T1596.004 Microsoft Sentinel · KQL

Detect CDNs in Microsoft Sentinel

Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor's geographical region. Adversaries may search CDN data to gather actionable information including origin server infrastructure, exposed backend IPs, misconfigured storage buckets hosting sensitive content not covered by the same authentication controls as the primary website, and path structures revealing internal architecture. Information from CDN reconnaissance may reveal opportunities for active scanning, infrastructure compromise, or drive-by attacks targeting CDN-served content.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1596 Search Open Technical Databases
Sub-technique
T1596.004 CDNs
Canonical reference
https://attack.mitre.org/techniques/T1596/004/

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
let EnumThreshold = 40;
let TimeWindow = 5m;
// Branch 1: high-rate 404 responses on Azure Front Door (classic) or Azure CDN endpoints - path enumeration.
// Front Door and CDN access logs emit the status as the string column httpStatusCode_s; column_ifexists()
// also tolerates workspaces where it was ingested as httpStatusCode_d, and keeps the query valid if one is absent.
let CdnPathEnum = AzureDiagnostics
| where TimeGenerated > ago(24h)
| where ResourceType in ("FRONTDOORS", "CDNPROFILES")
| where Category in ("FrontdoorAccessLog", "AzureCdnAccessLog")
| extend StatusCode = toint(column_ifexists("httpStatusCode_s", tostring(column_ifexists("httpStatusCode_d", ""))))
| where StatusCode == 404
| summarize
    Count404 = count(),
    UniqueUrls = dcount(requestUri_s),
    SampleUrls = make_set(requestUri_s, 5),
    UserAgents = make_set(userAgent_s, 3)
  by clientIp_s, ResourceId, bin(TimeGenerated, TimeWindow)
// Both conditions matter: a monitor hammering one missing path produces many 404s but one URL.
| where Count404 > EnumThreshold and UniqueUrls > 15
| extend DetectionType = "CDN_Path_Enumeration"
| project TimeGenerated, clientIp_s, ResourceId, DetectionType, Count404, UniqueUrls, SampleUrls, UserAgents;
// Branch 2: Azure Blob Storage public enumeration - CDN-hosted content exposure.
// Only unauthenticated (Anonymous) listings count; SAS, key and OAuth callers are pipelines and apps.
let BlobEnum = StorageBlobLogs
| where TimeGenerated > ago(24h)
| where OperationName == "ListBlobs"
| where StatusCode == 200
| where AuthenticationType == "Anonymous"
| summarize
    ListCount = count(),
    // Uri carries ?restype=container&comp=list; the path alone identifies the container
    UniqueContainers = dcount(tostring(parse_url(Uri).Path)),
    SampleUris = make_set(Uri, 5)
  by CallerIpAddress, AccountName, bin(TimeGenerated, TimeWindow)
| where ListCount > 5
| extend
    DetectionType = "CDN_Storage_Enumeration",
    clientIp_s = CallerIpAddress,
    ResourceId = AccountName
| project TimeGenerated, clientIp_s, ResourceId, DetectionType, ListCount, UniqueContainers, SampleUris;
// Branch 3: Azure Front Door / Application Gateway WAF - blocked reconnaissance probes.
// The two log types differ: Front Door WAF logs use clientIP_s and ruleName_s, Application Gateway
// uses clientIp_s and ruleGroup_s, and the block action is "Block" vs "Blocked". Normalise before summarising.
let WafBlock = AzureDiagnostics
| where TimeGenerated > ago(24h)
| where ResourceType in ("FRONTDOORS", "APPLICATIONGATEWAYS")
| where Category in ("FrontdoorWebApplicationFirewallLog", "ApplicationGatewayFirewallLog")
| extend
    ClientIp = coalesce(column_ifexists("clientIP_s", ""), column_ifexists("clientIp_s", "")),
    RuleName = coalesce(column_ifexists("ruleName_s", ""), column_ifexists("ruleGroup_s", ""))
| where action_s in ("Block", "Blocked", "Redirect")
// Rule groups that fire on scanner signatures, file-inclusion and protocol probes (CRS 913 / DRS LFI, RFI,
// PROTOCOL-ATTACK). Adjust the list to the managed rule set deployed on the policy.
| where RuleName has_any ("SCANNER-DETECTION", "LFI", "RFI", "PROTOCOL-ATTACK")
| summarize
    BlockCount = count(),
    UniqueRules = dcount(RuleName),
    Rules = make_set(RuleName, 5)
  by ClientIp, ResourceId, bin(TimeGenerated, TimeWindow)
| where BlockCount > 10
| extend DetectionType = "CDN_WAF_Recon_Block", clientIp_s = ClientIp
| project TimeGenerated, clientIp_s, ResourceId, DetectionType, BlockCount, UniqueRules, Rules;
// Combine all branches
CdnPathEnum
| union BlobEnum
| union WafBlock
| sort by TimeGenerated desc
```

Severity: medium · Confidence: medium

Detects CDN reconnaissance using three detection branches against Azure infrastructure: (1) high-rate 404 responses on Azure Front Door or CDN endpoints indicating path/content enumeration, (2) Azure Blob Storage public ListBlobs operations suggesting enumeration of CDN-hosted storage containers, and (3) Azure WAF blocks triggered by known scanning/reconnaissance rule categories. Since T1596.004 is a PRE-attack technique occurring outside the victim's environment, these queries detect victim-side indicators of inbound reconnaissance activity rather than adversary tooling. Requires Azure Diagnostic Settings forwarding Front Door access logs, CDN access logs, WAF logs, and Storage Blob Logs to a Log Analytics workspace connected to Microsoft Sentinel.
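The following is an added example, not code from the page's rule or from Microsoft: it re-implements the three branches of the KQL above in Python (same 5-minute bins, same thresholds) over constructed records, so the thresholds can be exercised without a Sentinel workspace. The record keys mirror the AzureDiagnostics and StorageBlobLogs columns the query uses; the IP addresses, resource ID, account name and rule names are made up, and the substring match on rule names approximates KQL's term-based `has_any`.

```python
"""Offline check of the three-branch CDN reconnaissance logic (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

ENUM_THRESHOLD, UNIQUE_URL_THRESHOLD = 40, 15   # Branch 1: Count404 > 40 and UniqueUrls > 15
LIST_THRESHOLD = 5                              # Branch 2: ListCount > 5
WAF_BLOCK_THRESHOLD = 10                        # Branch 3: BlockCount > 10
TIME_WINDOW = timedelta(minutes=5)
RECON_RULE_TERMS = ("SCANNER-DETECTION", "LFI", "RFI", "PROTOCOL-ATTACK")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def time_bin(ts):
    """Equivalent of bin(TimeGenerated, 5m): floor to the 5-minute boundary."""
    return EPOCH + ((ts - EPOCH) // TIME_WINDOW) * TIME_WINDOW


def _group(rows, key_fields):
    """summarize ... by <key_fields>, bin(TimeGenerated, 5m)."""
    groups = defaultdict(list)
    for r in rows:
        groups[tuple(r[f] for f in key_fields) + (time_bin(r["TimeGenerated"]),)].append(r)
    return groups


def cdn_path_enumeration(access_logs):
    """Branch 1: many 404s across many distinct URIs from one client on one resource."""
    hits = [r for r in access_logs if int(r["httpStatusCode"]) == 404]
    alerts = []
    for (ip, res, b), rows in _group(hits, ("clientIp", "ResourceId")).items():
        uris = {r["requestUri"] for r in rows}
        if len(rows) > ENUM_THRESHOLD and len(uris) > UNIQUE_URL_THRESHOLD:
            alerts.append({"TimeGenerated": b, "clientIp": ip, "ResourceId": res,
                           "DetectionType": "CDN_Path_Enumeration",
                           "Count404": len(rows), "UniqueUrls": len(uris),
                           "UserAgents": sorted({r["userAgent"] for r in rows})[:3]})
    return alerts


def storage_enumeration(blob_logs):
    """Branch 2: repeated successful anonymous ListBlobs against one account."""
    hits = [r for r in blob_logs if r["OperationName"] == "ListBlobs"
            and r["StatusCode"] == 200 and r["AuthenticationType"] == "Anonymous"]
    alerts = []
    for (ip, acct, b), rows in _group(hits, ("CallerIpAddress", "AccountName")).items():
        if len(rows) > LIST_THRESHOLD:
            containers = {urlparse(r["Uri"]).path for r in rows}  # drop ?restype=container&comp=list
            alerts.append({"TimeGenerated": b, "clientIp": ip, "ResourceId": acct,
                           "DetectionType": "CDN_Storage_Enumeration",
                           "ListCount": len(rows), "UniqueContainers": len(containers)})
    return alerts


def waf_recon_blocks(waf_logs):
    """Branch 3: WAF blocks from scanner / LFI / RFI / protocol-attack rule groups."""
    hits = [r for r in waf_logs if r["action"] in ("Block", "Blocked", "Redirect")
            and any(t in r["ruleName"] for t in RECON_RULE_TERMS)]
    alerts = []
    for (ip, res, b), rows in _group(hits, ("clientIp", "ResourceId")).items():
        if len(rows) > WAF_BLOCK_THRESHOLD:
            alerts.append({"TimeGenerated": b, "clientIp": ip, "ResourceId": res,
                           "DetectionType": "CDN_WAF_Recon_Block", "BlockCount": len(rows),
                           "UniqueRules": len({r["ruleName"] for r in rows})})
    return alerts


def run_detection(access_logs, blob_logs, waf_logs):
    """union of the three branches | sort by TimeGenerated desc."""
    alerts = cdn_path_enumeration(access_logs) + storage_enumeration(blob_logs) + waf_recon_blocks(waf_logs)
    return sorted(alerts, key=lambda a: a["TimeGenerated"], reverse=True)


def build_sample_events():
    """Constructed telemetry (not real logs): one scanner plus three benign sources in one 5-minute bin."""
    t0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    fd = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Network/frontdoors/fd-prod"

    def access(ip, ua, n, path):
        return [{"TimeGenerated": t0 + timedelta(seconds=4 * i), "clientIp": ip, "ResourceId": fd,
                 "httpStatusCode": "404", "requestUri": path(i), "userAgent": ua} for i in range(n)]

    access_logs = (access("203.0.113.10", "python-requests/2.31", 60, lambda i: f"/backup/db{i}.sql")  # enumeration
                   + access("198.51.100.7", "Googlebot/2.1", 30, lambda i: f"/old/page{i}")            # crawler, under 40
                   + access("192.0.2.50", "Pingdom.com_bot", 50, lambda i: "/healthz"))                # 50 hits, one URL

    def blob(ip, auth, n):
        return [{"TimeGenerated": t0 + timedelta(seconds=10 * i), "CallerIpAddress": ip, "AccountName": "cdnassets",
                 "OperationName": "ListBlobs", "StatusCode": 200, "AuthenticationType": auth,
                 "Uri": f"https://cdnassets.blob.core.windows.net/c{i}?restype=container&comp=list"} for i in range(n)]

    blob_logs = blob("203.0.113.10", "Anonymous", 8) + blob("10.20.0.5", "AccountKey", 20)  # pipeline uses a key
    waf_logs = [{"TimeGenerated": t0 + timedelta(seconds=5 * i), "clientIp": "203.0.113.10", "ResourceId": fd,
                 "action": "Block", "ruleName": f"Microsoft_DefaultRuleSet-2.1-{g}"}
                for i, g in enumerate(["LFI-930100", "RFI-931100", "PROTOCOL-ATTACK-921110"] * 4)]  # 12 blocks
    return access_logs, blob_logs, waf_logs


if __name__ == "__main__":
    for a in run_detection(*build_sample_events()):
        print(a["DetectionType"], a["clientIp"], a["TimeGenerated"].isoformat())
```

Only the scanner at 203.0.113.10 produces alerts: the crawler stays under the 404 threshold, the monitor exceeds it but against a single URL, and the keyed pipeline is not anonymous. Changing the thresholds at the top and re-running is a quick way to see how much benign traffic a proposed tuning admits before editing the analytics rule.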

Data Sources

Network Traffic: Network Traffic Content
  • Azure Front Door Access Logs
  • Azure CDN Access Logs
  • Azure Blob Storage Logs
  • Azure WAF Logs

Required Tables

  • AzureDiagnostics
  • StorageBlobLogs

False Positives & Tuning

  • Legitimate web crawlers and SEO bots (Googlebot, Bingbot, Ahrefs) generating high 404 rates on CDN endpoints while discovering site structure
  • Internal security scanning tools and vulnerability assessments authorized by the security team performing CDN configuration reviews
  • Load testing and performance testing platforms hitting CDN endpoints with synthetic traffic that generates 404s for non-existent test paths
  • Application monitoring agents (Pingdom, Datadog Synthetics, New Relic) probing CDN health check endpoints that return 404; these only trip Branch 1 when the probes rotate across more than 15 distinct paths within a 5-minute window
  • CI/CD deployment pipelines listing Azure Blob Storage containers to verify asset deployment or perform cleanup; credentialed pipelines log an AuthenticationType of SAS, AccountKey or OAuth rather than Anonymous, which is the column to exclude them on

Testing Methodology

Validate this detection against the four adversary behaviours below, modelled on Atomic Red Team tests. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: CDN Provider Fingerprinting via Response Header Analysis

    Expected signal: Network connections to the target domain on port 443. DNS queries for the target domain and CDN subdomain variants visible in DNS logs; if resolver logging is in place, multiple CNAME lookups for cdn.*, static.*, assets.* subdomains will appear. Little endpoint telemetry is generated, and on the victim side the requests look like ordinary page fetches in the CDN access log, so this test is not expected to trigger the rule on its own.

  2. Test 2: CDN Origin Server IP Discovery via Direct Connection Test

    Expected signal: Sysmon Event ID 3 (Network Connection) or equivalent: outbound TCP connection to the origin IP on port 80. DNS query for origin.example.com visible in DNS logs. The curl process creation (Sysmon Event ID 1) with command line including the target IP and Host header. If the origin server has access logging enabled, an inbound request will appear in origin server access logs without CDN headers.

  3. Test 3: CDN-Hosted Storage Bucket Enumeration

    Expected signal: Network connections to Azure blob.core.windows.net, AWS s3.amazonaws.com and GCS storage.googleapis.com on port 443. Azure Blob Storage access logs (StorageBlobLogs table) will record ListBlobs operations with CallerIpAddress, AuthenticationType Anonymous and StatusCode (200 when the container permits public list access, a 4xx error code otherwise). In AWS environments CloudTrail captures the S3 ListObjectsV2 API calls only if S3 data events are enabled for the bucket. These requests are anonymous and do not require authentication.

  4. Test 4: CDN Subdomain Takeover Opportunity Discovery

    Expected signal: DNS queries for each enumerated subdomain variant visible in DNS resolver logs. Sysmon Event ID 22 (DNS Query) for each lookup if Sysmon is deployed. HTTPS connections (Sysmon Event ID 3) to resolved CDN IP addresses. CDN access logs will show the probe requests; Azure Front Door access logs carry the trackingReference value (the X-Azure-Ref header returned to the client), which identifies the specific Front Door endpoint accessed and helps distinguish live configurations from dangling ones.
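Test 3 in code, as an added example that is not part of the page or of Atomic Red Team. It builds the anonymous container-listing request the test describes (the documented Azure List Blobs call, `GET https://<account>.blob.core.windows.net/<container>?restype=container&comp=list`, sent without an Authorization header), parses the result, and records the StorageBlobLogs rows the victim should expect. The network call is injected as `fetch`, so the parser runs offline against the constructed responses in `fake_azure`; the account and container names are made up, and Azure's exact error code for a private container varies with the account's public-access setting.

```python
"""Anonymous Azure container-listing probe and its expected telemetry (added example)."""
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import urlopen


def list_blobs_url(account, container):
    """Anonymous List Blobs URL for one container: no SAS token, no account key."""
    return (f"https://{account}.blob.core.windows.net/{container}?"
            + urlencode({"restype": "container", "comp": "list"}))


def http_fetch(url):
    """Live fetch returning (status, body); only used when a real account is targeted."""
    try:
        with urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as e:
        return e.code, e.read().decode()


def parse_listing(status, body):
    """200 with <EnumerationResults> means public list access; otherwise return the service <Code>."""
    root = ET.fromstring(body.encode())
    if status == 200 and root.tag == "EnumerationResults":
        return {"public": True, "blobs": [b.findtext("Name") for b in root.iter("Blob")]}
    return {"public": False, "error": root.findtext("Code")}


def probe_containers(account, candidates, fetch=http_fetch):
    """Probe each candidate container; return findings and the StorageBlobLogs rows
    the victim will see (one ListBlobs row per probe, AuthenticationType Anonymous)."""
    findings, expected_logs = {}, []
    for name in candidates:
        url = list_blobs_url(account, name)
        status, body = fetch(url)
        findings[name] = parse_listing(status, body)
        expected_logs.append({"OperationName": "ListBlobs", "AuthenticationType": "Anonymous",
                              "StatusCode": status, "Uri": url})
    return findings, expected_logs


# Constructed responses standing in for Azure Storage; only the "static" container is public.
_PUBLIC_XML = ('<?xml version="1.0" encoding="utf-8"?>'
               '<EnumerationResults ServiceEndpoint="https://victimcdn.blob.core.windows.net/" ContainerName="static">'
               '<Blobs><Blob><Name>js/app.min.js</Name></Blob><Blob><Name>backup/site-2023.zip</Name></Blob></Blobs>'
               '<NextMarker/></EnumerationResults>')
_PRIVATE_XML = ('<?xml version="1.0" encoding="utf-8"?><Error><Code>PublicAccessNotPermitted</Code>'
                '<Message>Public access is not permitted on this storage account.</Message></Error>')


def fake_azure(url):
    """Offline stand-in for http_fetch."""
    return (200, _PUBLIC_XML) if "/static?" in url else (404, _PRIVATE_XML)


def run_test3():
    """Sweep a short wordlist of common CDN container names against the constructed account."""
    candidates = ["static", "assets", "cdn", "backup", "media", "uploads", "images", "public"]
    return probe_containers("victimcdn", candidates, fetch=fake_azure)


if __name__ == "__main__":
    findings, logs = run_test3()
    for name, f in findings.items():
        print(name, "PUBLIC" if f["public"] else f"private ({f['error']})", f.get("blobs", ""))
    print(len(logs), "ListBlobs rows expected in StorageBlobLogs;",
          sum(row["StatusCode"] == 200 for row in logs), "with StatusCode 200")
```

Note what this sweep leaves behind: eight ListBlobs rows from one caller inside one 5-minute window, but only one with StatusCode 200. Branch 2 of the rule filters on successful listings, so it fires only when more than five probed containers are actually public; a sweep that mostly hits private containers is visible only as a burst of anonymous non-200 ListBlobs rows, which is worth a separate hunting query.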
