T1597.001 Threat Intel Vendors Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ThreatIntelVendorDomains = dynamic([
  "recordedfuture.com", "api.recordedfuture.com",
  "virustotal.com", "api.virustotal.com",
  "shodan.io", "api.shodan.io",
  "falcon.crowdstrike.com", "crowdstrike.com",
  "threatconnect.com", "api.threatconnect.com",
  "anomali.com", "lookslike.anomali.com",
  "intelligence.mandiant.com", "advantage.mandiant.com",
  "exchange.xforce.ibmcloud.com", "ibmxforce.com",
  "talosintelligence.com",
  "otx.alienvault.com",
  "cyberint.com", "flare.systems", "flare.io",
  "pulsedive.com", "greynoise.io", "api.greynoise.io",
  "threatfox.abuse.ch", "urlhaus.abuse.ch"
]);
let SuspiciousUserAgents = dynamic([
  "curl", "python-requests", "python-urllib", "Go-http-client",
  "wget", "libwww-perl", "httpie", "axios", "okhttp"
]);
let LookbackDays = 7d;
// Branch 1: Proxy/firewall logs showing bulk or scripted TI vendor API access
CommonSecurityLog
| where TimeGenerated > ago(LookbackDays)
| where RequestURL has_any (ThreatIntelVendorDomains)
     or DestinationHostName has_any (ThreatIntelVendorDomains)
| extend IsAPICall = RequestURL has_any ("/api/", "/v1/", "/v2/", "/v3/", "apikey=", "api_key=", "?key=")
| extend IsScriptedClient = UserAgent has_any (SuspiciousUserAgents)
| extend VendorQueried = DestinationHostName
| project TimeGenerated, SourceIP, SourceUserName, DestinationHostName,
          RequestURL, RequestMethod, UserAgent,
          IsAPICall, IsScriptedClient, VendorQueried,
          DeviceVendor, DeviceProduct
| sort by TimeGenerated desc
| union (
// Branch 2: Azure AD / Entra ID sign-in anomalies to TI vendor apps
  SigninLogs
  | where TimeGenerated > ago(LookbackDays)
  | where AppDisplayName has_any ("Recorded Future", "CrowdStrike", "VirusTotal",
                                   "ThreatConnect", "Anomali", "Mandiant",
                                   "IBM X-Force", "Shodan")
  | where ResultType == 0  // Successful sign-in
  | extend IsAnomalousLocation = tostring(LocationDetails.city) !in ("")
  | extend CountryCode = tostring(LocationDetails.countryOrRegion)
  | extend SignInRisk = RiskLevelDuringSignIn
  | where SignInRisk in ("high", "medium")
       or NetworkLocationDetails has "anonymizedIPAddress"
       or NetworkLocationDetails has "maliciousIPAddress"
  | project TimeGenerated, UserPrincipalName, AppDisplayName,
            IPAddress, CountryCode, SignInRisk,
            NetworkLocationDetails, ConditionalAccessStatus
  | extend VendorQueried = AppDisplayName,
           IsAPICall = false,
           IsScriptedClient = false
)
| sort by TimeGenerated desc

medium severity low confidence

Data Sources

Network Traffic: Network Traffic Content Application Log: Application Log Content Logon Session: Logon Session Creation CommonSecurityLog (proxy/firewall) SigninLogs (Azure AD / Entra ID)

Required Tables

CommonSecurityLog SigninLogs

False Positives

Security analysts performing routine threat intelligence lookups against vendor APIs during incident investigations
SOAR/XSOAR playbooks and automated enrichment pipelines (e.g., Cortex, Splunk SOAR) making programmatic API calls to TI vendors using service account credentials
Threat intelligence platforms (TIPs) like MISP, OpenCTI, or ThreatConnect ingesting feeds via scheduled API jobs
Vulnerability management or red team tooling querying Shodan or VirusTotal for asset discovery
DevSecOps pipelines querying VirusTotal or similar for file hash validation during CI/CD build processes

Splunk

spl

| tstats count as RequestCount,
         dc(src_ip) as UniqueSourceIPs,
         values(http_user_agent) as UserAgents,
         values(uri_path) as URIPaths,
         earliest(_time) as FirstSeen,
         latest(_time) as LastSeen
  FROM datamodel=Web
  WHERE nodename=Web.Web
  BY Web.dest_host, Web.src_user, Web.src_ip, Web.http_method
| rename Web.* as *
| search dest_host IN (
    "recordedfuture.com", "api.recordedfuture.com",
    "virustotal.com", "api.virustotal.com",
    "shodan.io", "api.shodan.io",
    "falcon.crowdstrike.com",
    "threatconnect.com", "api.threatconnect.com",
    "anomali.com",
    "intelligence.mandiant.com", "advantage.mandiant.com",
    "exchange.xforce.ibmcloud.com",
    "talosintelligence.com",
    "otx.alienvault.com",
    "greynoise.io", "api.greynoise.io",
    "pulsedive.com",
    "flare.systems"
  )
| eval IsAPIPath=if(match(URIPaths, "(/api/|/v[0-9]/|apikey=|api_key=|\?key=)"), 1, 0)
| eval IsScriptedUA=if(match(lower(UserAgents), "(curl|python-requests|python-urllib|go-http-client|wget|libwww|httpie|axios|okhttp)"), 1, 0)
| eval HourlyRate=RequestCount / ((LastSeen - FirstSeen) / 3600 + 1)
| eval RiskScore=case(
    IsScriptedUA=1 AND IsAPIPath=1, 3,
    IsScriptedUA=1 OR IsAPIPath=1, 2,
    HourlyRate > 60, 2,
    true(), 1
  )
| where RequestCount > 10 OR IsScriptedUA=1 OR IsAPIPath=1
| eval FirstSeenHuman=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S")
| eval LastSeenHuman=strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| table dest_host, src_user, src_ip, RequestCount, HourlyRate,
        IsAPIPath, IsScriptedUA, UserAgents, URIPaths,
        FirstSeenHuman, LastSeenHuman, RiskScore
| sort - RiskScore, - RequestCount

medium severity low confidence

Data Sources

Network Traffic: Network Traffic Content Web Proxy Logs Splunk CIM Web Datamodel

Required Sourcetypes

stream:http pan:traffic proxy squid bluecoat:proxysg:access:syslog

False Positives

Security operations teams conducting normal threat hunting and IOC enrichment workflows through TI vendor portals
SOAR automation (Splunk SOAR, Palo Alto XSOAR) running enrichment playbooks via service account API tokens
Threat intelligence platforms ingesting vendor feeds on a scheduled basis, generating high-volume but expected API traffic
Penetration testers or red teamers using Shodan or VirusTotal during authorized engagements
Security researchers within the organization performing vulnerability research or malware analysis using TI vendor APIs

Elastic Security (EQL)

eql

// T1597.001 — Threat Intel Vendor Recon
any where event.dataset : "network_traffic.http"
  and url.domain : (
    "recordedfuture.com", "virustotal.com", "shodan.io",
    "mandiant.com", "crowdstrike.com", "misp-project.org"
  )
  and not user_agent.original : ("Mozilla*", "Chrome*", "Safari*", "Edge*")

medium severity low confidence

Data Sources

Azure Active Directory Microsoft 365

Required Tables

logs-azure.* logs-azure.signinlogs-*

False Positives

Security analysts performing routine threat intelligence lookups against vendor APIs during incident investigations
SOAR/XSOAR playbooks and automated enrichment pipelines (e.g., Cortex, Splunk SOAR) making programmatic API calls to TI vendors using service account credentials
Threat intelligence platforms (TIPs) like MISP, OpenCTI, or ThreatConnect ingesting feeds via scheduled API jobs
Vulnerability management or red team tooling querying Shodan or VirusTotal for asset discovery

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("destinationhostname") ILIKE '%recordedfuture.com%' OR LOWER("destinationhostname") ILIKE '%virustotal.com%' OR LOWER("destinationhostname") ILIKE '%shodan.io%' OR LOWER("destinationhostname") ILIKE '%mandiant.com%' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("destinationhostname") ILIKE '%recordedfuture.com%' OR LOWER("destinationhostname") ILIKE '%virustotal.com%' OR LOWER("destinationhostname") ILIKE '%shodan.io%' OR LOWER("destinationhostname") ILIKE '%mandiant.com%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

medium severity low confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Security analysts performing routine threat intelligence lookups against vendor APIs during incident investigations
SOAR/XSOAR playbooks and automated enrichment pipelines (e.g., Cortex, Splunk SOAR) making programmatic API calls to TI vendors using service account credentials
Threat intelligence platforms (TIPs) like MISP, OpenCTI, or ThreatConnect ingesting feeds via scheduled API jobs
Vulnerability management or red team tooling querying Shodan or VirusTotal for asset discovery

Sumo Logic CSE

sql

_sourceCategory=*azure* OR _sourceCategory=*aad*
| json auto
| where isNotNull(userPrincipalName)
| count by userPrincipalName, ipAddress, appDisplayName
| sort by _count desc

medium severity low confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

azure/activedirectory azure/signinlogs

False Positives

Security analysts performing routine threat intelligence lookups against vendor APIs during incident investigations
SOAR/XSOAR playbooks and automated enrichment pipelines (e.g., Cortex, Splunk SOAR) making programmatic API calls to TI vendors using service account credentials
Threat intelligence platforms (TIPs) like MISP, OpenCTI, or ThreatConnect ingesting feeds via scheduled API jobs
Vulnerability management or red team tooling querying Shodan or VirusTotal for asset discovery

Google Chronicle / SecOps

yaral

rule t1597_001_threat_intel_vendors {
  meta:
    author = "df00tech"
    description = "Detects Threat Intel Vendors (T1597.001)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1597.001"
    confidence = "low"
    severity = "medium"
  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.principal.user.userid != ""
  condition:
    $e
}

medium severity low confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

USER_LOGIN USER_RESOURCE_ACCESS

False Positives

Security analysts performing routine threat intelligence lookups against vendor APIs during incident investigations
SOAR/XSOAR playbooks and automated enrichment pipelines (e.g., Cortex, Splunk SOAR) making programmatic API calls to TI vendors using service account credentials
Threat intelligence platforms (TIPs) like MISP, OpenCTI, or ThreatConnect ingesting feeds via scheduled API jobs
Vulnerability management or red team tooling querying Shodan or VirusTotal for asset discovery

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ["NetworkConnectIP4", "NetworkConnectIP6"]
| not RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| groupBy([RemoteAddressIP4], function=count(as=TotalConns))
| TotalConns > 100
| TechniqueLabel := "T1597.001 - Reconnaissance"
| table([@timestamp, RemoteAddressIP4, TotalConns, TechniqueLabel])

medium severity low confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

UserLogon ProcessRollup2

False Positives

Security analysts performing routine threat intelligence lookups against vendor APIs during incident investigations
SOAR/XSOAR playbooks and automated enrichment pipelines (e.g., Cortex, Splunk SOAR) making programmatic API calls to TI vendors using service account credentials
Threat intelligence platforms (TIPs) like MISP, OpenCTI, or ThreatConnect ingesting feeds via scheduled API jobs
Vulnerability management or red team tooling querying Shodan or VirusTotal for asset discovery

Threat Intel Vendors

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections