Detect IP Addresses in Microsoft Sentinel
Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted. Adversaries gather this information via direct collection actions (active scanning, phishing for information) or through online data sets such as WHOIS, ARIN, RIPE, passive DNS repositories, and IP intelligence platforms like Shodan or Censys.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1590 Gather Victim Network Information
- Sub-technique
- T1590.005 IP Addresses
- Canonical reference
- https://attack.mitre.org/techniques/T1590/005/
KQL Detection Query
let IPIntelServices = dynamic([
"shodan.io", "censys.io", "ipinfo.io", "ipapi.co", "ip-api.com",
"ipwhois.io", "bgp.he.net", "arin.net", "ripe.net", "apnic.net",
"lacnic.net", "afrinic.net", "spyse.com", "fofa.info", "zoomeye.org",
"dnsdumpster.com", "hackertarget.com", "viewdns.info", "ipvoid.com",
"whatismyipaddress.com", "ip2location.com", "maxmind.com", "greynoise.io",
"binaryedge.io", "onyphe.io"
]);
let OSINTTools = dynamic([
"nmap", "masscan", "zmap", "theharvester", "recon-ng", "maltego",
"shodan", "censys", "spiderfoot", "amass", "subfinder"
]);
// Branch 1: Outbound connections from managed endpoints to IP intelligence platforms
let EndpointIPIntel = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType in ("ConnectionSuccess", "ConnectionAttempt")
| where RemoteUrl has_any (IPIntelServices)
or RemoteIPType == "Public" and (RemoteUrl has "whois" or RemoteUrl has "ipinfo" or RemoteUrl has "bgp")
| extend DetectionBranch = "EndpointIPIntelLookup"
| project Timestamp, DeviceName, AccountName, RemoteUrl, RemoteIP, RemotePort,
InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 2: OSINT tool execution on managed endpoints (insider threat / compromised endpoint)
let OSINTToolExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (OSINTTools)
or ProcessCommandLine has_any (OSINTTools)
or ProcessCommandLine has_any ("nmap -sn", "nmap -p", "masscan --rate", "zmap -p",
"theharvester -d", "amass enum", "subfinder -d",
"shodan search", "censys search", "spiderfoot -s")
| extend DetectionBranch = "OSINTToolOnEndpoint"
| project Timestamp = Timestamp, DeviceName, AccountName,
RemoteUrl = "", RemoteIP = "", RemotePort = int(0),
InitiatingProcessFileName, InitiatingProcessCommandLine = ProcessCommandLine,
DetectionBranch;
union EndpointIPIntel, OSINTToolExec
| sort by Timestamp descDetects two observable behaviors associated with IP address reconnaissance against an organization. Branch 1 monitors outbound connections from managed endpoints to known IP intelligence and WHOIS platforms (Shodan, Censys, ARIN, RIPE, ipinfo.io, etc.) using DeviceNetworkEvents — this catches insider threat scenarios or compromised endpoints being used as reconnaissance pivot points. Branch 2 monitors process execution of common OSINT tools (nmap, masscan, zmap, theHarvester, amass, Shodan CLI) on managed endpoints using DeviceProcessEvents. Since T1590.005 is a PRE-attack technique that primarily occurs outside the victim network, confidence is set to low — these queries target secondary indicators of reconnaissance activity, not the adversary's direct external actions.
Data Sources
Required Tables
False Positives & Tuning
- Security analysts and threat intelligence teams routinely query Shodan, Censys, ARIN, and RIPE to assess the organization's external attack surface — this is expected and should be allowlisted by user/device
- Network engineers using nmap or masscan for authorized internal network discovery and asset inventory
- Penetration testers performing authorized external assessments will use all of these tools and services legitimately
- IT and DevOps staff querying ipinfo.io or similar APIs in automation scripts to geolocate user traffic or validate IP addresses
Other platforms for T1590.005
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Shodan CLI IP Range Query
Expected signal: DNS query for shodan.io (Sysmon Event ID 22 on Windows / auditd on Linux). Outbound HTTPS connection to shodan.io:443 (Sysmon Event ID 3 / auditd network log). On Linux: auditd EXECVE record for pip and shodan commands. Proxy log entry with cs_host=shodan.io and cs_username if authenticated proxy is in use.
- Test 2ARIN WHOIS IP Block Lookup via curl
Expected signal: DNS resolution of whois.arin.net (Sysmon Event ID 22 / DNS logs). Outbound HTTPS connection to whois.arin.net:443 (Sysmon Event ID 3 / firewall log). HTTP GET request visible in proxy logs with URI path /rest/ip/<target_ip>. On Windows: DeviceNetworkEvents record with RemoteUrl containing 'arin.net'.
- Test 3nmap Ping Sweep of IP Range
Expected signal: Process creation event for nmap with command line containing '-sn' and the target IP range (Sysmon Event ID 1 / auditd EXECVE). File creation event for /tmp/df00tech-nmap-test.xml (Sysmon Event ID 11). ICMP packets visible in network capture or firewall logs (no TCP/UDP — this is ping-only). On Windows: DeviceProcessEvents with FileName='nmap.exe' and ProcessCommandLine containing '-sn'.
- Test 4theHarvester IP and Subdomain Enumeration
Expected signal: Process creation for theHarvester with arguments '-d example.com -b dnsdumpster,bing' (Sysmon Event ID 1 / auditd). Outbound DNS queries and HTTPS connections to dnsdumpster.com and bing.com (Sysmon Event IDs 3, 22). File creation events for /tmp/df00tech-harvester-test.html and /tmp/df00tech-harvester-test.xml. Proxy logs showing connections to dnsdumpster.com with user-agent containing 'theHarvester' or Python requests.
- Test 5BGP.he.net ASN IP Range Discovery
Expected signal: DNS query for bgp.he.net (Sysmon Event ID 22). Outbound HTTPS connection to bgp.he.net:443 (Sysmon Event ID 3 / firewall log). HTTP GET for /AS<number> visible in proxy logs with the target ASN in the URI path. DeviceNetworkEvents record with RemoteUrl containing 'bgp.he.net'.
References (14)
- https://attack.mitre.org/techniques/T1590/005/
- https://www.circl.lu/services/passive-dns/
- https://dnsdumpster.com/
- https://who.is/
- https://www.arin.net/resources/registry/whois/
- https://www.ripe.net/manage-ips-and-asns/
- https://www.shodan.io/
- https://censys.io/
- https://bgp.he.net/
- https://github.com/laramies/theHarvester
- https://nmap.org/docs.html
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-network
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1590.005/T1590.005.md
Unlock Pro Content
Get the full detection package for T1590.005 including response playbook, investigation guide, and atomic red team tests.