommandLine" ILIKE '%nmap%' OR "CommandLine" ILIKE '%masscan%' OR
  "CommandLine" ILIKE '%zmap -p%' OR "CommandLine" ILIKE '%theharvester%' OR
  "CommandLine" ILIKE '%amass enum%' OR "CommandLine" ILIKE '%subfinder -d%' OR
  "CommandLine" ILIKE '%shodan search%' OR "CommandLine" ILIKE '%censys search%' OR
  "CommandLine" ILIKE '%spiderfoot%' OR "CommandLine" ILIKE '%recon-ng%'
ORDER BY devicetime DESC
LAST 24 HOURS
```

Severity: medium · Confidence: medium

AQL query over QRadar's URL custom event property (populated by proxy and web gateway DSMs such as Blue Coat ProxySG, Squid, Palo Alto Networks and Zscaler) and the CommandLine custom event property populated by the Microsoft Sysmon DSM (Event ID 1, Process Create). The URL branch flags outbound HTTP requests to IP intelligence and OSINT lookup platforms; the CommandLine branch flags invocation of network reconnaissance tools. The detection_branch CASE expression labels each hit for analyst triage: any event carrying a non-empty URL is labelled IPIntelWebRequest regardless of which branch matched, which is harmless in practice because proxy events carry no CommandLine and Sysmon events carry no URL. Two caveats: the CommandLine custom event property must be mapped in the Sysmon DSM's property expressions, otherwise the process branch silently returns nothing; and the ILIKE patterns are plain substring matches, so '%arin.net%' also matches an unrelated host such as marin.net. If that produces noise, include the delimiter in the pattern (for example '%.arin.net/%') so the match is anchored on the host portion of the URL.
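To check the matching behaviour offline before deploying the AQL, here is the rule's two branches re-implemented in Python and run over a handful of sample events. This is an added example, not part of the page or of IBM QRadar: the events, IP addresses and usernames are constructed, and `strict_host` is an assumed stricter matching mode (host equals the indicator domain or a subdomain of it) that the AQL rule itself does not have. It reproduces the substring false positive on marin.net and the silent miss when the CommandLine property is not mapped.

```python
"""Re-implementation of the two AQL branches in plain Python.

Added example, not part of the QRadar page or IBM's code. The events,
addresses and usernames below are constructed; `strict_host` is an
assumed stricter matching mode that the AQL rule does not have.
"""
from urllib.parse import urlsplit

# Indicator lists copied from the AQL WHERE clause.
IP_INTEL_DOMAINS = (
    "shodan.io", "censys.io", "ipinfo.io", "ipapi.co", "ip-api.com",
    "bgp.he.net", "arin.net", "ripe.net", "apnic.net", "lacnic.net",
    "afrinic.net", "spyse.com", "fofa.info", "zoomeye.org", "dnsdumpster.com",
    "hackertarget.com", "viewdns.info", "ipvoid.com", "binaryedge.io",
    "greynoise.io", "onyphe.io",
)
OSINT_TOOL_PATTERNS = (
    "nmap", "masscan", "zmap -p", "theharvester", "amass enum",
    "subfinder -d", "shodan search", "censys search", "spiderfoot", "recon-ng",
)


def url_matches_substring(url: str) -> bool:
    """Same semantics as URL ILIKE '%domain%': case-insensitive substring."""
    u = url.lower()
    return any(d in u for d in IP_INTEL_DOMAINS)


def url_matches_host(url: str) -> bool:
    """Stricter variant: the request host must be the domain or a subdomain of it."""
    # Some proxy DSMs log the URL without a scheme; add one so urlsplit finds the host.
    host = (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in IP_INTEL_DOMAINS)


def classify(event: dict, strict_host: bool = False):
    """Return the detection_branch label, or None when the event would not match.

    A missing "CommandLine" key models a Sysmon event whose custom property
    is not mapped in the DSM: such an event can never hit the process branch.
    """
    url = event.get("URL") or ""
    cmd = event.get("CommandLine")
    url_hit = url_matches_host(url) if strict_host else url_matches_substring(url)
    cmd_hit = cmd is not None and any(p in cmd.lower() for p in OSINT_TOOL_PATTERNS)
    if not (url_hit or cmd_hit):
        return None
    # Mirrors the AQL CASE: a non-empty URL decides the label, not the branch that matched.
    return "IPIntelWebRequest" if url else "OSINTToolExecution"


# Constructed sample events carrying the fields the AQL SELECT reads.
SAMPLE_EVENTS = [
    {"log_source": "Zscaler", "sourceip": "10.20.30.40", "username": "jdoe",
     "URL": "https://www.shodan.io/search?query=net:203.0.113.0/24"},
    {"log_source": "Sysmon", "sourceip": "10.20.30.41", "username": "jdoe",
     "CommandLine": "nmap -sn 203.0.113.0/24 -oX C:\\temp\\sweep.xml"},
    {"log_source": "Squid", "sourceip": "10.20.30.42", "username": "asmith",
     "URL": "https://www.marin.net/events"},  # substring hit on '%arin.net%'
    {"log_source": "Sysmon", "sourceip": "10.20.30.43", "username": "svc-build",
     "CommandLine": "notepad.exe C:\\Users\\svc-build\\notes.txt"},
    {"log_source": "Sysmon", "sourceip": "10.20.30.44", "username": "jdoe"},  # CEP unmapped
]


def run_detection(events, strict_host: bool = False):
    """Apply the rule to every event; return (sourceip, username, branch) per hit."""
    hits = []
    for e in events:
        branch = classify(e, strict_host)
        if branch:
            hits.append((e["sourceip"], e.get("username"), branch))
    return hits


if __name__ == "__main__":
    for mode in (False, True):
        print("strict_host =", mode)
        for hit in run_detection(SAMPLE_EVENTS, strict_host=mode):
            print("  ", hit)
```

With substring matching the run returns three hits, including the marin.net request; with `strict_host=True` it returns only the Shodan request and the nmap sweep. The last Sysmon event, which has no CommandLine field, never matches in either mode, which is exactly what an unmapped custom property looks like in QRadar: not an error, just zero results.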

Data Sources

  • Blue Coat ProxySG / Web Gateway (DSM)
  • Squid Proxy (DSM)
  • Palo Alto Networks Firewall (DSM)
  • Zscaler Internet Access (DSM)
  • Microsoft Windows Security Event Log (DSM)
  • Microsoft Sysmon (DSM with CommandLine custom property configured)

Required Tables

events

False Positives & Tuning

  • Analysts querying Shodan, Censys, ARIN, or RIPE via browser or CLI from SOC workstations will produce URL hits — allowlist by sourceip for known analyst IP ranges or add a username exclusion list for the threat intelligence team.
  • The CommandLine custom event property must be validated in the Sysmon DSM before relying on process-based detections; if the property is not mapped, the OSINT tool branch silently produces zero results — verify property mapping in the QRadar Admin DSM editor.
  • Vulnerability management scanners (Qualys, Tenable, Rapid7) performing lightweight host discovery that call ip-api.com or MaxMind APIs for geolocation enrichment will generate repeated URL matches — suppress by sourceip for the scanner's dedicated host.
  • Automated SOAR playbooks or enrichment scripts querying ipinfo.io or ip-api.com APIs via HTTP for alert triage will produce URL hits with high frequency — filter by destinationip if the API endpoint resolves to a known stable IP or by username for the SOAR service account.

Testing Methodology

Validate this detection with the five adversary emulation tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Shodan CLI IP Range Query

    Expected signal: DNS query for api.shodan.io (Sysmon Event ID 22 on Windows / auditd on Linux). Outbound HTTPS connection to api.shodan.io:443 (Sysmon Event ID 3 / auditd network log). On Linux: auditd EXECVE records for the pip and shodan commands. Proxy log entry with cs_host=api.shodan.io, plus cs_username if an authenticating proxy is in use.

  2. Test 2: ARIN WHOIS IP Block Lookup via curl

    Expected signal: DNS resolution of whois.arin.net (Sysmon Event ID 22 / DNS logs). Outbound HTTPS connection to whois.arin.net:443 (Sysmon Event ID 3 / firewall log). HTTP GET request visible in proxy logs with URI path /rest/ip/<target_ip>. On Windows: DeviceNetworkEvents record with RemoteUrl containing 'arin.net'.

  3. Test 3: nmap Ping Sweep of IP Range

    Expected signal: Process creation event for nmap with a command line containing '-sn' and the target IP range (Sysmon Event ID 1 / auditd EXECVE). File creation event for /tmp/df00tech-nmap-test.xml (Sysmon Event ID 11). Host discovery probes visible in a network capture or firewall logs: run as root, nmap -sn sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request to each host (ARP requests instead on the local subnet); run unprivileged it falls back to TCP connect attempts to ports 80 and 443. No port scan follows the discovery phase. On Windows: DeviceProcessEvents with FileName='nmap.exe' and ProcessCommandLine containing '-sn'.

  4. Test 4: theHarvester IP and Subdomain Enumeration

    Expected signal: Process creation for theHarvester with arguments '-d example.com -b dnsdumpster,bing' (Sysmon Event ID 1 / auditd). Outbound DNS queries and HTTPS connections to dnsdumpster.com and bing.com (Sysmon Event IDs 22 and 3). File creation events for /tmp/df00tech-harvester-test.html and /tmp/df00tech-harvester-test.xml. Proxy logs showing connections to dnsdumpster.com from a command-line process rather than an interactive browser session; compare the logged user-agent with the host's normal browser string, since the tool's Python HTTP client does not send it.

  5. Test 5: BGP.he.net ASN IP Range Discovery

    Expected signal: DNS query for bgp.he.net (Sysmon Event ID 22). Outbound HTTPS connection to bgp.he.net:443 (Sysmon Event ID 3 / firewall log). HTTP GET for /AS<number> visible in proxy logs with the target ASN in the URI path. DeviceNetworkEvents record with RemoteUrl containing 'bgp.he.net'.
