T1590.005 Sumo Logic CSE · Sumo

Detect IP Addresses in Sumo Logic CSE

Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and/or where/how their publicly-facing infrastructure is hosted. Adversaries gather this information via direct collection actions (active scanning, phishing for information) or through online data sets such as WHOIS, ARIN, RIPE, passive DNS repositories, and IP intelligence platforms like Shodan or Censys.

MITRE ATT&CK

Tactic: Reconnaissance
Technique: T1590 Gather Victim Network Information
Sub-technique: T1590.005 IP Addresses
Canonical reference: https://attack.mitre.org/techniques/T1590/005/

Sumo Detection Query

Sumo Logic CSE (Sumo)
(_sourceCategory=*proxy* OR _sourceCategory=*web/gateway* OR _sourceCategory=*endpoint/windows* OR _sourceCategory=*sysmon*)
| where (http_hostname in ("shodan.io", "censys.io", "ipinfo.io", "ipapi.co",
    "ip-api.com", "ipwhois.io", "bgp.he.net", "arin.net", "ripe.net",
    "apnic.net", "lacnic.net", "afrinic.net", "spyse.com", "fofa.info",
    "zoomeye.org", "dnsdumpster.com", "hackertarget.com", "viewdns.info",
    "ipvoid.com", "whatismyipaddress.com", "ip2location.com", "maxmind.com",
    "greynoise.io", "binaryedge.io", "onyphe.io"))
  OR (baseImage matches "*nmap*" OR baseImage matches "*masscan*" OR baseImage matches "*zmap*"
    OR baseImage matches "*theharvester*" OR baseImage matches "*amass*"
    OR baseImage matches "*subfinder*" OR baseImage matches "*spiderfoot*"
    OR baseImage matches "*recon-ng*")
  OR (commandLine matches "*shodan search*" OR commandLine matches "*censys search*"
    OR commandLine matches "*nmap -sn*" OR commandLine matches "*masscan --rate*"
    OR commandLine matches "*theharvester -d*" OR commandLine matches "*amass enum*"
    OR commandLine matches "*subfinder -d*")
| if(!isEmpty(http_hostname), "IPIntelWebRequest", "OSINTToolExecution") as detection_branch
| fields _messagetime, srcDevice_hostname, dstDevice_hostname, user_username,
    http_hostname, http_url, baseImage, commandLine, detection_branch
| sort by _messagetime desc
Severity: medium. Confidence: medium.

Sumo Logic Cloud SIEM Enterprise (CSE) query spanning proxy and Windows endpoint log source categories. Uses CSE normalised schema fields: http_hostname and http_url detect outbound HTTP requests to known IP intelligence and OSINT platforms; baseImage and commandLine detect network reconnaissance tool execution on managed hosts. Both branches are evaluated in a single query with a computed detection_branch label. The query relies on Sumo Logic CSE normalisation mapping proxy access logs (Blue Coat, Squid, Palo Alto, Zscaler) to the http_hostname field and Sysmon EventCode 1 logs to the baseImage and commandLine fields.

Data Sources

  • Sumo Logic Cloud SIEM Enterprise (CSE) normalised records
  • Proxy logs via Sumo Logic Installed Collector or OpenTelemetry agent (Blue Coat, Squid, Zscaler)
  • Windows Sysmon via Sumo Logic Installed Collector with _sourceCategory=*sysmon*
  • Palo Alto Networks firewall URL filtering logs

Required Tables

  • Sumo Logic CSE normalised schema with http_hostname field (from proxy/firewall sources)
  • Sumo Logic CSE normalised schema with baseImage and commandLine fields (from Sysmon EventCode 1)
  • _sourceCategory=*proxy* or *web/gateway*
  • _sourceCategory=*endpoint/windows* or *sysmon*

False Positives & Tuning

  • Security engineers or pentesters running theHarvester, Amass, or Subfinder for authorised external recon against the organisation's own domains will trigger the OSINTToolExecution branch — cross-reference with the security engagement calendar and suppress by srcDevice_hostname for the authorised testing asset.
  • MaxMind GeoIP lookups embedded in web application frameworks, CDN edge nodes, or cloud services generate outbound connections to maxmind.com for request geolocation — these are expected and high-volume; filter by srcDevice_hostname or user_username for known application service accounts.
  • Browser-based navigation to arin.net, ripe.net, or bgp.he.net by any user for BGP route lookups or IP ownership research will produce http_hostname hits — tune by correlating with the baseImage field to restrict to non-browser parent processes, or add user_username exclusions for network engineering teams.
  • Automated infrastructure-as-code validation pipelines (Terraform, Ansible, Pulumi) that run nmap for connectivity checks during environment provisioning will match baseImage patterns — filter by commandLine prefix for known provisioning tool parent process names.
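As an added example (not part of this page's detection package and not Sumo Logic's code), the following Python re-implements the query's where clause and its if() label over a few constructed CSE-style records, then applies the suppressions suggested in the False Positives list above. The hostname set and wildcard patterns are copied from the query; the asset name pentest-jump01, the service account svc-geoip, the record contents (built from the telemetry the Testing Methodology section describes for Tests 2 and 3) and the suffix_match option are assumptions. One thing the simulation makes visible: the query's in() list compares http_hostname exactly, so a request to whois.arin.net (the hostname Test 2 expects) only fires if the collector's normalisation reduces the hostname to the registered domain; suffix_match=True shows the broader behaviour a tuned rule could adopt.

```python
# Added example: Python simulation of the T1590.005 Sumo CSE query and its tuning.
# Not Sumo Logic's code; all records, host names and account names below are constructed.
from fnmatch import fnmatchcase

# Hostname list taken from the query's in() clause (the query compares exactly).
IP_INTEL_HOSTS = {
    "shodan.io", "censys.io", "ipinfo.io", "ipapi.co", "ip-api.com", "ipwhois.io",
    "bgp.he.net", "arin.net", "ripe.net", "apnic.net", "lacnic.net", "afrinic.net",
    "spyse.com", "fofa.info", "zoomeye.org", "dnsdumpster.com", "hackertarget.com",
    "viewdns.info", "ipvoid.com", "whatismyipaddress.com", "ip2location.com",
    "maxmind.com", "greynoise.io", "binaryedge.io", "onyphe.io",
}
# Wildcard patterns taken from the query's baseImage and commandLine `matches` clauses.
IMAGE_PATTERNS = ["*nmap*", "*masscan*", "*zmap*", "*theharvester*", "*amass*",
                  "*subfinder*", "*spiderfoot*", "*recon-ng*"]
CMDLINE_PATTERNS = ["*shodan search*", "*censys search*", "*nmap -sn*", "*masscan --rate*",
                    "*theharvester -d*", "*amass enum*", "*subfinder -d*"]

# Tuning exclusions from the False Positives list (assumed names, not from the page).
AUTHORISED_RECON_HOSTS = {"pentest-jump01"}   # authorised external-recon testing asset
GEOIP_SERVICE_USERS = {"svc-geoip"}           # app service account doing MaxMind lookups


def _glob(value, pattern):
    """Case-insensitive wildcard match; a missing field never matches.
    Case folding is this simulation's choice: confirm how `matches` behaves in your tenant."""
    return bool(value) and fnmatchcase(value.lower(), pattern.lower())


def hostname_hit(hostname, suffix_match=False):
    """Exact match mirrors the query's in(); suffix_match also accepts subdomains
    such as whois.arin.net, which the exact comparison does not."""
    if not hostname:
        return False
    host = hostname.lower().rstrip(".")
    if host in IP_INTEL_HOSTS:
        return True
    return suffix_match and any(host.endswith("." + d) for d in IP_INTEL_HOSTS)


def classify(record, suffix_match=False):
    """Return the detection_branch label the query would assign, or None if the where clause fails."""
    host = record.get("http_hostname")
    matched = (hostname_hit(host, suffix_match)
               or any(_glob(record.get("baseImage"), p) for p in IMAGE_PATTERNS)
               or any(_glob(record.get("commandLine"), p) for p in CMDLINE_PATTERNS))
    if not matched:
        return None
    # The query labels by presence of http_hostname, not by which clause matched.
    return "IPIntelWebRequest" if host else "OSINTToolExecution"


def is_suppressed(record, branch):
    """Apply the tuning suggestions: authorised recon asset, GeoIP service account."""
    if branch == "OSINTToolExecution" and record.get("srcDevice_hostname") in AUTHORISED_RECON_HOSTS:
        return True
    host = (record.get("http_hostname") or "").lower()
    if branch == "IPIntelWebRequest" and host == "maxmind.com" \
            and record.get("user_username") in GEOIP_SERVICE_USERS:
        return True
    return False


def run(records, suffix_match=False):
    """Return (record id, branch, suppressed) for each record the query would surface, in order."""
    out = []
    for rec in records:
        branch = classify(rec, suffix_match)
        if branch:
            out.append((rec["id"], branch, is_suppressed(rec, branch)))
    return out


SAMPLE_RECORDS = [  # constructed records using the CSE field names the query selects
    {"id": "r1", "srcDevice_hostname": "wks-0421", "user_username": "alice",
     "http_hostname": "shodan.io", "http_url": "https://shodan.io/search"},
    {"id": "r2", "srcDevice_hostname": "wks-0422", "user_username": "bob",      # Test 2 shape
     "http_hostname": "whois.arin.net", "http_url": "https://whois.arin.net/rest/ip/203.0.113.7"},
    {"id": "r3", "srcDevice_hostname": "wks-0777", "user_username": "carol",    # Test 3 shape
     "baseImage": "C:\\Tools\\nmap.exe", "commandLine": "nmap -sn 203.0.113.0/24"},
    {"id": "r4", "srcDevice_hostname": "pentest-jump01", "user_username": "dave",
     "baseImage": "/usr/bin/theHarvester", "commandLine": "theHarvester -d example.com -b dnsdumpster,bing"},
    {"id": "r5", "srcDevice_hostname": "app-web-03", "user_username": "svc-geoip",
     "http_hostname": "maxmind.com", "http_url": "https://maxmind.com/"},
    {"id": "r6", "srcDevice_hostname": "wks-0100", "user_username": "erin",     # benign browser start
     "baseImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "commandLine": "firefox.exe"},
]

if __name__ == "__main__":
    for row in run(SAMPLE_RECORDS):
        print(row)
    print("with suffix matching:", [r[0] for r in run(SAMPLE_RECORDS, suffix_match=True)])
```

Running it surfaces r1, r3, r4 and r5 under exact matching, with r4 and r5 flagged as suppressed by the tuning rules; only with suffix_match=True does r2 (the whois.arin.net request) appear, which is the check to make before relying on Test 2 as validation of this rule.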

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Shodan CLI IP Range Query

    Expected signal: DNS query for shodan.io (Sysmon Event ID 22 on Windows / auditd on Linux). Outbound HTTPS connection to shodan.io:443 (Sysmon Event ID 3 / auditd network log). On Linux: auditd EXECVE record for pip and shodan commands. Proxy log entry with cs_host=shodan.io and cs_username if authenticated proxy is in use.

  2. Test 2: ARIN WHOIS IP Block Lookup via curl

    Expected signal: DNS resolution of whois.arin.net (Sysmon Event ID 22 / DNS logs). Outbound HTTPS connection to whois.arin.net:443 (Sysmon Event ID 3 / firewall log). HTTP GET request visible in proxy logs with URI path /rest/ip/<target_ip>. On Windows: DeviceNetworkEvents record with RemoteUrl containing 'arin.net'.

  3. Test 3: nmap Ping Sweep of IP Range

    Expected signal: Process creation event for nmap with command line containing '-sn' and the target IP range (Sysmon Event ID 1 / auditd EXECVE). File creation event for /tmp/df00tech-nmap-test.xml (Sysmon Event ID 11). ICMP packets visible in network capture or firewall logs (no TCP/UDP — this is ping-only). On Windows: DeviceProcessEvents with FileName='nmap.exe' and ProcessCommandLine containing '-sn'.

  4. Test 4: theHarvester IP and Subdomain Enumeration

    Expected signal: Process creation for theHarvester with arguments '-d example.com -b dnsdumpster,bing' (Sysmon Event ID 1 / auditd). Outbound DNS queries and HTTPS connections to dnsdumpster.com and bing.com (Sysmon Event IDs 3, 22). File creation events for /tmp/df00tech-harvester-test.html and /tmp/df00tech-harvester-test.xml. Proxy logs showing connections to dnsdumpster.com with user-agent containing 'theHarvester' or Python requests.

  5. Test 5: BGP.he.net ASN IP Range Discovery

    Expected signal: DNS query for bgp.he.net (Sysmon Event ID 22). Outbound HTTPS connection to bgp.he.net:443 (Sysmon Event ID 3 / firewall log). HTTP GET for /AS<number> visible in proxy logs with the target ASN in the URI path. DeviceNetworkEvents record with RemoteUrl containing 'bgp.he.net'.
