T1591.003 Identify Business Tempo Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let OperationalPageKeywords = dynamic([
  "/contact", "/hours", "/schedule", "/business-hours", "/store-hours",
  "/shipping", "/delivery", "/procurement", "/purchasing", "/supply-chain",
  "/vendor", "/locations", "/about", "/operations", "/logistics",
  "/holiday", "/calendar", "/availability", "/dispatch"
]);
let BotUserAgents = dynamic([
  "python-requests", "scrapy", "curl/", "wget/", "libwww",
  "mechanize", "httplib", "go-http-client", "java/", "okhttp",
  "python-urllib", "aiohttp", "httpx", "requests", "axios",
  "playwright", "puppeteer", "selenium"
]);
let LegitCrawlers = dynamic([
  "Googlebot", "Bingbot", "Slurp", "DuckDuckBot", "Baiduspider",
  "YandexBot", "Sogou", "facebookexternalhit", "LinkedInBot",
  "Twitterbot", "Applebot", "AhrefsBot", "SemrushBot"
]);
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceVendor in ("Palo Alto Networks", "Fortinet", "Cisco", "Zscaler", "Akamai", "Imperva", "F5", "Cloudflare")
| where RequestURL has_any (OperationalPageKeywords)
| where not (RequestClientApplication has_any (LegitCrawlers))
| where RequestClientApplication has_any (BotUserAgents)
    or isempty(RequestClientApplication)
    or not (RequestClientApplication has_any ("Mozilla", "Chrome", "Safari", "Edge", "Firefox"))
| extend IsEmptyUA = isempty(RequestClientApplication)
| extend IsBotUA = RequestClientApplication has_any (BotUserAgents)
| summarize
    RequestCount = count(),
    UniquePages = dcount(RequestURL),
    SampledURLs = make_set(RequestURL, 15),
    Earliest = min(TimeGenerated),
    Latest = max(TimeGenerated),
    DurationMinutes = datetime_diff('minute', max(TimeGenerated), min(TimeGenerated))
    by SourceIP, RequestClientApplication, DeviceName, IsEmptyUA, IsBotUA
| where RequestCount > 8 or UniquePages > 4
| extend PagesPerMinute = iff(DurationMinutes > 0, toreal(RequestCount) / toreal(DurationMinutes), toreal(RequestCount))
| sort by RequestCount desc

low severity low confidence

Data Sources

Network Traffic: Network Traffic Content Application Log: Application Log Content WAF / Web Proxy CommonSecurityLog

Required Tables

CommonSecurityLog

False Positives

Legitimate SEO auditing tools (Ahrefs, Semrush, Screaming Frog) run by the organization's own marketing team against their own web properties
Internal web monitoring or uptime services (Pingdom, UptimeRobot, StatusCake) that periodically fetch operational pages to verify availability
Academic or business intelligence web scrapers conducting market research unrelated to adversarial reconnaissance
Procurement and vendor management platforms (Coupa, SAP Ariba) that crawl supplier websites to gather operational data for supply chain management
Load testing and performance testing tools (JMeter, Locust, k6) running against web properties during authorized capacity testing

Splunk

spl

index=proxy OR index=waf OR index=firewall
  (sourcetype="pan:traffic" OR sourcetype="pan:url" OR sourcetype="cisco:asa" OR sourcetype="stream:http" OR sourcetype="imperva:waf" OR sourcetype=fortigate_traffic)
| eval uri_lower=lower(url)
| where match(uri_lower, "(/contact|/hours|/schedule|/business-hours|/store-hours|/shipping|/delivery|/procurement|/purchasing|/supply-chain|/vendor|/locations|/operations|/logistics|/holiday|/calendar|/availability|/dispatch)")
| eval ua_lower=lower(http_user_agent)
| eval is_bot_ua=if(match(ua_lower, "(python-requests|scrapy|curl/|wget/|libwww|mechanize|go-http-client|java/|okhttp|python-urllib|aiohttp|httpx|playwright|puppeteer|selenium|requests|axios)"), 1, 0)
| eval is_empty_ua=if(isnull(http_user_agent) OR http_user_agent="" OR http_user_agent="-", 1, 0)
| eval is_legit_crawler=if(match(http_user_agent, "(Googlebot|Bingbot|Slurp|DuckDuckBot|Baiduspider|YandexBot|Sogou|facebookexternalhit|LinkedInBot|Twitterbot|Applebot|AhrefsBot|SemrushBot)"), 1, 0)
| where is_legit_crawler=0
| where is_bot_ua=1 OR is_empty_ua=1
| stats
    count as request_count,
    dc(url) as unique_pages,
    values(url) as sampled_urls,
    earliest(_time) as first_seen,
    latest(_time) as last_seen,
    values(http_user_agent) as user_agents
    by src_ip, is_bot_ua, is_empty_ua
| where request_count > 8 OR unique_pages > 4
| eval duration_minutes=round((last_seen - first_seen) / 60, 1)
| eval pages_per_minute=if(duration_minutes > 0, round(request_count / duration_minutes, 2), request_count)
| sort - request_count

low severity low confidence

Data Sources

Network Traffic: Network Traffic Content Application Log: Application Log Content Web Proxy / WAF Logs

Required Sourcetypes

pan:url stream:http imperva:waf fortigate_traffic

False Positives

Legitimate SEO auditing tools run by the organization's own marketing or web team
Internal monitoring and uptime services periodically fetching operational pages
Authorized penetration testing or red team exercises scraping the organization's own web presence
Vendor or partner integration tools (procurement platforms, logistics APIs) that crawl operational pages for data synchronization
Content delivery network health checks and edge caching crawlers with non-standard user agents

Elastic Security (EQL)

eql

process where event.type == "start"
  and (process.name : ("theHarvester*", "maltego*", "recon-ng*", "spiderfoot*", "osrframework*")
   or process.command_line : ("*linkedin*", "*whois*", "*shodan*", "*hunter.io*"))

low severity low confidence

Data Sources

Elastic Endpoint Security Process events

Required Tables

logs-endpoint.events.process.*

False Positives

Security awareness teams researching employee exposure for training purposes
Authorized OSINT assessments by internal red teams or security consultants
HR or marketing teams performing routine competitive intelligence research
Recruiters using LinkedIn and similar platforms for talent research

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP, username,
  "Image" AS ProcessImage, "CommandLine",
  CASE
    WHEN "Image" ILIKE '%nmap%' OR "Image" ILIKE '%masscan%' THEN 80
    WHEN "Image" ILIKE '%shodan%' OR "Image" ILIKE '%theharvester%' THEN 75
    WHEN "Image" ILIKE '%recon-ng%' OR "Image" ILIKE '%maltego%' THEN 70
    WHEN "CommandLine" ILIKE '%whois%' OR "CommandLine" ILIKE '%dnsenum%' THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Image" ILIKE '%nmap%' THEN 'Network Scanner'
    WHEN "Image" ILIKE '%theharvester%' THEN 'OSINT Harvester'
    WHEN "Image" ILIKE '%maltego%' THEN 'Link Analysis Tool'
    ELSE 'Reconnaissance Tool'
  END AS ToolCategory
FROM events
WHERE eventid = 1
  AND (
    "Image" ILIKE '%nmap%' OR "Image" ILIKE '%masscan%' OR "Image" ILIKE '%nikto%'
    OR "Image" ILIKE '%shodan%' OR "Image" ILIKE '%theharvester%' OR "Image" ILIKE '%recon-ng%'
    OR "Image" ILIKE '%maltego%' OR "Image" ILIKE '%spiderfoot%' OR "CommandLine" ILIKE '%dnsenum%'
    OR "CommandLine" ILIKE '%whois %' OR "CommandLine" ILIKE '%-sV %'
  )
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS

low severity low confidence

Data Sources

Sysmon Event ID 1 DNS logs Network flow data

Required Tables

events

False Positives

Security awareness teams conducting authorized employee exposure research
Authorized red team OSINT assessments
HR or marketing teams performing competitive intelligence research
Recruiters using professional networks for talent research

