Detect Identify Business Tempo in Sumo Logic CSE
Adversaries may gather information about the victim's business tempo that can be used during targeting. Business tempo information includes operational hours, days of the week, purchase and procurement schedules, and hardware/software shipment timings. Adversaries exploit this intelligence to optimize attack timing (e.g., launching intrusions during off-hours when SOC staffing is reduced), target supply chain shipments, or craft convincing spearphishing pretexts referencing internal operational cadences. While the reconnaissance activity itself typically occurs outside the victim environment — via public websites, social media, direct phishing — detectable artifacts emerge when: (1) organization-owned web properties are systematically scraped for operational content, (2) OSINT enumeration tools run on managed endpoints, or (3) phishing lures referencing business tempo arrive in organizational email. Detection confidence is inherently low due to the external and passive nature of this technique.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1591 Gather Victim Org Information
- Sub-technique
- T1591.003 Identify Business Tempo
- Canonical reference
- https://attack.mitre.org/techniques/T1591/003/
Sumo Detection Query
_sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| json auto
| where EventCode = 1
| eval ImageLower = lower(Image)
| eval CmdLower = lower(CommandLine)
| where matches(ImageLower, "nmap|masscan|nikto|shodan|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap")
or matches(CmdLower, "\-sV |\-O |\-sC |\-p\s+\d|dnsenum|whois |hunter\.io")
| eval ToolCategory = if(matches(ImageLower, "nmap|masscan|zmap"), "Port Scanner",
if(matches(ImageLower, "theharvester|spiderfoot"), "OSINT Tool",
if(matches(ImageLower, "nikto"), "Web Scanner", "Recon Tool")))
| eval RiskScore = if(ToolCategory = "Port Scanner", 75,
if(ToolCategory = "OSINT Tool", 70, 60))
| stats count, values(CommandLine) AS Commands by _sourceHost, User, ToolCategory, RiskScore
| sort by RiskScore descSumo Logic detection for Identify Business Tempo. Detects systematic web scraping of organization-owned operational pages (business hours, shipping schedules, contact pages, procurement information) via WAF and proxy logs in CommonSecurityLog. Identi
Data Sources
Required Tables
False Positives & Tuning
- Authorized OSINT assessments by internal red teams
- HR and talent acquisition teams using professional networking tools
- Marketing teams conducting authorized competitive intelligence research
- Security awareness programs researching employee exposure footprint
Other platforms for T1591.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Web Scraping of Organizational Operational Pages with Python Requests
Expected signal: WAF/proxy logs (CommonSecurityLog or stream:http): HTTP GET requests to each enumerated path from the test host IP with User-Agent 'python-requests/2.31.0'. If the organization uses an outbound proxy, requests will appear in proxy logs. If executed against an internal test server, Apache/Nginx access logs will show the scraping pattern.
- Test 2theHarvester OSINT Enumeration for Business Information
Expected signal: Sysmon Event ID 1 (if Sysmon installed): Process Create with Image containing 'theharvester' or 'python3' and CommandLine containing '-d example.com'. DeviceProcessEvents in MDE: FileName=python3, ProcessCommandLine containing 'theharvester'. If outbound proxy is in use, DNS queries to bing.com, linkedin.com, yahoo.com from the host.
- Test 3Slow-and-Low Scraping Simulation with curl
Expected signal: WAF/proxy access logs: 8 sequential HTTP GET requests to operational path patterns over approximately 80 seconds, all from the same source IP. User-Agent 'Mozilla/5.0 (compatible; CustomBot/1.0)' — partially spoofed browser string that still exposes the bot identifier. CommonSecurityLog will show spread-over-time pattern.
- Test 4Phishing Email Pretext Simulating Business Tempo Elicitation
Expected signal: File creation event (Sysmon Event ID 11 / DeviceFileEvents): creation of /tmp/df00tech-tempo-phish-draft.txt. This test does not generate network telemetry. In production, actual phishing emails would appear in email gateway logs (O365 MessageTrace, Proofpoint, Mimecast) with subject lines matching the business tempo keyword patterns in the hunting query.
References (9)
- https://attack.mitre.org/techniques/T1591/003/
- https://attack.mitre.org/techniques/T1591/
- https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
- https://attack.mitre.org/techniques/T1598/
- https://attack.mitre.org/techniques/T1594/
- https://attack.mitre.org/techniques/T1195/
- https://learn.microsoft.com/en-us/azure/sentinel/connect-common-event-format
- https://github.com/laramies/theHarvester
- https://www.greynoise.io/blog/understanding-internet-background-noise
Unlock Pro Content
Get the full detection package for T1591.003 including response playbook, investigation guide, and atomic red team tests.