Detect Identify Business Tempo in Microsoft Sentinel
Adversaries may gather information about the victim's business tempo that can be used during targeting. Business tempo information includes operational hours, days of the week, purchase and procurement schedules, and hardware/software shipment timings. Adversaries exploit this intelligence to optimize attack timing (e.g., launching intrusions during off-hours when SOC staffing is reduced), target supply chain shipments, or craft convincing spearphishing pretexts referencing internal operational cadences. While the reconnaissance activity itself typically occurs outside the victim environment — via public websites, social media, direct phishing — detectable artifacts emerge when: (1) organization-owned web properties are systematically scraped for operational content, (2) OSINT enumeration tools run on managed endpoints, or (3) phishing lures referencing business tempo arrive in organizational email. Detection confidence is inherently low due to the external and passive nature of this technique.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1591 Gather Victim Org Information
- Sub-technique: T1591.003 Identify Business Tempo
- Canonical reference: https://attack.mitre.org/techniques/T1591/003/
KQL Detection Query
let OperationalPageKeywords = dynamic([
"/contact", "/hours", "/schedule", "/business-hours", "/store-hours",
"/shipping", "/delivery", "/procurement", "/purchasing", "/supply-chain",
"/vendor", "/locations", "/about", "/operations", "/logistics",
"/holiday", "/calendar", "/availability", "/dispatch"
]);
let BotUserAgents = dynamic([
"python-requests", "scrapy", "curl/", "wget/", "libwww",
"mechanize", "httplib", "go-http-client", "java/", "okhttp",
"python-urllib", "aiohttp", "httpx", "requests", "axios",
"playwright", "puppeteer", "selenium"
]);
let LegitCrawlers = dynamic([
"Googlebot", "Bingbot", "Slurp", "DuckDuckBot", "Baiduspider",
"YandexBot", "Sogou", "facebookexternalhit", "LinkedInBot",
"Twitterbot", "Applebot", "AhrefsBot", "SemrushBot"
]);
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceVendor in ("Palo Alto Networks", "Fortinet", "Cisco", "Zscaler", "Akamai", "Imperva", "F5", "Cloudflare")
| where RequestURL has_any (OperationalPageKeywords)
| where not (RequestClientApplication has_any (LegitCrawlers))
| where RequestClientApplication has_any (BotUserAgents)
or isempty(RequestClientApplication)
or not (RequestClientApplication has_any ("Mozilla", "Chrome", "Safari", "Edge", "Firefox"))
| extend IsEmptyUA = isempty(RequestClientApplication)
| extend IsBotUA = RequestClientApplication has_any (BotUserAgents)
| summarize
RequestCount = count(),
UniquePages = dcount(RequestURL),
SampledURLs = make_set(RequestURL, 15),
Earliest = min(TimeGenerated),
Latest = max(TimeGenerated),
DurationMinutes = datetime_diff('minute', max(TimeGenerated), min(TimeGenerated))
by SourceIP, RequestClientApplication, DeviceName, IsEmptyUA, IsBotUA
| where RequestCount > 8 or UniquePages > 4
| extend PagesPerMinute = iff(DurationMinutes > 0, toreal(RequestCount) / toreal(DurationMinutes), toreal(RequestCount))
| sort by RequestCount desc

Detects systematic web scraping of organization-owned operational pages (business hours, shipping schedules, contact pages, procurement information) via WAF and proxy logs in CommonSecurityLog. Identifies non-browser user agents, missing user agents, and automated HTTP clients targeting pages that expose business tempo. Aggregates by source IP to surface persistent scrapers. Excludes known legitimate search engine crawlers. Requires WAF or proxy integration forwarding to Microsoft Sentinel via the CommonSecurityLog connector (Palo Alto, Fortinet, Zscaler, Akamai, Imperva, Cloudflare, F5).
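Added example, not code from the page or from the detection's authors: a Python model of the query's row filters and summarize thresholds, run over constructed WAF-style records, including a client that uses the Test 3 user agent from the Testing Methodology section to show that a string containing "Mozilla" passes the browser check and is therefore not flagged by the UA clauses. The IPs, user agents and timestamps are invented, and Python substring matching stands in for KQL's term-based has_any.

```python
# Added example, not the page's own code: a Python model of the KQL detection above.
# Substring matching stands in for KQL has_any (term-based), so it is an approximation.
from collections import defaultdict
from datetime import datetime, timedelta

OPERATIONAL_PATHS = ("/contact", "/hours", "/schedule", "/shipping", "/procurement", "/locations")
BOT_UAS = ("python-requests", "scrapy", "curl/", "wget/", "go-http-client", "httpx")
LEGIT_CRAWLERS = ("Googlebot", "Bingbot", "AhrefsBot")
BROWSER_TOKENS = ("Mozilla", "Chrome", "Safari", "Edge", "Firefox")

def is_candidate(rec):
    """Row-level filters of the query: operational path, not a known crawler, non-browser UA."""
    ua, url = rec["ua"], rec["url"]
    if not any(p in url for p in OPERATIONAL_PATHS) or any(c in ua for c in LEGIT_CRAWLERS):
        return False
    return ua == "" or any(b in ua for b in BOT_UAS) or not any(t in ua for t in BROWSER_TOKENS)

def detect(records, min_requests=8, min_pages=4):
    """summarize by (SourceIP, UA), then keep groups with RequestCount > 8 or UniquePages > 4."""
    groups = defaultdict(list)
    for rec in filter(is_candidate, records):
        groups[(rec["ip"], rec["ua"])].append(rec)
    alerts = {}
    for (ip, ua), recs in groups.items():
        pages = {r["url"] for r in recs}
        if len(recs) > min_requests or len(pages) > min_pages:
            span = max(r["ts"] for r in recs) - min(r["ts"] for r in recs)
            minutes = int(span.total_seconds() // 60)  # datetime_diff('minute', ...)
            alerts[ip] = {"ua": ua, "count": len(recs), "pages": len(pages),
                          "pages_per_minute": len(recs) / minutes if minutes else float(len(recs))}
    return alerts

def burst(ip, ua, urls, gap_seconds):
    """Constructed records: one GET per URL from ip, gap_seconds apart, starting 02:00 (off-hours)."""
    t0 = datetime(2024, 1, 1, 2, 0)
    return [{"ip": ip, "ua": ua, "url": u, "ts": t0 + timedelta(seconds=i * gap_seconds)}
            for i, u in enumerate(urls)]

SAMPLE_LOG = (
    # fast scraper: 9 hits to 3 pages in under 3 minutes -> RequestCount > 8
    burst("10.0.0.5", "python-requests/2.31.0", ["/contact", "/hours", "/schedule"] * 3, 20)
    # slow-and-low curl: 8 hits to 6 distinct pages -> UniquePages > 4 although count is not > 8
    + burst("203.0.113.7", "curl/8.4.0", OPERATIONAL_PATHS + ("/hours", "/contact"), 10)
    # Test 3 user agent: contains "Mozilla" and no listed bot token, so no UA clause fires
    + burst("198.51.100.9", "Mozilla/5.0 (compatible; CustomBot/1.0)", OPERATIONAL_PATHS + ("/hours", "/contact"), 10)
    # excluded outright: a known search crawler, and an ordinary browser visit
    + burst("66.249.0.1", "Googlebot/2.1", OPERATIONAL_PATHS, 1)
    + burst("192.0.2.3", "Mozilla/5.0 (Windows NT 10.0) Chrome/120", ["/contact"], 1)
)
```

Calling detect(SAMPLE_LOG) returns only the python-requests and curl sources, each with the count, distinct pages and pages-per-minute rate the query would compute; the CustomBot client never reaches the summarize step.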
Data Sources
Required Tables
- CommonSecurityLog (WAF or proxy events forwarded through the CommonSecurityLog/CEF connector)
False Positives & Tuning
- Legitimate SEO auditing tools (Ahrefs, Semrush, Screaming Frog) run by the organization's own marketing team against their own web properties
- Internal web monitoring or uptime services (Pingdom, UptimeRobot, StatusCake) that periodically fetch operational pages to verify availability
- Academic or business intelligence web scrapers conducting market research unrelated to adversarial reconnaissance
- Procurement and vendor management platforms (Coupa, SAP Ariba) that crawl supplier websites to gather operational data for supply chain management
- Load testing and performance testing tools (JMeter, Locust, k6) running against web properties during authorized capacity testing
Testing Methodology
Validate this detection against the 4 adversary techniques from Atomic Red Team listed below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Web Scraping of Organizational Operational Pages with Python Requests
Expected signal: WAF/proxy logs (CommonSecurityLog or stream:http): HTTP GET requests to each enumerated path from the test host IP with User-Agent 'python-requests/2.31.0'. If the organization uses an outbound proxy, requests will appear in proxy logs. If executed against an internal test server, Apache/Nginx access logs will show the scraping pattern.
- Test 2: theHarvester OSINT Enumeration for Business Information
Expected signal: Sysmon Event ID 1 (if Sysmon is installed): Process Create with Image containing 'theharvester' or 'python3' and CommandLine containing '-d example.com'. DeviceProcessEvents in MDE: FileName=python3, ProcessCommandLine containing 'theharvester'. If an outbound proxy is in use, expect DNS queries to bing.com, linkedin.com and yahoo.com from the host.
- Test 3: Slow-and-Low Scraping Simulation with curl
Expected signal: WAF/proxy access logs: 8 sequential HTTP GET requests to operational path patterns over approximately 80 seconds, all from the same source IP, with User-Agent 'Mozilla/5.0 (compatible; CustomBot/1.0)', a partially spoofed browser string that still exposes the bot identifier. CommonSecurityLog will show the requests spread over time rather than as a burst.
- Test 4: Phishing Email Pretext Simulating Business Tempo Elicitation
Expected signal: File creation event (Sysmon Event ID 11 / DeviceFileEvents): creation of /tmp/df00tech-tempo-phish-draft.txt. This test does not generate network telemetry. In production, actual phishing emails would appear in email gateway logs (O365 MessageTrace, Proofpoint, Mimecast) with subject lines matching the business tempo keyword patterns in the hunting query.
References (9)
- https://attack.mitre.org/techniques/T1591/003/
- https://attack.mitre.org/techniques/T1591/
- https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
- https://attack.mitre.org/techniques/T1598/
- https://attack.mitre.org/techniques/T1594/
- https://attack.mitre.org/techniques/T1195/
- https://learn.microsoft.com/en-us/azure/sentinel/connect-common-event-format
- https://github.com/laramies/theHarvester
- https://www.greynoise.io/blog/understanding-internet-background-noise