Detect Threat Intel Vendors in IBM QRadar
Adversaries may search private threat intelligence vendor data for information that can be used during targeting. Threat intelligence vendors offer paid feeds, APIs, and portals containing richer contextual data than publicly reported sources — including breach trends, victim industry attribution, successful TTPs, countermeasures, and named threat actor profiles. Adversaries may register accounts under false pretenses, use stolen credentials, or leverage legitimate existing subscriptions to query vendor platforms such as Recorded Future, Mandiant Advantage, CrowdStrike Falcon Intelligence, IBM X-Force Exchange, VirusTotal Intelligence, Shodan, and similar services. The gathered intelligence informs more targeted intrusion campaigns by revealing defensive gaps, preferred targets in a sector, and previously successful attack chains. Detection is extremely difficult because adversary activity occurs entirely on third-party platforms outside the victim organization's telemetry boundary. Victim-side detection relies on anomalous access patterns to SSO-connected TI platforms, API key misuse, and downstream behavioral indicators resulting from the intelligence gathered.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1597 Search Closed Sources
- Sub-technique: T1597.001 Threat Intel Vendors
- Canonical reference: https://attack.mitre.org/techniques/T1597/001/
QRadar Detection Query
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
  LOGSOURCENAME(logsourceid) AS "LogSource",
  LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
  "username", "sourceip", "destinationip",
  "eventid", "deviceaction", "message",
  CASE
    WHEN "destinationhostname" ILIKE '%recordedfuture.com%'
      OR "destinationhostname" ILIKE '%virustotal.com%'
      OR "destinationhostname" ILIKE '%shodan.io%'
      OR "destinationhostname" ILIKE '%mandiant.com%' THEN 8
    ELSE 4
  END AS "RiskScore"
FROM events
WHERE ("destinationhostname" ILIKE '%recordedfuture.com%'
    OR "destinationhostname" ILIKE '%virustotal.com%'
    OR "destinationhostname" ILIKE '%shodan.io%'
    OR "destinationhostname" ILIKE '%mandiant.com%')
  AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
ORDER BY "RiskScore" DESC, "EventTime" DESC
LAST 24 HOURS

QRadar AQL detection for Threat Intel Vendors (T1597.001). The SQL-like query runs against the QRadar events store, matching destination hostnames against known TI vendor domains (ILIKE is already case-insensitive, so no LOWER() is needed) and attaching a risk score to surface reconnaissance patterns. Events from the internal SIM Audit and Custom Rule Engine log sources are excluded to cut noise.
False Positives & Tuning
- Security analysts performing routine threat intelligence lookups against vendor APIs during incident investigations
- SOAR/XSOAR playbooks and automated enrichment pipelines (e.g., Cortex, Splunk SOAR) making programmatic API calls to TI vendors using service account credentials
- Threat intelligence platforms (TIPs) like MISP, OpenCTI, or ThreatConnect ingesting feeds via scheduled API jobs
- Vulnerability management or red team tooling querying Shodan or VirusTotal for asset discovery
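To show how the AQL match above behaves once the tuning from this list is applied, here is an added Python re-implementation (not part of the page or of QRadar) that runs the same vendor-domain match over constructed proxy log lines, suppresses hypothetical allowlisted enrichment service accounts, and raises the risk score when one user reaches several vendors within a few minutes, the pattern Test 3 below describes. The account names, window size and log format are assumptions.

```python
"""Offline re-implementation of the AQL vendor-domain match, plus allowlist
tuning (False Positives list) and a burst check for one user hitting several
vendors within minutes. Added example; all log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Vendor domains from the AQL WHERE clause (substring match, like ILIKE '%x%')
TI_VENDOR_DOMAINS = ("recordedfuture.com", "virustotal.com", "shodan.io", "mandiant.com")
# Hypothetical enrichment service accounts to suppress (assumption, not from the page)
ALLOWLISTED_USERS = {"svc_soar_enrich", "svc_misp_feed"}
BURST_WINDOW = timedelta(minutes=5)   # window for the "several vendors quickly" check
BURST_DISTINCT_VENDORS = 3

# Constructed proxy log lines: time|user|src_ip|dest_host|user_agent
SAMPLE_LOGS = """\
2024-05-01 09:00:01|svc_soar_enrich|10.0.1.5|www.virustotal.com|python-requests/2.31
2024-05-01 09:00:04|jdoe|10.0.2.7|api.virustotal.com|curl/8.4.0
2024-05-01 09:01:10|jdoe|10.0.2.7|api.shodan.io|curl/8.4.0
2024-05-01 09:02:30|jdoe|10.0.2.7|api.recordedfuture.com|python-requests/2.31
2024-05-01 09:03:00|asmith|10.0.3.9|mail.example.com|Mozilla/5.0
"""

def match_vendor(host):
    """Return the matching vendor domain or None (case-insensitive substring)."""
    h = host.lower()
    return next((d for d in TI_VENDOR_DOMAINS if d in h), None)

def parse(lines):
    for line in lines.strip().splitlines():
        ts, user, src, host, ua = line.split("|")
        yield {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
               "user": user, "src": src, "host": host, "ua": ua}

def detect(lines):
    """One alert per matching, non-allowlisted event: risk 8 for a vendor hit
    (as in the AQL), raised to 9 when the user reached >= 3 vendors in 5 min."""
    hits = [dict(e, vendor=match_vendor(e["host"])) for e in parse(lines)]
    hits = [e for e in hits if e["vendor"] and e["user"] not in ALLOWLISTED_USERS]
    by_user = defaultdict(list)
    for e in hits:
        by_user[e["user"]].append(e)
    alerts = []
    for e in hits:
        recent = [x for x in by_user[e["user"]]
                  if e["time"] - BURST_WINDOW <= x["time"] <= e["time"]]
        bursty = len({x["vendor"] for x in recent}) >= BURST_DISTINCT_VENDORS
        alerts.append({"user": e["user"], "vendor": e["vendor"], "ua": e["ua"],
                       "risk": 9 if bursty else 8})
    return alerts
```

Calling `detect(SAMPLE_LOGS)` drops the SOAR service account and the unrelated mail host, and escalates only jdoe's third distinct vendor within the window.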
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: VirusTotal Public API Reconnaissance Query
Expected signal: Proxy/web gateway logs: outbound HTTP GET to api.virustotal.com with URI paths /api/v3/domains/ and /api/v3/ip_addresses/. User-Agent: curl/<version>. Sysmon Event ID 3 (Network Connection) if running on a monitored endpoint: DestinationHostName=www.virustotal.com, DestinationPort=443. DNS query (Sysmon Event ID 22) for virustotal.com.
- Test 2: Shodan API Infrastructure Scan Query
Expected signal: Proxy logs: outbound HTTPS GET requests to api.shodan.io with paths /shodan/host/search and /api-info. URI query strings containing key= (API key parameter), query= (search terms). User-Agent: curl. DNS resolution of api.shodan.io. Sysmon Event ID 3 (Network Connection): DestinationHostName=api.shodan.io, DestinationPort=443.
- Test 3: Python Script Bulk TI Vendor Query Simulation
Expected signal: Sysmon Event ID 3 (Network Connection): multiple outbound connections to virustotal.com, greynoise.io, otx.alienvault.com, pulsedive.com on port 443. InitiatingProcessFileName=python3. DNS resolution events (Sysmon Event ID 22) for each TI vendor domain. Proxy logs: HTTP GET requests from python-requests User-Agent to multiple TI vendor APIs within a short time window.
- Test 4: Recorded Future API Key Enumeration (Credential Exposure Test)
Expected signal: Sysmon Event ID 3 (Network Connection): outbound connections from powershell.exe to api.recordedfuture.com and www.virustotal.com on port 443. Sysmon Event ID 22 (DNS Query): DNS lookups for api.recordedfuture.com, www.virustotal.com. Sysmon Event ID 1 (Process Create): PowerShell execution with Invoke-WebRequest in command line. PowerShell ScriptBlock Log Event ID 4104: full script including API endpoint URLs. Proxy/firewall logs: HTTPS CONNECT to api.recordedfuture.com with python-requests User-Agent.
References
- https://attack.mitre.org/techniques/T1597/001/
- https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
- https://www.recordedfuture.com/platform/threat-intelligence
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-commonsecuritylog-table
- https://docs.splunk.com/Documentation/CIM/latest/User/Web
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1597.001/T1597.001.md
- https://www.mandiant.com/resources/blog/how-threat-intelligence-is-used-by-defenders