Detect Search Threat Vendor Data in Microsoft Sentinel
Detects adversary reconnaissance activity where threat actors query threat intelligence vendor services — such as VirusTotal, Shodan, Recorded Future, AlienVault OTX, or GreyNoise — to monitor whether their own infrastructure, malware samples, or campaign indicators have been detected and published. Since this technique primarily occurs outside the victim network, detections are indirect and focus on observable side effects: suspicious outbound connections to threat intel APIs from hosts with no legitimate business reason, correlation of known malicious IP indicators making threat intel queries visible through egress proxy logs, and rapid indicator rotation patterns following public threat intel disclosures. Adversaries have been documented replacing flagged indicators within days of publication, making behavioral correlation between threat intel release timestamps and infrastructure changes a secondary hunting signal.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1681 Search Threat Vendor Data
- Canonical reference
- https://attack.mitre.org/techniques/T1681/
KQL Detection Query
let ThreatIntelAPIs = dynamic([
"virustotal.com", "api.virustotal.com",
"api.shodan.io", "shodan.io",
"api.recordedfuture.com", "app.recordedfuture.com",
"api.greynoise.io", "viz.greynoise.io",
"otx.alienvault.com",
"urlscan.io", "urlscan.io",
"malwarebazaar.abuse.ch", "bazaar.abuse.ch",
"threatfox.abuse.ch",
"mb-api.abuse.ch",
"pulsedive.com",
"api.threatminer.org",
"www.hybrid-analysis.com", "api.hybrid-analysis.com",
"tria.ge", "api.tria.ge",
"any.run"
]);
let KnownSOCAccounts = dynamic(["svc-threathunting", "svc-siem", "soc-analyst", "siem-collector"]);
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where isnotempty(RequestURL)
| extend AccessedDomain = tolower(extract(@"(?:https?://)?([^/:?#\\s]+)", 1, RequestURL))
| where AccessedDomain has_any (ThreatIntelAPIs)
| where SourceUserName !in~ (KnownSOCAccounts)
| where DeviceAction !in ("block", "deny", "drop")
| summarize
QueryCount = count(),
UniqueURLs = dcount(RequestURL),
SampledURLs = make_set(RequestURL, 10),
UserAccounts = make_set(SourceUserName, 10),
BytesOut = sum(SentBytes),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SourceIP, AccessedDomain
| join kind=leftouter (
ThreatIntelligenceIndicator
| where TimeGenerated > ago(30d)
| where IsActive == true
| where IndicatorType == "networkip"
| summarize ThreatScore = max(ConfidenceScore), ThreatTypes = make_set(ThreatType, 5) by NetworkIP
) on $left.SourceIP == $right.NetworkIP
| extend RiskFlag = case(
isnotempty(ThreatScore) and ThreatScore > 70, "KnownMaliciousSource",
QueryCount > 100 and array_length(UserAccounts) == 1, "HighVolumeNonSOC",
UniqueURLs > 20, "BroadRecon",
"Low"
)
| where RiskFlag != "Low"
| project FirstSeen, LastSeen, SourceIP, AccessedDomain, QueryCount, UniqueURLs, SampledURLs, UserAccounts, ThreatScore, ThreatTypes, RiskFlag
| sort by ThreatScore desc, QueryCount descMonitors proxy and firewall logs (CommonSecurityLog) for outbound connections from internal hosts to known threat intelligence vendor APIs and platforms. Correlates source IPs against the ThreatIntelligenceIndicator table to flag when hosts with existing threat intelligence hits are querying these services — a pattern consistent with adversaries checking if their infrastructure has been detected and reported. Also flags high-volume, non-SOC queries suggesting automated reconnaissance.
Data Sources
Required Tables
False Positives & Tuning
- Security Operations Center analysts performing daily threat hunting or indicator enrichment via threat intel APIs
- Automated SOAR playbooks or SIEM enrichment workflows querying VirusTotal or similar platforms to enrich alerts
- Vulnerability management or penetration testing tools performing infrastructure fingerprinting via Shodan
- Security researchers and threat intelligence teams conducting legitimate campaign analysis
- Endpoint protection platforms that perform cloud-based file reputation lookups through proxy-visible connections
Other platforms for T1681
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1VirusTotal API Indicator Self-Lookup via PowerShell
Expected signal: Sysmon Event ID 3 (Network Connection) showing powershell.exe connecting to www.virustotal.com:443. Proxy logs (CommonSecurityLog / squid) showing HTTPS CONNECT to www.virustotal.com with User-Agent indicating PowerShell Invoke-RestMethod. DNS query (Sysmon Event ID 22) for www.virustotal.com.
- Test 2Shodan Infrastructure Reconnaissance via Python Script
Expected signal: Linux auditd SYSCALL records for execve of python3 with the Shodan API script content. Network connection logs (firewall/proxy) showing outbound HTTPS to api.shodan.io:443 from the test host. DNS query log entry for api.shodan.io.
- Test 3Automated Multi-Vendor Threat Intel Sweep Simulating Adversary Self-Monitoring
Expected signal: Network/proxy logs showing sequential outbound HTTPS connections to urlscan.io, threatfox-api.abuse.ch (abuse.ch), and api.greynoise.io within a 30-second window from the same source IP. Auditd SYSCALL records for execve of curl (or bash executing the script). DNS queries for all three domains in rapid succession.
Unlock Pro Content
Get the full detection package for T1681 including response playbook, investigation guide, and atomic red team tests.