T1597.002 Purchase Technical Data Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1597.002 — Purchase Technical Data: Downstream Indicators
// Detects authentication patterns consistent with use of purchased credentials or session tokens
// Focus: risky sign-ins, impossible travel, Tor/anonymizer logins, and credential stuffing patterns
let TorExitNodes = externaldata(ip: string)
    [@"https://check.torproject.org/exit-addresses"]
    with (format="txt", ignoreFirstRecord=true);
let LookbackPeriod = 7d;
let CredentialStuffingThreshold = 5; // distinct accounts from same IP
// Branch 1: Entra ID Protection high-risk sign-ins (purchased creds often trigger risk engine)
let RiskySignIns = SigninLogs
| where TimeGenerated > ago(LookbackPeriod)
| where RiskLevelDuringSignIn in ("high", "medium")
    or RiskEventTypes_V2 has_any ("leakedCredentials", "anonymizedIPAddress", "unfamiliarFeatures", "malwareLinkedIPAddress", "investigationsThreatIntelligence")
| extend DetectionSource = "EntraID_RiskEngine"
| project TimeGenerated, UserPrincipalName, IPAddress, Location, RiskLevelDuringSignIn, RiskEventTypes_V2, AppDisplayName, AuthenticationRequirement, ConditionalAccessStatus, DetectionSource, CorrelationId;
// Branch 2: Impossible travel — sign-ins from geographically distant locations within short window
let ImpossibleTravel = SigninLogs
| where TimeGenerated > ago(LookbackPeriod)
| where ResultType == 0 // successful sign-in
| extend Country = tostring(LocationDetails.countryOrRegion)
| summarize Locations = make_set(Country), SignInTimes = make_list(TimeGenerated), IPAddresses = make_set(IPAddress) by UserPrincipalName, bin(TimeGenerated, 6h)
| where array_length(Locations) > 1
| extend DetectionSource = "ImpossibleTravel"
| project TimeGenerated, UserPrincipalName, Locations, IPAddresses, DetectionSource;
// Branch 3: Credential stuffing — single IP attempting authentication against many accounts
let CredentialStuffing = SigninLogs
| where TimeGenerated > ago(LookbackPeriod)
| summarize DistinctAccounts = dcount(UserPrincipalName), AttemptCount = count(), ResultCodes = make_set(ResultType) by IPAddress, bin(TimeGenerated, 1h)
| where DistinctAccounts >= CredentialStuffingThreshold
| extend DetectionSource = "CredentialStuffing"
| project TimeGenerated, IPAddress, DistinctAccounts, AttemptCount, ResultCodes, DetectionSource;
// Branch 4: Successful sign-ins from first-time ASN or country for established accounts
let NewLocationSignIns = SigninLogs
| where TimeGenerated > ago(LookbackPeriod)
| where ResultType == 0
| extend Country = tostring(LocationDetails.countryOrRegion)
| join kind=leftanti (
    SigninLogs
    | where TimeGenerated between (ago(90d) .. ago(LookbackPeriod))
    | where ResultType == 0
    | distinct UserPrincipalName, Country = tostring(LocationDetails.countryOrRegion)
) on UserPrincipalName, Country
| extend DetectionSource = "NewCountrySignIn"
| project TimeGenerated, UserPrincipalName, IPAddress, Country, AppDisplayName, DetectionSource;
// Combine branches
RiskySignIns
| union (ImpossibleTravel | extend IPAddress = tostring(IPAddresses[0]), RiskLevelDuringSignIn = "computed", RiskEventTypes_V2 = dynamic([]), AppDisplayName = "", AuthenticationRequirement = "", ConditionalAccessStatus = "", CorrelationId = "")
| union (NewLocationSignIns | extend RiskLevelDuringSignIn = "new_location", RiskEventTypes_V2 = dynamic([]), AppDisplayName, AuthenticationRequirement = "", ConditionalAccessStatus = "", CorrelationId = "")
| sort by TimeGenerated desc

high severity low confidence

Data Sources

Authentication: Authentication Logs User Account: User Account Authentication Microsoft Entra ID Protection Risk Events SigninLogs

