T1597.001 Splunk · SPL

Detect Threat Intel Vendors in Splunk

Adversaries may search private threat intelligence vendor data for information that can be used during targeting. Threat intelligence vendors offer paid feeds, APIs, and portals containing richer contextual data than publicly reported sources — including breach trends, victim industry attribution, successful TTPs, countermeasures, and named threat actor profiles. Adversaries may register accounts under false pretenses, use stolen credentials, or leverage legitimate existing subscriptions to query vendor platforms such as Recorded Future, Mandiant Advantage, CrowdStrike Falcon Intelligence, IBM X-Force Exchange, VirusTotal Intelligence, Shodan, and similar services. The gathered intelligence informs more targeted intrusion campaigns by revealing defensive gaps, preferred targets in a sector, and previously successful attack chains. Detection is extremely difficult because adversary activity occurs entirely on third-party platforms outside the victim organization's telemetry boundary. Victim-side detection relies on anomalous access patterns to SSO-connected TI platforms, API key misuse, and downstream behavioral indicators resulting from the intelligence gathered.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1597 Search Closed Sources
Sub-technique
T1597.001 Threat Intel Vendors
Canonical reference
https://attack.mitre.org/techniques/T1597/001/

SPL Detection Query

Splunk (SPL)
```spl
| tstats count as RequestCount,
         values(Web.http_user_agent) as UserAgents,
         values(Web.uri_path) as URIPaths,
         values(Web.uri_query) as URIQueries,
         min(_time) as FirstSeen,
         max(_time) as LastSeen
  FROM datamodel=Web
  BY Web.dest, Web.user, Web.src, Web.http_method
| rename Web.* as *
| search dest IN (
    "recordedfuture.com", "*.recordedfuture.com",
    "virustotal.com", "*.virustotal.com",
    "shodan.io", "*.shodan.io",
    "falcon.crowdstrike.com",
    "threatconnect.com", "*.threatconnect.com",
    "anomali.com", "*.anomali.com",
    "intelligence.mandiant.com", "advantage.mandiant.com",
    "exchange.xforce.ibmcloud.com",
    "talosintelligence.com", "*.talosintelligence.com",
    "otx.alienvault.com",
    "greynoise.io", "*.greynoise.io",
    "pulsedive.com", "*.pulsedive.com",
    "flare.systems", "*.flare.systems"
  )
| eval ua_all=lower(coalesce(mvjoin(UserAgents, " "), "")),
       path_all=coalesce(mvjoin(URIPaths, " "), ""),
       query_all=coalesce(mvjoin(URIQueries, " "), "")
| eval IsAPIPath=if(match(path_all, "(/api/|/v[0-9]+/)") OR match(query_all, "(^|[ &])(key|apikey|api_key|token)="), 1, 0)
| eval IsScriptedUA=if(match(ua_all, "(curl|python-requests|python-urllib|go-http-client|wget|libwww|httpie|axios|okhttp|powershell)"), 1, 0)
| eval HourlyRate=round(RequestCount / max((LastSeen - FirstSeen) / 3600, 1), 1)
| eval RiskScore=case(
    IsScriptedUA=1 AND IsAPIPath=1, 3,
    IsScriptedUA=1 OR IsAPIPath=1, 2,
    HourlyRate > 60, 2,
    true(), 1
  )
| where RequestCount > 10 OR IsScriptedUA=1 OR IsAPIPath=1
| eval FirstSeenHuman=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S"),
       LastSeenHuman=strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| table dest, user, src, http_method, RequestCount, HourlyRate,
        IsAPIPath, IsScriptedUA, UserAgents, URIPaths,
        FirstSeenHuman, LastSeenHuman, RiskScore
| sort - RiskScore, - RequestCount
```
Severity: medium · Confidence: low

Uses the Splunk Common Information Model (CIM) Web data model (fields dest, src, user, http_method, http_user_agent, uri_path, uri_query) to identify bulk or scripted access to known threat intelligence vendor portals and APIs. Vendor hosts are matched on the registrable domain and any subdomain, so www.virustotal.com, api.shodan.io and api.recordedfuture.com all match; this assumes dest carries the requested hostname, as it does for proxy and stream:http data (firewall logs that populate dest with an IP address will not match). A RiskScore is then computed from three signals: programmatic user agents (curl, python-requests, PowerShell, etc.), API-style URI paths or API-key query parameters, and request volume or rate. The hourly rate, with the observation window floored at one hour, separates automated bulk queries from normal analyst browsing. High-volume scripted queries from internal accounts may indicate an adversary using a compromised host or credentials to gather intelligence, insider reconnaissance, or sanctioned SOAR automation that should be allowlisted. Caveat: for HTTPS destinations a proxy without TLS inspection records only the CONNECT to the host, so http_user_agent, uri_path and uri_query are empty; IsScriptedUA and IsAPIPath then never fire and only the request-count and hourly-rate conditions remain.
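As an added worked example (not part of the original page or of the SPL above), the following Python mirrors the query's grouping, eval, where and sort stages and runs them over constructed CIM-style proxy records: an analyst browsing the VirusTotal web UI, curl against the VirusTotal v3 API and the Shodan host-search endpoint, a SOAR service account calling Recorded Future at volume, and a user bulk-browsing a vendor portal. Users, addresses, timestamps, user agents and request paths are invented for the example; the /api/v3/ paths and the key= query parameter follow the tests in the Testing Methodology section.

```python
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Registrable domains behind the query's IN() list; a host matches when it equals the
# domain or is a subdomain of it, which is what the "*.vendor.com" wildcards express.
TI_VENDOR_DOMAINS = (
    "recordedfuture.com", "virustotal.com", "shodan.io", "falcon.crowdstrike.com", "threatconnect.com",
    "anomali.com", "mandiant.com", "exchange.xforce.ibmcloud.com", "talosintelligence.com",
    "otx.alienvault.com", "greynoise.io", "pulsedive.com", "flare.systems",
)
API_PATH_RE = re.compile(r"/api/|/v[0-9]+/")
API_QUERY_RE = re.compile(r"(^|&)(key|apikey|api_key|token)=")
SCRIPTED_UA_RE = re.compile(r"curl|python-requests|python-urllib|go-http-client|wget|"
                            r"libwww|httpie|axios|okhttp|powershell", re.IGNORECASE)
MIN_COUNT, BULK_RATE = 10, 60  # RequestCount floor and requests/hour threshold from the SPL


def is_ti_vendor(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TI_VENDOR_DOMAINS)


def parse_line(line):
    # One constructed key=value record -> dict keyed by CIM Web field names.
    rec = dict(tok.split("=", 1) for tok in shlex.split(line))
    rec["_time"] = datetime.fromisoformat(rec.pop("time").replace("Z", "+00:00")).timestamp()
    rec.setdefault("uri_query", "")
    return rec


def score(records):
    """Group like the tstats BY clause, then apply the eval / where / sort stages."""
    groups = defaultdict(list)
    for r in records:
        if is_ti_vendor(r["dest"]):
            groups[(r["dest"], r["user"], r["src"], r["http_method"])].append(r)
    out = []
    for (dest, user, src, method), rs in groups.items():
        first, last = min(r["_time"] for r in rs), max(r["_time"] for r in rs)
        uas = sorted({r["http_user_agent"] for r in rs})
        paths = sorted({r["uri_path"] for r in rs})
        queries = [r["uri_query"] for r in rs if r["uri_query"]]
        is_api = any(API_PATH_RE.search(p) for p in paths) or any(API_QUERY_RE.search(q) for q in queries)
        is_scripted = any(SCRIPTED_UA_RE.search(u) for u in uas)
        count = len(rs)
        rate = count / max((last - first) / 3600, 1)  # observation window floored at one hour
        risk = 3 if (is_scripted and is_api) else 2 if (is_scripted or is_api or rate > BULK_RATE) else 1
        if count > MIN_COUNT or is_scripted or is_api:  # the SPL where clause
            out.append({"dest": dest, "user": user, "src": src, "http_method": method,
                        "RequestCount": count, "HourlyRate": rate, "IsAPIPath": is_api,
                        "IsScriptedUA": is_scripted, "UserAgents": uas, "URIPaths": paths,
                        "FirstSeen": first, "LastSeen": last, "RiskScore": risk})
    out.sort(key=lambda x: (-x["RiskScore"], -x["RequestCount"]))
    return out


def run_detection(log_text):
    return score(parse_line(l) for l in log_text.splitlines() if l.strip())


# Constructed sample telemetry (not real logs): users, addresses and timestamps are invented.
FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"
LINE = ('time={t} dest={dest} src={src} user={user} http_method=GET '
        'uri_path={path} http_user_agent="{ua}"{q}')


def _burst(start, n, step_s, uri_query="", **fields):
    # n records, step_s seconds apart, from one (dest, user, src) tuple.
    q = f' uri_query="{uri_query}"' if uri_query else ""
    return [LINE.format(t=(start + timedelta(seconds=i * step_s)).strftime("%Y-%m-%dT%H:%M:%SZ"),
                        q=q, **fields) for i in range(n)]


def build_sample_log():
    d = datetime(2024, 5, 2, tzinfo=timezone.utc)
    lines = []
    # alice: three browser lookups in the VirusTotal web UI over half an hour -> stays silent
    lines += _burst(d.replace(hour=9), 3, 900, dest="www.virustotal.com", src="10.1.4.20",
                    user="alice", path="/gui/home/search", ua=FIREFOX)
    # mallory: curl against the VT v3 API and Shodan host search, as in Tests 1 and 2
    lines += _burst(d.replace(hour=10), 2, 5, dest="www.virustotal.com", src="10.1.7.55",
                    user="mallory", path="/api/v3/domains/example.com", ua="curl/8.4.0")
    lines += _burst(d.replace(hour=10, minute=1), 1, 0, dest="api.shodan.io", src="10.1.7.55",
                    user="mallory", path="/shodan/host/search", ua="curl/8.4.0",
                    uri_query="key=REDACTED&query=org:Example")
    # svc_soar: enrichment playbook, 120 python-requests calls in ten minutes (expected FP)
    lines += _burst(d.replace(hour=12), 120, 5, dest="api.recordedfuture.com", src="10.1.9.9",
                    user="svc_soar", path="/v2/ip/198.51.100.7", ua="python-requests/2.31.0")
    # bob: 70 browser requests in 18 minutes -> flagged on rate alone, RiskScore 2
    lines += _burst(d.replace(hour=13), 70, 15, dest="www.virustotal.com", src="10.1.4.31",
                    user="bob", path="/gui/domain/example.org", ua=FIREFOX)
    return "\n".join(lines)


if __name__ == "__main__":
    for row in run_detection(build_sample_log()):
        print(row["RiskScore"], row["user"], row["dest"], row["RequestCount"], round(row["HourlyRate"], 1))
```

Running it lists four rows: the service account first (RiskScore 3, 120 requests, 120/h), then mallory's two curl sessions (RiskScore 3), then bob at RiskScore 2 on rate alone; alice never appears because three browser requests clear none of the where-clause conditions. The service-account row is exactly the false positive the tuning section describes and is the candidate for a user/src allowlist.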

Data Sources

  • Network Traffic: Network Traffic Content
  • Web Proxy Logs
  • Splunk CIM Web Datamodel

Required Sourcetypes

  • stream:http
  • pan:traffic
  • proxy
  • squid
  • bluecoat:proxysg:access:syslog

False Positives & Tuning

  • Security operations teams conducting normal threat hunting and IOC enrichment workflows through TI vendor portals
  • SOAR automation (Splunk SOAR, Palo Alto XSOAR) running enrichment playbooks via service account API tokens
  • Threat intelligence platforms ingesting vendor feeds on a scheduled basis, generating high-volume but expected API traffic
  • Penetration testers or red teamers using Shodan or VirusTotal during authorized engagements
  • Security researchers within the organization performing vulnerability research or malware analysis using TI vendor APIs
  • Tune by allowlisting known SOAR, TIP and analyst service accounts on user and src rather than dropping vendor domains from the list, so an unexpected principal reaching the same endpoints still surfaces


Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Proxy fields such as User-Agent and URI path are only present where the proxy performs TLS inspection; without it, the proxy records just the CONNECT to the vendor host on port 443, and the endpoint (Sysmon) signals carry the rest.

  1. Test 1: VirusTotal Public API Reconnaissance Query

    Expected signal: Proxy/web gateway logs: outbound GET requests to www.virustotal.com with URI paths /api/v3/domains/<domain> and /api/v3/ip_addresses/<ip> (the v3 API is served from www.virustotal.com rather than a separate api host), User-Agent curl/<version>. Sysmon Event ID 3 (Network Connection) if running on a monitored endpoint: DestinationHostName=www.virustotal.com, DestinationPort=443. DNS query (Sysmon Event ID 22) for www.virustotal.com.

  2. Test 2: Shodan API Infrastructure Scan Query

    Expected signal: Proxy logs: outbound GET requests to api.shodan.io with paths /shodan/host/search and /api-info, with URI query strings containing key= (the API key parameter) and query= (the search terms); User-Agent curl. DNS resolution of api.shodan.io. Sysmon Event ID 3 (Network Connection): DestinationHostName=api.shodan.io, DestinationPort=443.

  3. Test 3: Python Script Bulk TI Vendor Query Simulation

    Expected signal: Sysmon Event ID 3 (Network Connection): multiple outbound connections to www.virustotal.com, greynoise.io, otx.alienvault.com and pulsedive.com on port 443 with Image ending in python3. DNS resolution events (Sysmon Event ID 22) for each TI vendor domain. Proxy logs: GET requests with a python-requests User-Agent to several TI vendor APIs within a short time window, which is the pattern the HourlyRate and IsScriptedUA fields of the query are built to surface.

  4. Test 4: Recorded Future API Key Enumeration (Credential Exposure Test)

    Expected signal: Sysmon Event ID 3 (Network Connection): outbound connections from powershell.exe to api.recordedfuture.com and www.virustotal.com on port 443. Sysmon Event ID 22 (DNS Query): lookups for api.recordedfuture.com and www.virustotal.com. Sysmon Event ID 1 (Process Create): PowerShell execution with Invoke-WebRequest in the command line. PowerShell ScriptBlock Log Event ID 4104: the full script including API endpoint URLs. Proxy/firewall logs: HTTPS CONNECT to api.recordedfuture.com and, where TLS is inspected, the default Invoke-WebRequest User-Agent, which contains WindowsPowerShell/<version> (Windows PowerShell 5.1) or PowerShell/<version> (PowerShell 7) and is matched by the powershell term in the IsScriptedUA regex.

