T1591.002 Business Relationships Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1591.002 — Business Relationships Reconnaissance Detection
// Branch 1: OSINT tools executing on managed endpoints that harvest business relationship data
let OSINTToolNames = dynamic([
    "theharvester", "recon-ng", "spiderfoot", "maltego", "dmitry",
    "datasploit", "linkedint", "crosslinked", "linkedin2username",
    "osrframework", "metagoofil", "foca", "inspy"
]);
let OSINTToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (OSINTToolNames)
    or ProcessCommandLine has_any (OSINTToolNames)
    or (FileName in~ ("python.exe", "python3", "python3.exe")
        and ProcessCommandLine has_any ("theharvester", "recon-ng", "spiderfoot", "crosslinked", "linkedin2username", "inspy"))
    or (FileName =~ "java.exe" and ProcessCommandLine has "maltego")
| extend DetectionBranch = "OSINT_Tool_Execution"
| extend ToolIdentified = case(
    ProcessCommandLine has "theharvester", "theHarvester",
    ProcessCommandLine has "recon-ng", "Recon-ng",
    ProcessCommandLine has "spiderfoot", "SpiderFoot",
    ProcessCommandLine has "maltego", "Maltego",
    ProcessCommandLine has "crosslinked", "CrossLinked",
    ProcessCommandLine has "linkedin2username", "linkedin2username",
    ProcessCommandLine has "inspy", "InSpy",
    FileName, FileName
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionBranch, ToolIdentified;
// Branch 2: High-volume automated access to partner/relationship pages on org-controlled web properties
let PartnerPageKeywords = dynamic([
    "/partners", "/partner-", "/partnerships", "/vendors", "/vendor-",
    "/suppliers", "/supply-chain", "/alliances", "/ecosystem",
    "/integrations", "/channel-partners", "/resellers", "/distributors",
    "/clients", "/customers", "/case-studies", "/about/team"
]);
let WebScraping = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where isnotempty(SourceIP)
| where RequestURL has_any (PartnerPageKeywords)
| where not(ipv4_is_private(SourceIP))
| summarize
    RequestCount = count(),
    UniqueURLs = dcount(RequestURL),
    SampledURLs = make_set(RequestURL, 5),
    UserAgents = make_set(RequestClientApplication, 3),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
  by SourceIP, bin(TimeGenerated, 10m)
| where RequestCount > 30 or UniqueURLs > 10
| extend DetectionBranch = "Partner_Page_Scraping"
| extend Timestamp = TimeGenerated
| project Timestamp, SourceIP, RequestCount, UniqueURLs,
          SampledURLs, UserAgents, DetectionBranch;
// Output OSINT tool detections (highest fidelity)
OSINTToolExecution
| sort by Timestamp desc

medium severity low confidence

Data Sources

Process: Process Creation Network Traffic: Network Traffic Content Application Log: Application Log Content Microsoft Defender for Endpoint WAF / Proxy Logs via CommonSecurityLog

Required Tables

DeviceProcessEvents CommonSecurityLog

False Positives

Security researchers or red team operators running authorized OSINT assessments on managed endpoints without pre-authorizing the tool names
Legitimate SEO crawlers (Googlebot, Bingbot, SemRush, Ahrefs) generating high-volume access to partner/client pages — these will dominate WAF logs and must be allow-listed by user-agent and known IP range
Internal marketing or business development staff using tools like Hunter.io browser extensions or LinkedIn Sales Navigator integrations that trigger OSINT tool heuristics
Automated monitoring or uptime-check services that repeatedly fetch partner listing pages as part of website availability monitoring
IT asset management or third-party risk management platforms (BitSight, SecurityScorecard, RiskRecon) that legitimately scrape public partner/vendor pages for continuous monitoring