Required Tables

SigninLogs

False Positives

Legitimate user travel to a new country or use of a corporate VPN exit node in an unfamiliar region will trigger the impossible travel and new-country branches
Users sharing a corporate NAT or proxy will cause multiple accounts to appear from the same IP, triggering the credential stuffing threshold even for legitimate logins
Entra ID Protection risk events may fire for legitimate users connecting from cloud provider IP ranges (AWS, Azure, GCP) that are also abused by attackers
Red team or penetration testing exercises using purchased breach data to validate detection coverage will produce high-confidence true positives that are authorized
Password reset or IT helpdesk-initiated logins from shared admin workstations may appear as unusual geographic or ASN origins

Splunk

spl

| tstats count AS attempt_count, dc(user) AS distinct_accounts, dc(src) AS distinct_sources, values(action) AS actions
    FROM datamodel=Authentication
    WHERE earliest=-7d
    BY _time span=1h, src, user, app
| eval credential_stuffing_flag=if(distinct_accounts >= 5 AND distinct_sources == 1, 1, 0)
| eval spray_flag=if(distinct_accounts >= 10, 1, 0)
| eval risk_score=credential_stuffing_flag + spray_flag
| where risk_score > 0
| eval detection_branch="credential_stuffing_or_spray"
| table _time, src, user, app, attempt_count, distinct_accounts, distinct_sources, actions, risk_score, detection_branch
| append
    [ search index=* (sourcetype="okta:im:log" OR sourcetype="azure:aad:signin" OR sourcetype=WinEventLog:Security)
      (EventCode=4625 OR result="FAILURE" OR outcome.result="FAILURE")
      earliest=-7d
    | eval src=coalesce(src_ip, client.ipAddress, IpAddress)
    | eval user=coalesce(actor.alternateId, TargetUserName, userPrincipalName)
    | eval country=coalesce(client.geographicalContext.country, location.countryOrRegion)
    | stats count AS fail_count, dc(user) AS distinct_users, values(country) AS countries, latest(_time) AS last_seen
        BY src
    | where distinct_users >= 5
    | eval detection_branch="multi_account_brute_force"
    | table last_seen, src, distinct_users, fail_count, countries, detection_branch ]
| append
    [ search index=* (sourcetype="okta:im:log" OR sourcetype="azure:aad:signin")
      (riskLevel="HIGH" OR riskLevel="MEDIUM" OR riskReasons="*leaked*" OR riskReasons="*anonymized*" OR risk_reasons="*leaked*")
      earliest=-7d
    | eval src=coalesce(src_ip, client.ipAddress, ipAddress)
    | eval user=coalesce(actor.alternateId, userPrincipalName)
    | eval risk=coalesce(riskLevel, risk_level)
    | eval detection_branch="identity_protection_risk_signal"
    | table _time, user, src, risk, riskReasons, detection_branch ]
| sort - _time

high severity low confidence

Data Sources

Authentication: Authentication Logs User Account: User Account Authentication Okta Identity Engine Azure AD Sign-in Logs Windows Security Event Log

Required Sourcetypes

okta:im:log azure:aad:signin WinEventLog:Security

False Positives

Corporate VPN or proxy concentrating legitimate user logins through a small pool of IP addresses will frequently trigger the credential stuffing threshold
Helpdesk password reset campaigns or IT provisioning workflows that authenticate against many accounts in sequence from admin workstations
Security tooling such as vulnerability scanners, SIEM health checks, or authentication testing scripts that probe authentication endpoints
Okta ThreatInsight or Azure Identity Protection false positives for users on shared hosting, cloud IDEs, or university networks sharing IP ranges with threat actors
Legitimate users traveling internationally or using commercial VPN services for privacy will trigger new-location and anonymized-IP signals

