Which SIEM platforms have a T1593 detection rule?

df00tech provides T1593 (Search Open Websites/Domains) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Search Open Websites/Domains (T1593)?

Detecting Search Open Websites/Domains requires the following data sources: Microsoft Sentinel (IIS Logs via W3CIISLog), Azure Application Gateway WAF.

What severity and confidence is the T1593 detection?

The T1593 detection is rated medium severity with low confidence.

What are common false positives for T1593?

Common false positives for T1593 include: Legitimate commercial web crawlers and search engine bots (Googlebot, Bingbot, DuckDuckGo) may match known user agent patterns — whitelist verified crawler IP ranges from respective ASNs; Security vendors running authorized external attack surface scans (Qualys, Tenable, Rapid7) will produce reconnaissance-like patterns — maintain an allowlist of authorized scanner IPs; Developers or internal teams using curl, Python requests, or httpx for legitimate API testing or load testing against production endpoints.

T1593: Search Open Websites/Domains — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let KnownReconUserAgents = dynamic(["python-requests", "python-urllib", "go-http-client", "curl/", "wget/", "nuclei", "nikto", "dirbuster", "gobuster", "feroxbuster", "ffuf", "sqlmap", "scrapy", "zgrab", "masscan", "shodan", "censys", "binaryedge", "nmap", "burpsuite", "zap", "httpx", "katana", "subfinder", "amass", "theHarvester", "mechanize", "httplib2", "libwww-perl"]);
let SensitivePaths = dynamic(["/.git", "/.env", "/wp-admin", "/phpmyadmin", "/admin", "/robots.txt", "/sitemap.xml", "/.htaccess", "/web.config", "/backup", "/config", "/.well-known", "/xmlrpc.php", "/wp-login"]);
W3CIISLog
| where TimeGenerated > ago(1h)
| where isnotempty(cIP)
| extend UserAgentLower = tolower(csUserAgent)
| extend IsReconUA = iff(
    csUserAgent has_any (KnownReconUserAgents) or isempty(csUserAgent),
    true, false)
| extend IsSensitivePath = iff(
    csUriStem has_any (SensitivePaths),
    true, false)
| summarize
    TotalRequests = count(),
    UniqueURIs = dcount(csUriStem),
    UniquePaths = make_set(csUriStem, 30),
    ReconUARequests = countif(IsReconUA == true),
    SensitivePathHits = countif(IsSensitivePath == true),
    StatusCodes = make_set(scStatus),
    UserAgents = make_set(csUserAgent, 10),
    FirstRequest = min(TimeGenerated),
    LastRequest = max(TimeGenerated)
    by cIP, bin(TimeGenerated, 1h)
| where TotalRequests > 30 or ReconUARequests > 5 or SensitivePathHits > 3 or UniqueURIs > 25
| extend RiskScore = case(
    ReconUARequests > 20 and SensitivePathHits > 5, "High",
    ReconUARequests > 5 or SensitivePathHits > 3 or UniqueURIs > 50, "Medium",
    "Low")
| project
    TimeGenerated,
    SourceIP = cIP,
    TotalRequests,
    UniqueURIs,
    ReconUARequests,
    SensitivePathHits,
    SampledPaths = UniquePaths,
    UserAgents,
    StatusCodes,
    RiskScore,
    FirstRequest,
    LastRequest
| order by RiskScore asc, TotalRequests desc

Detects automated reconnaissance against public-facing web assets by correlating known OSINT and scanning tool user agents in IIS access logs with high-velocity enumeration patterns, sensitive path probing (/.git, /.env, /admin, /wp-admin), and anomalously high unique URI counts from single source IPs. Targets pre-compromise intelligence gathering consistent with T1593 sub-techniques (social media, search engine dorking, code repository searches) that manifest as automated scraping when adversaries pivot to directly probing your infrastructure.

medium severity low confidence

Data Sources

Microsoft Sentinel (IIS Logs via W3CIISLog) Azure Application Gateway WAF

Required Tables

W3CIISLog

False Positives

Legitimate commercial web crawlers and search engine bots (Googlebot, Bingbot, DuckDuckGo) may match known user agent patterns — whitelist verified crawler IP ranges from respective ASNs
Security vendors running authorized external attack surface scans (Qualys, Tenable, Rapid7) will produce reconnaissance-like patterns — maintain an allowlist of authorized scanner IPs
Developers or internal teams using curl, Python requests, or httpx for legitimate API testing or load testing against production endpoints
Content delivery networks and uptime monitoring services (Pingdom, UptimeRobot, StatusCake) making frequent automated HEAD/GET requests
Partners or customers running automated integrations that access your web endpoints at high frequency

Splunk

spl

index=web (sourcetype="iis" OR sourcetype="apache:access" OR sourcetype="nginx:plus:access" OR sourcetype="access_combined" OR sourcetype="access_combined_wcookie")
| eval ua_lower=lower(http_user_agent)
| eval is_recon_ua=if(
    match(ua_lower, "(python-requests|python-urllib|go-http-client|nuclei|nikto|dirbuster|gobuster|feroxbuster|ffuf|sqlmap|scrapy|zgrab|masscan|shodan|censys|binaryedge|nmap|burpsuite|zaproxy|httpx|katana|subfinder|amass|theharvester|mechanize|libwww-perl|curl\/|wget\/)")
    OR isnull(http_user_agent) OR http_user_agent="-",
    1, 0)
| eval is_sensitive_path=if(
    match(uri_path, "(\/\.git|\/\.env|\/wp-admin|\/phpmyadmin|\/admin|\/robots\.txt|\/sitemap\.xml|\/\.htaccess|\/web\.config|\/backup|\/config|\/xmlrpc\.php|\/wp-login|\/\.well-known)"),
    1, 0)
| bin _time span=1h
| stats
    count as total_requests,
    dc(uri_path) as unique_uris,
    sum(is_recon_ua) as recon_ua_requests,
    sum(is_sensitive_path) as sensitive_path_hits,
    values(http_user_agent) as user_agents,
    values(status) as status_codes,
    values(uri_path) as sampled_paths,
    min(_time) as first_request,
    max(_time) as last_request
    by _time, src_ip
| where total_requests > 30 OR recon_ua_requests > 5 OR sensitive_path_hits > 3 OR unique_uris > 25
| eval risk_score=case(
    recon_ua_requests > 20 AND sensitive_path_hits > 5, "High",
    recon_ua_requests > 5 OR sensitive_path_hits > 3 OR unique_uris > 50, "Medium",
    1=1, "Low")
| table _time, src_ip, total_requests, unique_uris, recon_ua_requests, sensitive_path_hits, user_agents, status_codes, risk_score, first_request, last_request
| sort - risk_score total_requests

Correlates web server access logs (IIS, Apache, Nginx) against known reconnaissance tool user agent strings and sensitive path enumeration patterns. Groups requests by source IP in 1-hour windows and scores based on request volume, known OSINT tool fingerprints, and hits against sensitive disclosure endpoints. Surfaces automated pre-attack reconnaissance consistent with adversary OSINT collection prior to phishing or initial access.

medium severity low confidence

Data Sources

Web Server Logs (IIS/Apache/Nginx) Splunk Stream

Required Sourcetypes

iis access_combined nginx:plus:access

False Positives

Authorized security assessment firms conducting external vulnerability scans — coordinate with security team to maintain scanner IP allowlist
Search engine crawlers (Googlebot, Bingbot) with legitimate high-frequency enumeration patterns
Internal CI/CD pipelines or smoke test frameworks that perform automated HTTP checks against production endpoints
API monitoring tools (Postman, Insomnia automated runners) used by developers for production health checks

Elastic Security (EQL)

eql

// T1593 — Search Open Websites
any where event.dataset : ("iis.access", "apache_http_server.access")
  and (user_agent.original : ("python-requests*", "go-http-client*", "curl/*", "nuclei*",
    "nikto*", "dirbuster*", "gobuster*", "scrapy*", "masscan*")
  or url.path : ("/.git/*", "/.env", "/wp-admin/*", "/robots.txt", "/sitemap.xml",
    "/.htaccess", "/web.config", "/backup/*", "/config/*"))

Elastic EQL detection for Search Open Websites/Domains (T1593). Translates the Microsoft Sentinel KQL logic to Elastic Common Schema (ECS) field mappings for use in Elastic SIEM. Targets the same behavioral indicators across process creation, network, and authentication event types.

medium severity low confidence

Data Sources

Web Server Logs IIS Logs

Required Tables

logs-apache_http_server.* logs-iis.access-*

False Positives

Legitimate commercial web crawlers and search engine bots (Googlebot, Bingbot, DuckDuckGo) may match known user agent patterns — whitelist verified crawler IP ranges from respective ASNs
Security vendors running authorized external attack surface scans (Qualys, Tenable, Rapid7) will produce reconnaissance-like patterns — maintain an allowlist of authorized scanner IPs
Developers or internal teams using curl, Python requests, or httpx for legitimate API testing or load testing against production endpoints
Content delivery networks and uptime monitoring services (Pingdom, UptimeRobot, StatusCake) making frequent automated HEAD/GET requests

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("useragent") ILIKE '%python-requests%' OR LOWER("useragent") ILIKE '%nuclei%' OR LOWER("requesturl") ILIKE '%.git%' OR LOWER("requesturl") ILIKE '%.env%' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("useragent") ILIKE '%python-requests%' OR LOWER("useragent") ILIKE '%nuclei%' OR LOWER("requesturl") ILIKE '%.git%' OR LOWER("requesturl") ILIKE '%.env%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

QRadar AQL detection for Search Open Websites/Domains (T1593). SQL-like syntax queries the QRadar events store, correlating log source telemetry with risk scoring to surface reconnaissance and attack patterns. Filters out noise from internal SIM and rule engine log sources.

medium severity low confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Legitimate commercial web crawlers and search engine bots (Googlebot, Bingbot, DuckDuckGo) may match known user agent patterns — whitelist verified crawler IP ranges from respective ASNs
Security vendors running authorized external attack surface scans (Qualys, Tenable, Rapid7) will produce reconnaissance-like patterns — maintain an allowlist of authorized scanner IPs
Developers or internal teams using curl, Python requests, or httpx for legitimate API testing or load testing against production endpoints
Content delivery networks and uptime monitoring services (Pingdom, UptimeRobot, StatusCake) making frequent automated HEAD/GET requests

Sumo Logic CSE

sql

_sourceCategory=*web* OR _sourceCategory=*iis* OR _sourceCategory=*apache*
| parse regex "(?<client_ip>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) - (?<user>[^ ]+) .* \"(?<method>[A-Z]+) (?<uri>[^ ]+).*\" (?<status>\\d+)"
| count by client_ip, uri
| sort by _count desc

Sumo Logic detection for Search Open Websites/Domains (T1593). Uses _sourceCategory path filtering for flexible log routing compatibility, with JSON field extraction and statistical aggregation to surface search open websites/domains patterns. Designed for the Sumo Logic Cloud SIEM platform.

medium severity low confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

web/access iis/access

False Positives

Legitimate commercial web crawlers and search engine bots (Googlebot, Bingbot, DuckDuckGo) may match known user agent patterns — whitelist verified crawler IP ranges from respective ASNs
Security vendors running authorized external attack surface scans (Qualys, Tenable, Rapid7) will produce reconnaissance-like patterns — maintain an allowlist of authorized scanner IPs
Developers or internal teams using curl, Python requests, or httpx for legitimate API testing or load testing against production endpoints
Content delivery networks and uptime monitoring services (Pingdom, UptimeRobot, StatusCake) making frequent automated HEAD/GET requests

Google Chronicle / SecOps

yaral

rule t1593_search_open_websites_domains {
  meta:
    author = "df00tech"
    description = "Detects Search Open Websites/Domains (T1593)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1593"
    confidence = "low"
    severity = "medium"
  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.principal.ip != ""
  condition:
    $e
}

Google Chronicle YARA-L 2.0 detection rule for Search Open Websites/Domains (T1593). Uses Unified Data Model (UDM) event field mappings to detect the same behavioral patterns as the KQL rule, with Chronicle's temporal matching and entity correlation capabilities.

medium severity low confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

NETWORK_HTTP NETWORK_CONNECTION

False Positives

Legitimate commercial web crawlers and search engine bots (Googlebot, Bingbot, DuckDuckGo) may match known user agent patterns — whitelist verified crawler IP ranges from respective ASNs
Security vendors running authorized external attack surface scans (Qualys, Tenable, Rapid7) will produce reconnaissance-like patterns — maintain an allowlist of authorized scanner IPs
Developers or internal teams using curl, Python requests, or httpx for legitimate API testing or load testing against production endpoints
Content delivery networks and uptime monitoring services (Pingdom, UptimeRobot, StatusCake) making frequent automated HEAD/GET requests

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /python|curl|wget|nmap|masscan/i
| TechniqueLabel := "T1593 - Reconnaissance"
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])

CrowdStrike LogScale (Falcon) CQL detection for Search Open Websites/Domains (T1593). Uses CrowdStrike event simpleName taxonomy with regex-based field filtering, groupBy aggregation, and case-based risk classification. Designed for the Falcon platform's LogScale query language.

medium severity low confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

HttpRequest ProcessRollup2

False Positives

Legitimate commercial web crawlers and search engine bots (Googlebot, Bingbot, DuckDuckGo) may match known user agent patterns — whitelist verified crawler IP ranges from respective ASNs
Security vendors running authorized external attack surface scans (Qualys, Tenable, Rapid7) will produce reconnaissance-like patterns — maintain an allowlist of authorized scanner IPs
Developers or internal teams using curl, Python requests, or httpx for legitimate API testing or load testing against production endpoints
Content delivery networks and uptime monitoring services (Pingdom, UptimeRobot, StatusCake) making frequent automated HEAD/GET requests

Search Open Websites/Domains

What is T1593 Search Open Websites/Domains?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1593

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (3)

Related Techniques

Same Tactic: Reconnaissance

Popular Detections

What is T1593 Search Open Websites/Domains?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1593

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (3)

Related Techniques

Same Tactic: Reconnaissance

Popular Detections

Get new detections in your inbox