T1591.003 Splunk · SPL

Detect Identify Business Tempo in Splunk

Adversaries may gather information about the victim's business tempo that can be used during targeting. Business tempo information includes operational hours, days of the week, purchase and procurement schedules, and hardware/software shipment timings. Adversaries exploit this intelligence to optimize attack timing (e.g., launching intrusions during off-hours when SOC staffing is reduced), target supply chain shipments, or craft convincing spearphishing pretexts referencing internal operational cadences. While the reconnaissance activity itself typically occurs outside the victim environment — via public websites, social media, direct phishing — detectable artifacts emerge when: (1) organization-owned web properties are systematically scraped for operational content, (2) OSINT enumeration tools run on managed endpoints, or (3) phishing lures referencing business tempo arrive in organizational email. Detection confidence is inherently low due to the external and passive nature of this technique.

MITRE ATT&CK

Tactic: Reconnaissance
Technique: T1591 Gather Victim Org Information
Sub-technique: T1591.003 Identify Business Tempo
Canonical reference: https://attack.mitre.org/techniques/T1591/003/

SPL Detection Query

Splunk (SPL):

(index=proxy OR index=waf OR index=firewall)
  (sourcetype="pan:traffic" OR sourcetype="pan:url" OR sourcetype="cisco:asa" OR sourcetype="stream:http" OR sourcetype="imperva:waf" OR sourcetype=fortigate_traffic)
| eval uri_lower=lower(url)
| where match(uri_lower, "(/contact|/hours|/schedule|/business-hours|/store-hours|/shipping|/delivery|/procurement|/purchasing|/supply-chain|/vendor|/locations|/operations|/logistics|/holiday|/calendar|/availability|/dispatch)")
| eval ua_lower=lower(http_user_agent)
| eval is_bot_ua=if(match(ua_lower, "(python-requests|scrapy|curl/|wget/|libwww|mechanize|go-http-client|java/|okhttp|python-urllib|aiohttp|httpx|playwright|puppeteer|selenium|requests|axios)"), 1, 0)
| eval is_empty_ua=if(isnull(http_user_agent) OR http_user_agent="" OR http_user_agent="-", 1, 0)
| eval is_legit_crawler=if(match(http_user_agent, "(Googlebot|Bingbot|Slurp|DuckDuckBot|Baiduspider|YandexBot|Sogou|facebookexternalhit|LinkedInBot|Twitterbot|Applebot|AhrefsBot|SemrushBot)"), 1, 0)
| where is_legit_crawler=0
| where is_bot_ua=1 OR is_empty_ua=1
| stats
    count as request_count,
    dc(url) as unique_pages,
    values(url) as sampled_urls,
    earliest(_time) as first_seen,
    latest(_time) as last_seen,
    values(http_user_agent) as user_agents
    by src_ip, is_bot_ua, is_empty_ua
| where request_count > 8 OR unique_pages > 4
| eval duration_minutes=round((last_seen - first_seen) / 60, 1)
| eval pages_per_minute=if(duration_minutes > 0, round(request_count / duration_minutes, 2), request_count)
| sort - request_count

Severity: low. Confidence: low.

Detects automated scraping of the organization's operational web pages using Splunk proxy, WAF, or firewall logs. Evaluates HTTP user agents for known automation libraries and for empty or missing agent strings, aggregates by source IP to surface sustained enumeration, and excludes known legitimate search engine and social media crawlers. The index clause must be parenthesized as written above: without the parentheses, SPL's implicit AND binds the sourcetype filter to index=firewall only. Note also that the automation-library list in is_bot_ua is deliberately specific, so a self-declared but unlisted agent such as 'Mozilla/5.0 (compatible; CustomBot/1.0)' (Test 3 below) passes the filter unless a generic token such as bot, crawler or spider is added to that regex after the legitimate-crawler exclusion. Requires web proxy (stream:http), WAF (imperva:waf), or next-gen firewall (pan:url, fortigate_traffic) logs with URI and user agent fields.
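As an added example (not the page's or the detection author's code), the following Python re-implements the filter, grouping and threshold logic of the SPL query above over constructed proxy records, so the user-agent classification and the thresholds can be exercised offline. Field names (src_ip, url, http_user_agent, _time) follow the query; the sample IPs, URLs and timestamps are constructed; the allowlist parameter is an assumed tuning hook the query does not have; and the generic_tokens option adds a bot/crawler/spider pattern that is also not in the query, which is what makes the Test 3 'CustomBot/1.0' agent detectable.

```python
import re
from collections import defaultdict

# Regexes copied from the SPL query's three eval statements.
OPERATIONAL_PATHS = re.compile(
    r"(/contact|/hours|/schedule|/business-hours|/store-hours|/shipping|/delivery"
    r"|/procurement|/purchasing|/supply-chain|/vendor|/locations|/operations"
    r"|/logistics|/holiday|/calendar|/availability|/dispatch)")
AUTOMATION_UA = re.compile(
    r"(python-requests|scrapy|curl/|wget/|libwww|mechanize|go-http-client|java/"
    r"|okhttp|python-urllib|aiohttp|httpx|playwright|puppeteer|selenium|requests|axios)")
LEGIT_CRAWLER = re.compile(
    r"(Googlebot|Bingbot|Slurp|DuckDuckBot|Baiduspider|YandexBot|Sogou"
    r"|facebookexternalhit|LinkedInBot|Twitterbot|Applebot|AhrefsBot|SemrushBot)")
# Assumption (not in the SPL query): generic tokens that catch self-declared bots
# such as "CustomBot/1.0" from Test 3, which the library list above misses.
GENERIC_BOT_TOKENS = re.compile(r"(bot/|crawler|spider)")


def classify_ua(ua, generic_tokens=False):
    """Mirror the is_bot_ua / is_empty_ua / is_legit_crawler evals; returns a 3-tuple."""
    is_empty = 1 if ua is None or ua in ("", "-") else 0
    ua_lower = (ua or "").lower()
    is_bot = 1 if AUTOMATION_UA.search(ua_lower) else 0
    if not is_bot and generic_tokens and GENERIC_BOT_TOKENS.search(ua_lower):
        is_bot = 1
    is_legit = 1 if (ua and LEGIT_CRAWLER.search(ua)) else 0  # case-sensitive, as in SPL
    return is_bot, is_empty, is_legit


def detect_scraping(events, allowlist=frozenset(), generic_tokens=False,
                    min_requests=8, min_pages=4):
    """Filter, group by (src_ip, is_bot_ua, is_empty_ua) and apply the
    request_count > 8 OR unique_pages > 4 thresholds of the stats/where clauses.
    allowlist holds source IPs exempted during tuning (own SEO/uptime tooling)."""
    groups = defaultdict(lambda: {"count": 0, "urls": set(), "uas": set(),
                                  "first": None, "last": None})
    for ev in events:
        if ev["src_ip"] in allowlist or not OPERATIONAL_PATHS.search(ev["url"].lower()):
            continue
        is_bot, is_empty, is_legit = classify_ua(ev.get("http_user_agent"), generic_tokens)
        if is_legit or not (is_bot or is_empty):
            continue
        g = groups[(ev["src_ip"], is_bot, is_empty)]
        g["count"] += 1
        g["urls"].add(ev["url"])
        g["uas"].add(str(ev.get("http_user_agent")))
        t = ev["_time"]
        g["first"] = t if g["first"] is None else min(g["first"], t)
        g["last"] = t if g["last"] is None else max(g["last"], t)
    alerts = []
    for (src_ip, is_bot, is_empty), g in groups.items():
        if g["count"] > min_requests or len(g["urls"]) > min_pages:
            duration = round((g["last"] - g["first"]) / 60, 1)
            ppm = round(g["count"] / duration, 2) if duration > 0 else g["count"]
            alerts.append({"src_ip": src_ip, "is_bot_ua": is_bot, "is_empty_ua": is_empty,
                           "request_count": g["count"], "unique_pages": len(g["urls"]),
                           "sampled_urls": sorted(g["urls"]), "user_agents": sorted(g["uas"]),
                           "duration_minutes": duration, "pages_per_minute": ppm})
    return sorted(alerts, key=lambda a: -a["request_count"])


def _ev(src_ip, url, ua, t):
    """Build one constructed proxy record with the field names the query expects."""
    return {"src_ip": src_ip, "url": url, "http_user_agent": ua, "_time": t}


T0 = 1700000000  # constructed epoch base
SAMPLE_EVENTS = (
    # Test 1 shape: python-requests walking five operational pages in 8 seconds
    [_ev("198.51.100.7", "https://www.example.com" + p, "python-requests/2.31.0", T0 + 2 * i)
     for i, p in enumerate(["/contact", "/hours", "/shipping", "/locations", "/procurement"])]
    # legitimate search crawler paging through /locations: excluded
    + [_ev("203.0.113.9", f"https://www.example.com/locations?page={i}",
           "Mozilla/5.0 (compatible; Googlebot/2.1)", T0 + i) for i in range(10)]
    # Test 3 shape: 8 paths over ~70 s with a spoofed browser string carrying a bot token
    + [_ev("192.0.2.5", "https://www.example.com" + p,
           "Mozilla/5.0 (compatible; CustomBot/1.0)", T0 + 10 * i)
       for i, p in enumerate(["/hours", "/schedule", "/shipping", "/delivery",
                              "/vendor", "/logistics", "/holiday", "/dispatch"])]
    # empty user agent but too few requests and pages to cross a threshold
    + [_ev("10.0.0.3", "https://www.example.com/hours", "-", T0 + 60 * i) for i in range(3)]
    # ordinary browser: neither automation nor empty, dropped by the UA filter
    + [_ev("10.0.0.8", "https://www.example.com/contact",
           "Mozilla/5.0 (Windows NT 10.0) Chrome/120", T0)]
)

if __name__ == "__main__":
    for alert in detect_scraping(SAMPLE_EVENTS, generic_tokens=True):
        print(alert["src_ip"], alert["request_count"], alert["unique_pages"],
              alert["pages_per_minute"], alert["user_agents"])
```

Run with generic_tokens left at its default and only the python-requests source fires; the CustomBot source is dropped before aggregation, and even with the generic token enabled it crosses only the unique_pages threshold, since 8 requests do not satisfy request_count > 8. That is the gap a tuning pass should decide on deliberately rather than discover during Test 3.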

Data Sources

  • Network Traffic: Network Traffic Content
  • Application Log: Application Log Content
  • Web Proxy / WAF Logs

Required Sourcetypes

  • pan:url
  • stream:http
  • imperva:waf
  • fortigate_traffic

False Positives & Tuning

  • Legitimate SEO auditing tools run by the organization's own marketing or web team
  • Internal monitoring and uptime services periodically fetching operational pages
  • Authorized penetration testing or red team exercises scraping the organization's own web presence
  • Vendor or partner integration tools (procurement platforms, logistics APIs) that crawl operational pages for data synchronization
  • Content delivery network health checks and edge caching crawlers with non-standard user agents


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Web Scraping of Organizational Operational Pages with Python Requests

    Expected signal: WAF/proxy logs (CommonSecurityLog or stream:http): HTTP GET requests to each enumerated path from the test host IP with User-Agent 'python-requests/2.31.0'. If the organization uses an outbound proxy, requests will appear in proxy logs. If executed against an internal test server, Apache/Nginx access logs will show the scraping pattern.

  2. Test 2: theHarvester OSINT Enumeration for Business Information

    Expected signal: Sysmon Event ID 1 (if Sysmon installed): Process Create with Image containing 'theharvester' or 'python3' and CommandLine containing '-d example.com'. DeviceProcessEvents in MDE: FileName=python3, ProcessCommandLine containing 'theharvester'. If outbound proxy is in use, DNS queries to bing.com, linkedin.com, yahoo.com from the host.

  3. Test 3: Slow-and-Low Scraping Simulation with curl

    Expected signal: WAF/proxy access logs: 8 sequential HTTP GET requests to operational path patterns over approximately 80 seconds, all from the same source IP. User-Agent 'Mozilla/5.0 (compatible; CustomBot/1.0)', a partially spoofed browser string that still exposes the bot identifier. CommonSecurityLog will show the spread-over-time pattern.

  4. Test 4: Phishing Email Pretext Simulating Business Tempo Elicitation

    Expected signal: File creation event (Sysmon Event ID 11 / DeviceFileEvents): creation of /tmp/df00tech-tempo-phish-draft.txt. This test does not generate network telemetry. In production, actual phishing emails would appear in email gateway logs (O365 MessageTrace, Proofpoint, Mimecast) with subject lines matching the business tempo keyword patterns in the hunting query.