Elastic Security (EQL)

eql

// T1597.002 — Purchase Technical Data
any where event.dataset : "azure.signinlogs"
  and (azure.signinlogs.properties.risk_level_during_sign_in in ("high", "medium")
  or azure.signinlogs.properties.risk_state == "atRisk"
  or azure.signinlogs.properties.is_interactive == true)

high severity low confidence

Data Sources

Azure Active Directory Microsoft 365

Required Tables

logs-azure.* logs-azure.signinlogs-*

False Positives

Legitimate user travel to a new country or use of a corporate VPN exit node in an unfamiliar region will trigger the impossible travel and new-country branches
Users sharing a corporate NAT or proxy will cause multiple accounts to appear from the same IP, triggering the credential stuffing threshold even for legitimate logins
Entra ID Protection risk events may fire for legitimate users connecting from cloud provider IP ranges (AWS, Azure, GCP) that are also abused by attackers
Red team or penetration testing exercises using purchased breach data to validate detection coverage will produce high-confidence true positives that are authorized

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN "eventid" IN (4624, 4625) AND (LOWER("authenticationmethod") ILIKE '%impossible travel%' OR "riskstate" ILIKE '%atRisk%') THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE ("eventid" IN (4624, 4625) AND (LOWER("authenticationmethod") ILIKE '%impossible travel%' OR "riskstate" ILIKE '%atRisk%'))
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

high severity low confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Legitimate user travel to a new country or use of a corporate VPN exit node in an unfamiliar region will trigger the impossible travel and new-country branches
Users sharing a corporate NAT or proxy will cause multiple accounts to appear from the same IP, triggering the credential stuffing threshold even for legitimate logins
Entra ID Protection risk events may fire for legitimate users connecting from cloud provider IP ranges (AWS, Azure, GCP) that are also abused by attackers
Red team or penetration testing exercises using purchased breach data to validate detection coverage will produce high-confidence true positives that are authorized

Sumo Logic CSE

sql

_sourceCategory=*azure* OR _sourceCategory=*aad*
| json auto
| where isNotNull(userPrincipalName)
| count by userPrincipalName, ipAddress, appDisplayName
| sort by _count desc

high severity low confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

azure/activedirectory azure/signinlogs

False Positives

Legitimate user travel to a new country or use of a corporate VPN exit node in an unfamiliar region will trigger the impossible travel and new-country branches
Users sharing a corporate NAT or proxy will cause multiple accounts to appear from the same IP, triggering the credential stuffing threshold even for legitimate logins
Entra ID Protection risk events may fire for legitimate users connecting from cloud provider IP ranges (AWS, Azure, GCP) that are also abused by attackers
Red team or penetration testing exercises using purchased breach data to validate detection coverage will produce high-confidence true positives that are authorized

Google Chronicle / SecOps

yaral

rule t1597_002_purchase_technical_data {
  meta:
    author = "df00tech"
    description = "Detects Purchase Technical Data (T1597.002)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1597.002"
    confidence = "low"
    severity = "high"
  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.principal.user.userid != ""
  condition:
    $e
}

high severity low confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

USER_LOGIN USER_RESOURCE_ACCESS

False Positives

Legitimate user travel to a new country or use of a corporate VPN exit node in an unfamiliar region will trigger the impossible travel and new-country branches
Users sharing a corporate NAT or proxy will cause multiple accounts to appear from the same IP, triggering the credential stuffing threshold even for legitimate logins
Entra ID Protection risk events may fire for legitimate users connecting from cloud provider IP ranges (AWS, Azure, GCP) that are also abused by attackers
Red team or penetration testing exercises using purchased breach data to validate detection coverage will produce high-confidence true positives that are authorized

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /python|curl|wget|nmap|masscan/i
| TechniqueLabel := "T1597.002 - Reconnaissance"
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])

high severity low confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

UserLogon ProcessRollup2

False Positives

Legitimate user travel to a new country or use of a corporate VPN exit node in an unfamiliar region will trigger the impossible travel and new-country branches
Users sharing a corporate NAT or proxy will cause multiple accounts to appear from the same IP, triggering the credential stuffing threshold even for legitimate logins
Entra ID Protection risk events may fire for legitimate users connecting from cloud provider IP ranges (AWS, Azure, GCP) that are also abused by attackers
Red team or penetration testing exercises using purchased breach data to validate detection coverage will produce high-confidence true positives that are authorized

Purchase Technical Data

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections