Identifying the TorNodes IP address using the Azure Sentinel.
Updated: Nov 22, 2021
Tor IP addresses are tunneled through other devices on the Tor network with "Onion Routing". This prevents a user's real IP address from being exposed and instead proxies a request through other Tor devices.
If any of these IP addresses match a TOR node. Checking if an IP address appears in a list of known ToR exit nodes
- Create a watchlist ‘TorNodes’.
- Column name should be ‘ipaddress’
- Download the list of IP address from here: https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst
Once the watch list is configured below listed KQL query can be used: -
let TorIPAddress = _GetWatchlist('TorNodes') | extend SourceIPAddress = ipaddress; BehaviorAnalytics
| join TorIPAddress on SourceIPAddress
let TorIPAddress = _GetWatchlist('TorNodes') | extend DestinationIPAddress = ipaddress;
| join TorIPAddress on DestinationIPAddress
let TorIPAddress = _GetWatchlist('TorNodes') | extend CallerIpAddress = ipaddress; AzureActivity | where CallerIpAddress != '' | extend Impacted_User = Caller, ResourceName = tostring(parse_json(Properties).resource) | join TorIPAddress on CallerIpAddress
| project TimeGenerated, SearchKey, OperationNameValue, Type, SubscriptionId, Impacted_User, ResourceName, ResourceGroup