T1681

Search Threat Vendor Data

Detects adversary reconnaissance activity where threat actors query threat intelligence vendor services — such as VirusTotal, Shodan, Recorded Future, AlienVault OTX, or GreyNoise — to monitor whether their own infrastructure, malware samples, or campaign indicators have been detected and published. Since this technique primarily occurs outside the victim network, detections are indirect and focus on observable side effects: suspicious outbound connections to threat intel APIs from hosts with no legitimate business reason, egress proxy logs showing threat intel queries that originate from source IPs already present in known-malicious indicator feeds, and rapid indicator rotation following public threat intel disclosures. Adversaries have been documented replacing flagged indicators within days of publication, making behavioral correlation between threat intel release timestamps and infrastructure changes a secondary hunting signal.

Microsoft Sentinel / Defender

```kusto
// Threat intel vendor hostnames whose appearance in proxy/firewall RequestURL
// fields is worth reviewing when the requester is not a known SOC identity.
let ThreatIntelAPIs = dynamic([
    "virustotal.com", "api.virustotal.com",
    "api.shodan.io", "shodan.io",
    "api.recordedfuture.com", "app.recordedfuture.com",
    "api.greynoise.io", "viz.greynoise.io",
    "otx.alienvault.com",
    "urlscan.io",
    "malwarebazaar.abuse.ch", "bazaar.abuse.ch",
    "threatfox.abuse.ch",
    "mb-api.abuse.ch",
    "pulsedive.com",
    "api.threatminer.org",
    "www.hybrid-analysis.com", "api.hybrid-analysis.com",
    "tria.ge", "api.tria.ge",
    "any.run"
]);
// Service and analyst accounts expected to query these platforms; extend per environment.
let KnownSOCAccounts = dynamic(["svc-threathunting", "svc-siem", "soc-analyst", "siem-collector"]);
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where isnotempty(RequestURL)
// Host portion of the URL: optional scheme, then everything up to the first
// path, port, query, fragment or whitespace character. In a verbatim @"" string
// the backslash is literal, so \s (not \\s) is what the regex engine must see.
| extend AccessedDomain = tolower(extract(@"(?:https?://)?([^/:?#\s]+)", 1, RequestURL))
| where AccessedDomain has_any (ThreatIntelAPIs)
| where SourceUserName !in~ (KnownSOCAccounts)
// Only successful (allowed) requests are interesting; case-insensitive match on the action.
| where DeviceAction !in~ ("block", "deny", "drop")
| summarize
    QueryCount = count(),
    UniqueURLs = dcount(RequestURL),
    SampledURLs = make_set(RequestURL, 10),
    UserAccounts = make_set(SourceUserName, 10),
    BytesOut = sum(SentBytes),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIP, AccessedDomain
// Enrich the requesting IP against active network-IP indicators from the TI feed.
| join kind=leftouter (
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(30d)
    | where Active == true
    | where isnotempty(NetworkIP)
    | summarize ThreatScore = max(ConfidenceScore), ThreatTypes = make_set(ThreatType, 5) by NetworkIP
) on $left.SourceIP == $right.NetworkIP
| extend RiskFlag = case(
    isnotempty(ThreatScore) and ThreatScore > 70, "KnownMaliciousSource",
    QueryCount > 100 and array_length(UserAccounts) == 1, "HighVolumeNonSOC",
    UniqueURLs > 20, "BroadRecon",
    "Low"
)
| where RiskFlag != "Low"
| project FirstSeen, LastSeen, SourceIP, AccessedDomain, QueryCount, UniqueURLs, SampledURLs, UserAccounts, ThreatScore, ThreatTypes, RiskFlag
| sort by ThreatScore desc, QueryCount desc
```

Severity: medium / Confidence: low
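The following Python script is an added example, not part of this detection package, that re-implements the query's steps (host extraction, SOC-account and blocked-request exclusion, per-source aggregation, threat-feed join and the three RiskFlag rules) so the scoring logic can be checked offline against a handful of constructed proxy records before the KQL is deployed. Every record, IP address, user name and the stand-in threat feed below is constructed for the example; the vendor domain and SOC account lists are copied from the query.

```python
"""Offline reproduction of the T1681 proxy-log scoring logic (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

THREAT_INTEL_DOMAINS = {
    "virustotal.com", "api.virustotal.com", "api.shodan.io", "shodan.io",
    "api.recordedfuture.com", "app.recordedfuture.com", "api.greynoise.io",
    "viz.greynoise.io", "otx.alienvault.com", "urlscan.io", "malwarebazaar.abuse.ch",
    "bazaar.abuse.ch", "threatfox.abuse.ch", "mb-api.abuse.ch", "pulsedive.com",
    "api.threatminer.org", "www.hybrid-analysis.com", "api.hybrid-analysis.com",
    "tria.ge", "api.tria.ge", "any.run",
}
KNOWN_SOC_ACCOUNTS = {"svc-threathunting", "svc-siem", "soc-analyst", "siem-collector"}
BLOCKED_ACTIONS = {"block", "deny", "drop"}
# Same pattern as the KQL extract(): optional scheme, then host up to the first
# path / port / query / fragment / whitespace character.
HOST_RE = re.compile(r"(?:https?://)?([^/:?#\s]+)")
# Constructed stand-in for active ThreatIntelligenceIndicator network-IP rows:
# SourceIP -> (ConfidenceScore, ThreatType values).
SAMPLE_THREAT_FEED = {"198.51.100.23": (85, ["C2", "Botnet"])}


def accessed_domain(url):
    """Lower-cased host part of a RequestURL, or '' if nothing matches."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def is_threat_intel_domain(domain):
    """Whole-label suffix match, approximating has_any's term matching: a listed
    domain must appear as complete labels, so 'notvirustotal.com' is not a hit."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in THREAT_INTEL_DOMAINS for i in range(len(labels)))


def detect(records, threat_feed):
    """Aggregate allowed, non-SOC requests per (SourceIP, AccessedDomain), join the
    threat feed on SourceIP and apply the query's RiskFlag rules in the same order."""
    groups = defaultdict(lambda: {"QueryCount": 0, "URLs": set(), "Users": set(),
                                  "BytesOut": 0, "First": None, "Last": None})
    for rec in records:
        domain = accessed_domain(rec["RequestURL"])
        if not domain or not is_threat_intel_domain(domain):
            continue
        if rec["SourceUserName"].lower() in KNOWN_SOC_ACCOUNTS:
            continue
        if rec["DeviceAction"].lower() in BLOCKED_ACTIONS:
            continue
        g = groups[(rec["SourceIP"], domain)]
        g["QueryCount"] += 1
        g["URLs"].add(rec["RequestURL"])
        g["Users"].add(rec["SourceUserName"])
        g["BytesOut"] += rec["SentBytes"]
        ts = rec["TimeGenerated"]
        g["First"] = ts if g["First"] is None else min(g["First"], ts)
        g["Last"] = ts if g["Last"] is None else max(g["Last"], ts)

    results = []
    for (src_ip, domain), g in groups.items():
        score, types = threat_feed.get(src_ip, (None, []))  # leftouter join
        unique_urls = len(g["URLs"])
        if score is not None and score > 70:
            flag = "KnownMaliciousSource"
        elif g["QueryCount"] > 100 and len(g["Users"]) == 1:
            flag = "HighVolumeNonSOC"
        elif unique_urls > 20:
            flag = "BroadRecon"
        else:
            continue  # RiskFlag == "Low" is dropped, as in the query
        results.append({"FirstSeen": g["First"], "LastSeen": g["Last"], "SourceIP": src_ip,
                        "AccessedDomain": domain, "QueryCount": g["QueryCount"],
                        "UniqueURLs": unique_urls, "UserAccounts": sorted(g["Users"]),
                        "BytesOut": g["BytesOut"], "ThreatScore": score,
                        "ThreatTypes": types, "RiskFlag": flag})
    # sort by ThreatScore desc, QueryCount desc; rows without a feed hit sort last
    results.sort(key=lambda r: (-(r["ThreatScore"] if r["ThreatScore"] is not None else -1),
                                -r["QueryCount"]))
    return results


def build_sample_records():
    """Constructed CEF-style proxy records covering each scoring branch and each exclusion."""
    base, recs = datetime(2025, 1, 6, 9, 0), []

    def add(i, src_ip, user, url, action="allow", sent=512):
        recs.append({"TimeGenerated": base + timedelta(minutes=i), "SourceIP": src_ip,
                     "SourceUserName": user, "DeviceAction": action,
                     "RequestURL": url, "SentBytes": sent})

    for i in range(150):   # one non-SOC user, 150 distinct hash lookups -> HighVolumeNonSOC
        add(i, "10.0.0.5", "jdoe", f"https://api.virustotal.com/api/v3/files/hash{i:03d}")
    for i in range(3):     # few lookups, but the source IP is in the feed -> KnownMaliciousSource
        add(i, "198.51.100.23", "build-agent", f"https://api.shodan.io/shodan/host/203.0.113.{i}")
    for i in range(25):    # 25 distinct scan results from one host -> BroadRecon
        add(i, "10.0.0.30", "mallory", f"https://urlscan.io/result/scan-{i:02d}/")
    for i in range(500):   # SIEM enrichment account -> excluded by KnownSOCAccounts
        add(i, "10.0.0.9", "svc-siem", f"https://api.virustotal.com/api/v3/ip_addresses/10.1.1.{i % 250}")
    add(0, "10.0.0.31", "bob", "https://www.virustotal.com/gui/home", action="block")  # blocked
    add(0, "10.0.0.40", "carol", "https://notvirustotal.com/lookup")                    # lookalike
    add(0, "10.0.0.12", "analyst2", "https://www.example.com/")                          # unrelated
    return recs


if __name__ == "__main__":
    for row in detect(build_sample_records(), SAMPLE_THREAT_FEED):
        print(row["RiskFlag"], row["SourceIP"], row["AccessedDomain"], row["QueryCount"], row["UniqueURLs"])
```

Running it yields three rows in the same order the query's `sort by` would produce: the feed-flagged Shodan source first, then the high-volume VirusTotal user, then the urlscan.io BroadRecon host; the SOC service account, the blocked request and the lookalike domain never reach the scoring stage. The suffix match in `is_threat_intel_domain` is deliberately stricter than `has_any`, which also matches the vendor terms when they appear in the middle of a longer hostname.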

Data Sources

  • Microsoft Sentinel Network Proxy / Firewall (CEF format)
  • Microsoft Defender Threat Intelligence

Required Tables

  • CommonSecurityLog
  • ThreatIntelligenceIndicator

False Positives

  • Security Operations Center analysts performing daily threat hunting or indicator enrichment via threat intel APIs
  • Automated SOAR playbooks or SIEM enrichment workflows querying VirusTotal or similar platforms to enrich alerts
  • Vulnerability management or penetration testing tools performing infrastructure fingerprinting via Shodan
  • Security researchers and threat intelligence teams conducting legitimate campaign analysis
  • Endpoint protection platforms that perform cloud-based file reputation lookups through proxy-visible connections