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| json auto
| where EventCode = 1
| eval ImageLower = lower(Image)
| eval CmdLower = lower(CommandLine)
| where matches(ImageLower, "nmap|masscan|nikto|shodan|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap")
   or matches(CmdLower, "\-sV |\-O |\-sC |\-p\s+\d|dnsenum|whois |hunter\.io")
| eval ToolCategory = if(matches(ImageLower, "nmap|masscan|zmap"), "Port Scanner",
    if(matches(ImageLower, "theharvester|spiderfoot"), "OSINT Tool",
    if(matches(ImageLower, "nikto"), "Web Scanner", "Recon Tool")))
| eval RiskScore = if(ToolCategory = "Port Scanner", 75,
    if(ToolCategory = "OSINT Tool", 70, 60))
| stats count, values(CommandLine) AS Commands by _sourceHost, User, ToolCategory, RiskScore
| sort by RiskScore desc

low severity low confidence

Data Sources

Sysmon Event ID 1 DNS logs

Required Tables

_sourceCategory=*sysmon*

False Positives

Authorized OSINT assessments by internal red teams
HR and talent acquisition teams using professional networking tools
Marketing teams conducting authorized competitive intelligence research
Security awareness programs researching employee exposure footprint

Google Chronicle / SecOps

yaral

rule T1591_003_recon_tool {
  meta:
    author = "Detection Engineering"
    description = "Detects execution of reconnaissance and OSINT tools"
    severity = "low"
    confidence = "low"
    mitre_attack = "T1591.003"
    reference = "https://attack.mitre.org/techniques/T1591/003/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(nmap|masscan|nikto|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap)`) or
      re.regex($e.target.process.command_line, `(?i)(\-sV\s|\-O\s|\-sC\s|dnsenum|whois\s|hunter\.io|shodan)`)
    )

  condition:
    $e
}

low severity low confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry DNS logs

Required Tables

PROCESS_LAUNCH DNS

False Positives

Authorized OSINT assessments by internal red teams or security consultants
HR teams using professional networking platforms for talent acquisition
Marketing teams conducting authorized competitive intelligence research
Security awareness teams assessing employee digital footprint for training

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
| ImageFileName = /(?i)(nmap|masscan|nikto|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap)/
  OR CommandLine = /(?i)(\-sV\s|\-sC\s|dnsenum|whois\s|hunter\.io|shodan|\-O\s)/
| groupBy([aid, ComputerName, UserName, ImageFileName, CommandLine], function=[count(as=EventCount), min(timestamp, as=FirstSeen)])
| case {
    ImageFileName = /(?i)(nmap|masscan|zmap)/ => ToolCategory := "Port Scanner"; RiskScore := "High";
    ImageFileName = /(?i)(theharvester|spiderfoot)/ => ToolCategory := "OSINT Harvester"; RiskScore := "Medium";
    ImageFileName = /(?i)(nikto)/ => ToolCategory := "Web Scanner"; RiskScore := "High";
    * => ToolCategory := "Recon Tool"; RiskScore := "Medium";
  }
| table([ComputerName, UserName, ImageFileName, ToolCategory, CommandLine, EventCount, RiskScore, FirstSeen])
| sort(RiskScore)

low severity low confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Process events

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Internal red teams conducting authorized OSINT and social engineering assessments
HR and talent teams using professional platforms for legitimate recruiting activity
Marketing teams gathering authorized competitive intelligence data
Security programs assessing digital footprint exposure for awareness training

Identify Business Tempo

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections