T1596.004 CDNs Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let EnumThreshold = 40;
let TimeWindow = 5m;
// Branch 1: High-rate 404 responses on Azure Front Door or CDN endpoints — path enumeration
let CdnPathEnum = AzureDiagnostics
| where TimeGenerated > ago(24h)
| where ResourceType in ("FRONTDOORS", "CDNPROFILES")
| where Category in ("FrontdoorAccessLog", "AzureCdnAccessLog")
| where httpStatusCode_d == 404
| summarize
    Count404 = count(),
    UniqueUrls = dcount(requestUri_s),
    SampleUrls = make_set(requestUri_s, 5),
    UserAgents = make_set(userAgent_s, 3)
  by clientIp_s, ResourceId, bin(TimeGenerated, TimeWindow)
| where Count404 > EnumThreshold and UniqueUrls > 15
| extend DetectionType = "CDN_Path_Enumeration"
| project TimeGenerated, clientIp_s, ResourceId, DetectionType, Count404, UniqueUrls, SampleUrls, UserAgents;
// Branch 2: Azure Blob Storage public enumeration — CDN-hosted content exposure
let BlobEnum = StorageBlobLogs
| where TimeGenerated > ago(24h)
| where OperationName == "ListBlobs"
| where StatusCode == 200
| summarize
    ListCount = count(),
    UniqueContainers = dcount(Uri),
    SampleUris = make_set(Uri, 5)
  by CallerIpAddress, AccountName, bin(TimeGenerated, TimeWindow)
| where ListCount > 5
| extend
    DetectionType = "CDN_Storage_Enumeration",
    clientIp_s = CallerIpAddress,
    ResourceId = AccountName
| project TimeGenerated, clientIp_s, ResourceId, DetectionType, ListCount, UniqueContainers, SampleUris;
// Branch 3: Azure CDN / Front Door WAF — blocked reconnaissance probes
let WafBlock = AzureDiagnostics
| where TimeGenerated > ago(24h)
| where ResourceType in ("FRONTDOORS", "APPLICATIONGATEWAYS")
| where Category in ("FrontdoorWebApplicationFirewallLog", "ApplicationGatewayFirewallLog")
| where action_s == "Block" or action_s == "Redirect"
| where ruleName_s has_any ("Scanners", "Crawlers", "ToolDetection", "GenericRFI", "PathTraversal")
| summarize
    BlockCount = count(),
    UniqueRules = dcount(ruleName_s),
    Rules = make_set(ruleName_s, 5)
  by clientIp_s, ResourceId, bin(TimeGenerated, TimeWindow)
| where BlockCount > 10
| extend DetectionType = "CDN_WAF_Recon_Block"
| project TimeGenerated, clientIp_s, ResourceId, DetectionType, BlockCount, UniqueRules, Rules;
// Combine all branches
CdnPathEnum
| union BlobEnum
| union WafBlock
| sort by TimeGenerated desc

medium severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Azure Front Door Access Logs Azure CDN Access Logs Azure Blob Storage Logs Azure WAF Logs

Required Tables

AzureDiagnostics StorageBlobLogs

False Positives

Legitimate web crawlers and SEO bots (Googlebot, Bingbot, Ahrefs) generating high 404 rates on CDN endpoints while discovering site structure
Internal security scanning tools and vulnerability assessments authorized by the security team performing CDN configuration reviews
Load testing and performance testing platforms hitting CDN endpoints with synthetic traffic that generates 404s for non-existent test paths
Application monitoring agents (Pingdom, Datadog Synthetics, New Relic) probing CDN health check endpoints that return 404
CI/CD deployment pipelines enumerating Azure Blob Storage containers to verify asset deployment or perform cleanup tasks

Splunk

spl

| tstats count AS request_count, dc(uri_path) AS unique_paths, values(status) AS statuses
    FROM datamodel=Web
    WHERE nodename=Web.Web
      (Web.status=404 OR Web.status=403)
    BY Web.src, Web.dest, Web.http_user_agent, _time span=5m
| rename Web.src AS src_ip, Web.dest AS dest_host, Web.http_user_agent AS user_agent
| where request_count > 40 AND unique_paths > 15
| eval detection_type="CDN_Path_Enumeration"
| eval recon_tool=case(
    match(user_agent, "(?i)(sqlmap|nikto|dirbuster|gobuster|ffuf|feroxbuster|wfuzz|masscan|nmap|zgrab|shodan|censys|nuclei|curl\/[0-9])"), "known_scanner",
    match(user_agent, "(?i)(python-requests|go-http-client|java\/|libwww-perl|wget\/)"), "scripted_client",
    len(user_agent) < 10 OR isnull(user_agent), "minimal_ua",
    true(), "unknown"
  )
| eval priority=case(
    recon_tool="known_scanner" AND request_count > 100, "high",
    recon_tool="known_scanner", "medium",
    recon_tool="scripted_client" AND unique_paths > 30, "medium",
    true(), "low"
  )
| table _time, src_ip, dest_host, user_agent, request_count, unique_paths, statuses, detection_type, recon_tool, priority
| sort - request_count

medium severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Web: Web Traffic CDN Access Logs via CIM Web Datamodel

Required Sourcetypes

stream:http access_combined ms:azure:adfrontdoor:accesslog

False Positives

Automated SEO crawlers and web indexing services performing routine site discovery that generates high 404 rates
Penetration testing engagements or red team exercises authorized against the organization's CDN infrastructure
Content migration scripts enumerating existing CDN paths to verify asset transfer completeness
Developer tooling and staging environment tests that probe CDN endpoints for cache invalidation verification
Anti-DDoS and bot management services performing CDN health probes that may appear as scanning activity

Elastic Security (EQL)

eql

// T1596.004 — CDN Enumeration
any where event.dataset : "azure.frontdoor_access_log"
  and http.response.status_code == 404
  and url.path : ("/wp-*", "/admin/*", "/api/*", "/.env*", "/.git/*", "/backup*")

medium severity medium confidence

Data Sources

Network Traffic Firewall Logs

Required Tables

logs-network_traffic.* logs-endpoint.events.network-*

False Positives

Legitimate web crawlers and SEO bots (Googlebot, Bingbot, Ahrefs) generating high 404 rates on CDN endpoints while discovering site structure
Internal security scanning tools and vulnerability assessments authorized by the security team performing CDN configuration reviews
Load testing and performance testing platforms hitting CDN endpoints with synthetic traffic that generates 404s for non-existent test paths
Application monitoring agents (Pingdom, Datadog Synthetics, New Relic) probing CDN health check endpoints that return 404

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN "responsecode" = '404' AND (LOWER("requesturl") ILIKE '%/wp-%' OR LOWER("requesturl") ILIKE '%/admin/%' OR LOWER("requesturl") ILIKE '%.env%') THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE ("responsecode" = '404' AND (LOWER("requesturl") ILIKE '%/wp-%' OR LOWER("requesturl") ILIKE '%/admin/%' OR LOWER("requesturl") ILIKE '%.env%'))
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

medium severity medium confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Legitimate web crawlers and SEO bots (Googlebot, Bingbot, Ahrefs) generating high 404 rates on CDN endpoints while discovering site structure
Internal security scanning tools and vulnerability assessments authorized by the security team performing CDN configuration reviews
Load testing and performance testing platforms hitting CDN endpoints with synthetic traffic that generates 404s for non-existent test paths
Application monitoring agents (Pingdom, Datadog Synthetics, New Relic) probing CDN health check endpoints that return 404

Sumo Logic CSE

sql

_sourceCategory=*firewall* OR _sourceCategory=*network*
| json auto
| where !(src_ip matches "10.*") and !(src_ip matches "192.168.*")
| count by src_ip, dest_ip, dest_port
| sort by _count desc

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

network/firewall security/network

False Positives

Legitimate web crawlers and SEO bots (Googlebot, Bingbot, Ahrefs) generating high 404 rates on CDN endpoints while discovering site structure
Internal security scanning tools and vulnerability assessments authorized by the security team performing CDN configuration reviews
Load testing and performance testing platforms hitting CDN endpoints with synthetic traffic that generates 404s for non-existent test paths
Application monitoring agents (Pingdom, Datadog Synthetics, New Relic) probing CDN health check endpoints that return 404

Google Chronicle / SecOps

yaral

rule t1596_004_cdns {
  meta:
    author = "df00tech"
    description = "Detects CDNs (T1596.004)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1596.004"
    confidence = "medium"
    severity = "medium"
  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.principal.ip != ""
  condition:
    $e
}

medium severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

NETWORK_CONNECTION NETWORK_FLOW

False Positives

Legitimate web crawlers and SEO bots (Googlebot, Bingbot, Ahrefs) generating high 404 rates on CDN endpoints while discovering site structure
Internal security scanning tools and vulnerability assessments authorized by the security team performing CDN configuration reviews
Load testing and performance testing platforms hitting CDN endpoints with synthetic traffic that generates 404s for non-existent test paths
Application monitoring agents (Pingdom, Datadog Synthetics, New Relic) probing CDN health check endpoints that return 404

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ["NetworkConnectIP4", "NetworkConnectIP6"]
| not RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| groupBy([RemoteAddressIP4], function=count(as=TotalConns))
| TotalConns > 100
| TechniqueLabel := "T1596.004 - Reconnaissance"
| table([@timestamp, RemoteAddressIP4, TotalConns, TechniqueLabel])

medium severity medium confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

NetworkConnectIP4 ProcessRollup2

False Positives

Legitimate web crawlers and SEO bots (Googlebot, Bingbot, Ahrefs) generating high 404 rates on CDN endpoints while discovering site structure
Internal security scanning tools and vulnerability assessments authorized by the security team performing CDN configuration reviews
Load testing and performance testing platforms hitting CDN endpoints with synthetic traffic that generates 404s for non-existent test paths
Application monitoring agents (Pingdom, Datadog Synthetics, New Relic) probing CDN health check endpoints that return 404

CDNs

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections