Keshav Jain

Nov 10, 2021, 1 min read

Identifying Tor node IP addresses using Azure Sentinel

Updated: Nov 22, 2021

Traffic from Tor users is tunneled through other devices on the Tor network using "Onion Routing". This prevents a user's real IP address from being exposed: the request is proxied through other Tor relays, so the address that reaches your logs is that of a Tor exit node rather than the user's own.
The goal is to check whether any IP address seen in your logs appears in a list of known Tor exit nodes. In Azure Sentinel this can be done with a watchlist:

- Create a watchlist named ‘TorNodes’.

- The column name should be ‘ipaddress’.

- Download the list of IP addresses from here: https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst


Once the watchlist is configured, the following KQL query can be used:
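The query below is an added example and not the one from the original post. It assumes the watchlist created above (named ‘TorNodes’, with a column ‘ipaddress’) and that the workspace ingests Azure AD sign-in logs into the standard SigninLogs table; swap in another table and IP column (for example CommonSecurityLog and SourceIP) to check a different log source.

```kql
// Added example, not the post's original query. Assumes a watchlist named
// 'TorNodes' with a column 'ipaddress' (as created above) and that the
// workspace ingests Azure AD SigninLogs.
let TorExitNodes = _GetWatchlist('TorNodes')
    | project ipaddress;
SigninLogs
| where TimeGenerated > ago(7d)
// Keep only sign-ins whose source IP is a known Tor exit node
| where IPAddress in (TorExitNodes)
| summarize
    SigninCount = count(),
    Successes = countif(ResultType == "0"),   // "0" = successful sign-in
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Users = make_set(UserPrincipalName, 50)
    by IPAddress
| order by SigninCount desc
```

Successful sign-ins (Successes > 0) from a Tor exit node are the rows worth triaging first; failed attempts from the same addresses are still useful as evidence of password spraying. The same query body, wrapped in a Sentinel analytics rule with an hourly schedule and a shorter lookback, turns this hunt into a recurring alert.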
