Detect CDNs in Splunk
Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor's geographical region. Adversaries may search CDN data to gather actionable information including origin server infrastructure, exposed backend IPs, misconfigured storage buckets hosting sensitive content not covered by the same authentication controls as the primary website, and path structures revealing internal architecture. Information from CDN reconnaissance may reveal opportunities for active scanning, infrastructure compromise, or drive-by attacks targeting CDN-served content.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1596 Search Open Technical Databases
- Sub-technique
- T1596.004 CDNs
- Canonical reference
- https://attack.mitre.org/techniques/T1596/004/
SPL Detection Query
| tstats count AS request_count, dc(Web.uri_path) AS unique_paths, values(Web.status) AS statuses
FROM datamodel=Web
WHERE nodename=Web.Web
(Web.status=404 OR Web.status=403)
BY Web.src, Web.dest, Web.http_user_agent, _time span=5m
| rename Web.src AS src_ip, Web.dest AS dest_host, Web.http_user_agent AS user_agent
| where request_count > 40 AND unique_paths > 15
| eval detection_type="CDN_Path_Enumeration"
| eval recon_tool=case(
match(user_agent, "(?i)(sqlmap|nikto|dirbuster|gobuster|ffuf|feroxbuster|wfuzz|masscan|nmap|zgrab|shodan|censys|nuclei|curl/[0-9])"), "known_scanner",
match(user_agent, "(?i)(python-requests|go-http-client|java/|libwww-perl|wget/)"), "scripted_client",
len(user_agent) < 10 OR isnull(user_agent), "minimal_ua",
true(), "unknown"
)
| eval priority=case(
recon_tool="known_scanner" AND request_count > 100, "high",
recon_tool="known_scanner", "medium",
recon_tool="scripted_client" AND unique_paths > 30, "medium",
true(), "low"
)
| table _time, src_ip, dest_host, user_agent, request_count, unique_paths, statuses, detection_type, recon_tool, priority
| sort - request_count
Detects CDN path enumeration and reconnaissance scanning using the Splunk Common Information Model (CIM) Web datamodel, which normalizes web server access logs, proxy logs, and CDN access logs from diverse sources. Flags a source IP that draws more than 40 404/403 responses across more than 15 unique paths from one destination within a 5-minute window, the signature of wordlist-based CDN content enumeration. Inside tstats every aggregated field must carry the Web. prefix (dc(Web.uri_path), values(Web.status)); an unprefixed field name silently returns nothing. Assigns a recon_tool category from the User-Agent to separate known scanning tools (gobuster, ffuf, dirbuster, nuclei) from scripted clients and unknown agents, then derives a priority from tool category and volume. Two caveats: the tstats BY clause discards events that carry no http_user_agent, so the isnull() branch of recon_tool never fires as written and only short, non-empty User-Agents reach minimal_ua; and a scanner that rotates source IPs or User-Agents is split across groups, so this query catches a single noisy source, not a distributed one. Requires the CIM Web datamodel to be accelerated and populated from the web/proxy sourcetypes listed below or equivalent CDN log sources.
Data Sources
Required Sourcetypes
- stream:http
- pan:traffic
- access_combined
- ms:azure:adfrontdoor:accesslog
- equivalent CDN access log sources mapped to the CIM Web datamodel
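The same detection logic, as an added Python example that is not part of the original page or of Splunk: it re-implements the SPL query above over constructed CIM-shaped web events so the thresholds, the 5-minute bucketing, the User-Agent classification and the priority assignment can be exercised offline and checked against known input. Event field names follow the CIM Web datamodel; the hostnames, addresses and User-Agents in sample_events() are constructed for the demo and do not come from real CDN logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Same User-Agent patterns as the SPL case() expression; "/" needs no escaping in PCRE or Python re.
KNOWN_SCANNER = re.compile(
    r"(?i)(sqlmap|nikto|dirbuster|gobuster|ffuf|feroxbuster|wfuzz|masscan|nmap|zgrab|shodan|censys|nuclei|curl/[0-9])")
SCRIPTED_CLIENT = re.compile(r"(?i)(python-requests|go-http-client|java/|libwww-perl|wget/)")

REQUEST_THRESHOLD = 40   # SPL: request_count > 40
PATH_THRESHOLD = 15      # SPL: unique_paths > 15
SPAN = timedelta(minutes=5)


def classify_user_agent(ua):
    """Mirror of the SPL recon_tool case(); branch order matters (curl/7 is short but a known scanner)."""
    if ua and KNOWN_SCANNER.search(ua):
        return "known_scanner"
    if ua and SCRIPTED_CLIENT.search(ua):
        return "scripted_client"
    if ua is None or len(ua) < 10:
        # Reachable here; in the SPL, tstats BY drops events with a null http_user_agent.
        return "minimal_ua"
    return "unknown"


def priority(recon_tool, request_count, unique_paths):
    """Mirror of the SPL priority case()."""
    if recon_tool == "known_scanner" and request_count > 100:
        return "high"
    if recon_tool == "known_scanner":
        return "medium"
    if recon_tool == "scripted_client" and unique_paths > 30:
        return "medium"
    return "low"


def bucket_start(ts):
    """Floor a timestamp to the 5-minute window that BY _time span=5m produces."""
    span = int(SPAN.total_seconds())
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % span, tz=timezone.utc)


def detect_cdn_enumeration(events):
    """events: dicts with CIM Web field names (_time, src, dest, http_user_agent, uri_path, status).
    Returns one finding per (window, src, dest, user_agent) group over both thresholds,
    sorted by request_count descending like the SPL table/sort."""
    groups = defaultdict(lambda: {"count": 0, "paths": set(), "statuses": set()})
    for ev in events:
        if ev["status"] not in (403, 404):          # tstats WHERE clause
            continue
        key = (bucket_start(ev["_time"]), ev["src"], ev["dest"], ev["http_user_agent"])
        g = groups[key]
        g["count"] += 1
        g["paths"].add(ev["uri_path"])              # dc(Web.uri_path)
        g["statuses"].add(ev["status"])             # values(Web.status)
    findings = []
    for (window, src, dest, ua), g in groups.items():
        if g["count"] > REQUEST_THRESHOLD and len(g["paths"]) > PATH_THRESHOLD:
            tool = classify_user_agent(ua)
            findings.append({
                "_time": window, "src_ip": src, "dest_host": dest, "user_agent": ua,
                "request_count": g["count"], "unique_paths": len(g["paths"]),
                "statuses": sorted(g["statuses"]), "detection_type": "CDN_Path_Enumeration",
                "recon_tool": tool, "priority": priority(tool, g["count"], len(g["paths"])),
            })
    return sorted(findings, key=lambda f: -f["request_count"])


def sample_events():
    """Constructed CIM-shaped web events for the demo (not real CDN logs)."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    events = []
    # 120 wordlist probes from gobuster, 120 distinct paths, a mix of 403 and 404.
    for i in range(120):
        events.append({"_time": t0 + timedelta(seconds=i), "src": "203.0.113.10", "dest": "cdn.example.com",
                       "http_user_agent": "gobuster/3.6", "uri_path": f"/assets/{i}.bak",
                       "status": 404 if i % 7 else 403})
    # 50 probes from a python-requests script cycling over 35 paths.
    for i in range(50):
        events.append({"_time": t0 + timedelta(seconds=i), "src": "198.51.100.7", "dest": "cdn.example.com",
                       "http_user_agent": "python-requests/2.31", "uri_path": f"/static/{i % 35}.js", "status": 404})
    # A browser fetching one missing asset 60 times: high count, one path, so not reported.
    for i in range(60):
        events.append({"_time": t0 + timedelta(seconds=i), "src": "192.0.2.5", "dest": "cdn.example.com",
                       "http_user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0",
                       "uri_path": "/favicon.ico", "status": 404})
    return events


if __name__ == "__main__":
    for f in detect_cdn_enumeration(sample_events()):
        print(f["priority"], f["src_ip"], f["recon_tool"], f["request_count"], f["unique_paths"], f["statuses"])
```

Running it reports the gobuster burst as high and the python-requests run as medium, while the browser that requests one missing favicon 60 times is not reported because it touches a single path. Tuning for the false positives listed below is a matter of dropping or allowlisting the relevant src and user_agent values before grouping; the thresholds are the same constants the SPL where clause uses.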
False Positives & Tuning
- Automated SEO crawlers and web indexing services performing routine site discovery that generates high 404 rates
- Penetration testing engagements or red team exercises authorized against the organization's CDN infrastructure
- Content migration scripts enumerating existing CDN paths to verify asset transfer completeness
- Developer tooling and staging environment tests that probe CDN endpoints for cache invalidation verification
- Anti-DDoS and bot management services performing CDN health probes that may appear as scanning activity
Testing Methodology
Validate this detection with the four Atomic Red Team-style test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: CDN Provider Fingerprinting via Response Header Analysis
Expected signal: outbound connections to the target domain on port 443 (Sysmon Event ID 3 or equivalent) and DNS queries for the target domain and its CDN subdomain variants; with resolver logging, multiple CNAME lookups for cdn.*, static.*, assets.* subdomains will appear. Beyond those connections and lookups there is no endpoint telemetry, and the CDN sees only a handful of ordinary requests, so the SPL query above will not fire on this test: it is low-volume, header-driven reconnaissance rather than path enumeration.
- Test 2: CDN Origin Server IP Discovery via Direct Connection Test
Expected signal: Sysmon Event ID 3 (Network Connection) or equivalent for an outbound TCP connection to the origin IP on port 80, a DNS query for origin.example.com in DNS logs, and the curl process creation (Sysmon Event ID 1) with a command line containing the target IP and the Host header. If the origin server logs access, the request appears in the origin's access log without the headers the CDN normally inserts, which is the check that separates a CDN bypass from traffic relayed through the CDN.
- Test 3: CDN-Hosted Storage Bucket Enumeration
Expected signal: network connections on port 443 to Azure blob.core.windows.net, AWS s3.amazonaws.com, and GCS storage.googleapis.com. Azure Blob Storage resource logs (the StorageBlobLogs table) record the ListBlobs operation with CallerIpAddress, AuthenticationType=Anonymous and StatusCode (200 if the container permits public listing, 403 or 404 otherwise). In AWS, the ListObjectsV2 calls reach CloudTrail only if S3 data event logging is enabled for the bucket; otherwise rely on S3 server access logs, where an unauthenticated requester is recorded as "-" and a listing as REST.GET.BUCKET. The probes are anonymous, so any 200 response is itself a finding.
- Test 4: CDN Subdomain Takeover Opportunity Discovery
Expected signal: DNS queries for each enumerated subdomain variant in resolver logs (Sysmon Event ID 22 per lookup where Sysmon is deployed) and HTTPS connections (Sysmon Event ID 3) to the resolved CDN addresses. CDN access logs show the probe requests; Azure Front Door access logs carry the tracking reference that is also returned to the client in the X-Azure-Ref header, identifying the Front Door endpoint that served each request. A subdomain whose CNAME still resolves to a provider hostname but whose probes produce no matching entry in your own CDN logs, or only the provider's endpoint-not-found response, is the candidate dangling record to investigate.
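For Test 3, an added Python example that is not from the page, AWS or Microsoft: it verifies the cloud-side telemetry the test should produce and turns it into a finding. It parses constructed S3 server access log lines (requester "-" for unauthenticated requests, REST.GET.BUCKET for a listing) and constructed StorageBlobLogs rows (OperationName, AuthenticationType, CallerIpAddress, StatusCode, Uri), keeps only anonymous listing attempts, groups them by source address across both providers, and rates a source high when any listing returned 200. Bucket, container and account names, addresses and request IDs are constructed; the field layouts follow the AWS and Azure logging references listed below.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed S3 server access log lines in the documented field order (not real logs).
# Fields: owner bucket [time] ip requester request-id operation key "request-uri" status error ...
S3_ACCESS_LOG = """\
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be static-assets-prod [01/Jan/2024:12:00:01 +0000] 203.0.113.10 - 3E57427F3EXAMPLE REST.GET.BUCKET - "GET /static-assets-prod?list-type=2 HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "python-requests/2.31" - - - - - static-assets-prod.s3.amazonaws.com TLSv1.2
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be cdn-backups-example [01/Jan/2024:12:00:02 +0000] 203.0.113.10 - 7B2F0C1DEXAMPLE REST.GET.BUCKET - "GET /cdn-backups-example?list-type=2 HTTP/1.1" 200 - 9812 - 11 10 "-" "python-requests/2.31" - - - - - cdn-backups-example.s3.amazonaws.com TLSv1.2
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be cdn-backups-example [01/Jan/2024:12:00:09 +0000] 192.0.2.5 arn:aws:iam::123456789012:user/deploy A1B2C3D4EXAMPLE REST.GET.OBJECT site.tar.gz "GET /cdn-backups-example/site.tar.gz HTTP/1.1" 200 - 104857 104857 30 25 "-" "aws-cli/2.15" - - SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader cdn-backups-example.s3.amazonaws.com TLSv1.2
"""

# Constructed rows as exported from the StorageBlobLogs table (not real logs).
AZURE_BLOB_LOGS = [
    {"TimeGenerated": "2024-01-01T12:00:03Z", "AccountName": "examplecdnstore", "OperationName": "ListBlobs",
     "StatusCode": 403, "AuthenticationType": "Anonymous", "CallerIpAddress": "203.0.113.10:51822",
     "Uri": "https://examplecdnstore.blob.core.windows.net/backups?restype=container&comp=list"},
    {"TimeGenerated": "2024-01-01T12:00:04Z", "AccountName": "examplecdnstore", "OperationName": "ListBlobs",
     "StatusCode": 404, "AuthenticationType": "Anonymous", "CallerIpAddress": "203.0.113.10:51823",
     "Uri": "https://examplecdnstore.blob.core.windows.net/assets?restype=container&comp=list"},
    {"TimeGenerated": "2024-01-01T12:00:30Z", "AccountName": "examplecdnstore", "OperationName": "ListBlobs",
     "StatusCode": 200, "AuthenticationType": "SAS", "CallerIpAddress": "192.0.2.5:44010",
     "Uri": "https://examplecdnstore.blob.core.windows.net/assets?restype=container&comp=list"},
]

# One token per field: bracketed time, quoted strings, or runs of non-space characters.
S3_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_s3_access_log(line):
    """Normalize one S3 server access log line; indices follow the documented field order."""
    f = S3_TOKEN.findall(line)
    return {
        "provider": "aws",
        "time": datetime.strptime(f[2].strip("[]"), "%d/%b/%Y:%H:%M:%S %z"),
        "source_ip": f[3],
        "anonymous": f[4] == "-",               # requester "-" means no credentials were presented
        "target": f[1],
        "listing": f[6] == "REST.GET.BUCKET",   # bucket listing, as opposed to REST.GET.OBJECT
        "status": int(f[9]),
    }


def parse_azure_blob_log(rec):
    """Normalize one StorageBlobLogs row; CallerIpAddress carries a trailing :port."""
    return {
        "provider": "azure",
        "time": datetime.strptime(rec["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "source_ip": rec["CallerIpAddress"].rsplit(":", 1)[0],
        "anonymous": rec["AuthenticationType"] == "Anonymous",
        "target": rec["AccountName"] + "/" + urlparse(rec["Uri"]).path.strip("/"),
        "listing": rec["OperationName"] == "ListBlobs",
        "status": int(rec["StatusCode"]),
    }


def find_anonymous_listing(events):
    """Group anonymous listing attempts by source IP; a 200 means the listing was served publicly."""
    per_ip = defaultdict(lambda: {"attempts": 0, "targets": set(), "exposed": set(), "providers": set()})
    for ev in events:
        if not (ev["anonymous"] and ev["listing"]):
            continue  # authenticated traffic and object reads are the deployment noise we ignore
        s = per_ip[ev["source_ip"]]
        s["attempts"] += 1
        s["targets"].add(ev["target"])
        s["providers"].add(ev["provider"])
        if ev["status"] == 200:
            s["exposed"].add(ev["target"])
    findings = []
    for ip, s in per_ip.items():
        if s["exposed"]:
            prio = "high"       # an anonymous listing succeeded: bucket contents are exposed
        elif len(s["targets"]) > 1:
            prio = "medium"     # all denied, but the source is enumerating several names
        else:
            prio = "low"
        findings.append({"source_ip": ip, "attempts": s["attempts"], "targets": sorted(s["targets"]),
                         "exposed": sorted(s["exposed"]), "providers": sorted(s["providers"]), "priority": prio})
    return sorted(findings, key=lambda f: (-len(f["exposed"]), -f["attempts"]))


def sample_events():
    """All constructed rows from both providers, normalized to one shape."""
    events = [parse_s3_access_log(l) for l in S3_ACCESS_LOG.splitlines() if l.strip()]
    events += [parse_azure_blob_log(r) for r in AZURE_BLOB_LOGS]
    return events


if __name__ == "__main__":
    for f in find_anonymous_listing(sample_events()):
        print(f["priority"], f["source_ip"], f["attempts"], f["providers"], f["targets"], "exposed:", f["exposed"])
```

The single source in the sample is rated high because one of its four anonymous listings (the S3 bucket) returned 200, which is the outcome Test 3 is meant to surface; the SAS-authenticated ListBlobs and the credentialed object download are left out, since they are what legitimate deployment tooling looks like in the same tables.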
References (9)
- https://attack.mitre.org/techniques/T1596/004/
- https://www.digitalshadows.com/blog-and-research/content-delivery-networks-cdns-can-leave-you-exposed-how-you-might-be-affected-and-what-you-can-do-about-it/
- https://learn.microsoft.com/en-us/azure/frontdoor/front-door-diagnostics
- https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage-reference
- https://learn.microsoft.com/en-us/azure/cdn/cdn-azure-diagnostic-logs
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server
- https://github.com/EdOverflow/can-i-take-over-xyz
- https://0xpatrik.com/subdomain-takeover-basics/
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html