Splunk

spl

| multisearch
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (CommandLine="*theharvester*" OR CommandLine="*recon-ng*" OR CommandLine="*spiderfoot*"
     OR CommandLine="*maltego*" OR CommandLine="*crosslinked*" OR CommandLine="*linkedin2username*"
     OR CommandLine="*inspy*" OR CommandLine="*dmitry*" OR CommandLine="*datasploit*"
     OR CommandLine="*metagoofil*" OR CommandLine="*osrframework*")
    | eval DetectionBranch="OSINT_Tool_Execution"
    | eval ToolIdentified=case(
        match(lower(CommandLine), "theharvester"), "theHarvester",
        match(lower(CommandLine), "recon-ng"), "Recon-ng",
        match(lower(CommandLine), "spiderfoot"), "SpiderFoot",
        match(lower(CommandLine), "maltego"), "Maltego",
        match(lower(CommandLine), "crosslinked"), "CrossLinked",
        match(lower(CommandLine), "linkedin2username"), "linkedin2username",
        match(lower(CommandLine), "inspy"), "InSpy",
        1==1, Image
      )
    | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionBranch, ToolIdentified
  ]
  [
    search index=web sourcetype="stream:http"
    (uri_path="*/partners*" OR uri_path="*/vendor*" OR uri_path="*/suppliers*"
     OR uri_path="*/alliances*" OR uri_path="*/ecosystem*" OR uri_path="*/integrations*"
     OR uri_path="*/channel-partners*" OR uri_path="*/resellers*" OR uri_path="*/distributors*"
     OR uri_path="*/case-studies*")
    NOT (src_ip="10.*" OR src_ip="172.16.*" OR src_ip="192.168.*")
    | bucket _time span=10m
    | stats count as RequestCount, dc(uri_path) as UniqueURLs,
            values(uri_path) as SampledURLs, values(http_user_agent) as UserAgents
      by src_ip, _time
    | where RequestCount > 30 OR UniqueURLs > 10
    | eval DetectionBranch="Partner_Page_Scraping"
    | eval ToolIdentified="Web Scraper"
    | table _time, src_ip, RequestCount, UniqueURLs, SampledURLs, UserAgents, DetectionBranch, ToolIdentified
  ]
| eval risk_score=case(
    DetectionBranch="OSINT_Tool_Execution", 70,
    DetectionBranch="Partner_Page_Scraping" AND RequestCount > 100, 60,
    DetectionBranch="Partner_Page_Scraping", 40,
    1==1, 30
  )
| sort - risk_score, - _time

medium severity low confidence

Data Sources

Process: Process Creation Network Traffic: Network Traffic Content Sysmon Event ID 1 HTTP Stream / Web Proxy Logs

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational stream:http

False Positives

Authorized red team or penetration testing engagements using OSINT tools on managed endpoints — verify against active engagement records and SOW scope
Web search engine crawlers (Googlebot, Bingbot) and legitimate commercial scanners (Shodan, Censys) accessing public partner pages at high volume — filter by known crawler IP ranges and user-agent strings
Third-party risk management platforms and security rating services making regular sweeps of your public web presence for vendor risk scoring
Sales intelligence tools and CRM integrations (LinkedIn Sales Navigator, ZoomInfo, Clearbit) that employees use daily generating OSINT-adjacent process names
Bug bounty reconnaissance by authorized researchers who have disclosed they are using automated tools within defined scope

Elastic Security (EQL)

eql

process where event.type == "start"
  and (process.name : ("theHarvester*", "maltego*", "recon-ng*", "spiderfoot*", "osrframework*")
   or process.command_line : ("*linkedin*", "*whois*", "*shodan*", "*hunter.io*"))

medium severity low confidence

Data Sources

Elastic Endpoint Security Process events

Required Tables

logs-endpoint.events.process.*

False Positives

Security awareness teams researching employee exposure for training purposes
Authorized OSINT assessments by internal red teams or security consultants
HR or marketing teams performing routine competitive intelligence research
Recruiters using LinkedIn and similar platforms for talent research

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP, username,
  "Image" AS ProcessImage, "CommandLine",
  CASE
    WHEN "Image" ILIKE '%nmap%' OR "Image" ILIKE '%masscan%' THEN 80
    WHEN "Image" ILIKE '%shodan%' OR "Image" ILIKE '%theharvester%' THEN 75
    WHEN "Image" ILIKE '%recon-ng%' OR "Image" ILIKE '%maltego%' THEN 70
    WHEN "CommandLine" ILIKE '%whois%' OR "CommandLine" ILIKE '%dnsenum%' THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Image" ILIKE '%nmap%' THEN 'Network Scanner'
    WHEN "Image" ILIKE '%theharvester%' THEN 'OSINT Harvester'
    WHEN "Image" ILIKE '%maltego%' THEN 'Link Analysis Tool'
    ELSE 'Reconnaissance Tool'
  END AS ToolCategory
FROM events
WHERE eventid = 1
  AND (
    "Image" ILIKE '%nmap%' OR "Image" ILIKE '%masscan%' OR "Image" ILIKE '%nikto%'
    OR "Image" ILIKE '%shodan%' OR "Image" ILIKE '%theharvester%' OR "Image" ILIKE '%recon-ng%'
    OR "Image" ILIKE '%maltego%' OR "Image" ILIKE '%spiderfoot%' OR "CommandLine" ILIKE '%dnsenum%'
    OR "CommandLine" ILIKE '%whois %' OR "CommandLine" ILIKE '%-sV %'
  )
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS

medium severity low confidence

Data Sources

Sysmon Event ID 1 DNS logs Network flow data

Required Tables

events

False Positives

Security awareness teams conducting authorized employee exposure research
Authorized red team OSINT assessments
HR or marketing teams performing competitive intelligence research
Recruiters using professional networks for talent research

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| json auto
| where EventCode = 1
| eval ImageLower = lower(Image)
| eval CmdLower = lower(CommandLine)
| where matches(ImageLower, "nmap|masscan|nikto|shodan|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap")
   or matches(CmdLower, "\-sV |\-O |\-sC |\-p\s+\d|dnsenum|whois |hunter\.io")
| eval ToolCategory = if(matches(ImageLower, "nmap|masscan|zmap"), "Port Scanner",
    if(matches(ImageLower, "theharvester|spiderfoot"), "OSINT Tool",
    if(matches(ImageLower, "nikto"), "Web Scanner", "Recon Tool")))
| eval RiskScore = if(ToolCategory = "Port Scanner", 75,
    if(ToolCategory = "OSINT Tool", 70, 60))
| stats count, values(CommandLine) AS Commands by _sourceHost, User, ToolCategory, RiskScore
| sort by RiskScore desc

medium severity low confidence

Data Sources

Sysmon Event ID 1 DNS logs

Required Tables

_sourceCategory=*sysmon*

False Positives

Authorized OSINT assessments by internal red teams
HR and talent acquisition teams using professional networking tools
Marketing teams conducting authorized competitive intelligence research
Security awareness programs researching employee exposure footprint

Google Chronicle / SecOps

yaral

rule T1591_002_recon_tool {
  meta:
    author = "Detection Engineering"
    description = "Detects execution of reconnaissance and OSINT tools"
    severity = "medium"
    confidence = "low"
    mitre_attack = "T1591.002"
    reference = "https://attack.mitre.org/techniques/T1591/002/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(nmap|masscan|nikto|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap)`) or
      re.regex($e.target.process.command_line, `(?i)(\-sV\s|\-O\s|\-sC\s|dnsenum|whois\s|hunter\.io|shodan)`)
    )

  condition:
    $e
}

medium severity low confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry DNS logs

Required Tables

PROCESS_LAUNCH DNS

False Positives

Authorized OSINT assessments by internal red teams or security consultants
HR teams using professional networking platforms for talent acquisition
Marketing teams conducting authorized competitive intelligence research
Security awareness teams assessing employee digital footprint for training

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
| ImageFileName = /(?i)(nmap|masscan|nikto|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap)/
  OR CommandLine = /(?i)(\-sV\s|\-sC\s|dnsenum|whois\s|hunter\.io|shodan|\-O\s)/
| groupBy([aid, ComputerName, UserName, ImageFileName, CommandLine], function=[count(as=EventCount), min(timestamp, as=FirstSeen)])
| case {
    ImageFileName = /(?i)(nmap|masscan|zmap)/ => ToolCategory := "Port Scanner"; RiskScore := "High";
    ImageFileName = /(?i)(theharvester|spiderfoot)/ => ToolCategory := "OSINT Harvester"; RiskScore := "Medium";
    ImageFileName = /(?i)(nikto)/ => ToolCategory := "Web Scanner"; RiskScore := "High";
    * => ToolCategory := "Recon Tool"; RiskScore := "Medium";
  }
| table([ComputerName, UserName, ImageFileName, ToolCategory, CommandLine, EventCount, RiskScore, FirstSeen])
| sort(RiskScore)

medium severity low confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Process events

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Internal red teams conducting authorized OSINT and social engineering assessments
HR and talent teams using professional platforms for legitimate recruiting activity
Marketing teams gathering authorized competitive intelligence data
Security programs assessing digital footprint exposure for awareness training

Business Relationships

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections