top of page
Search
Writer's pictureKeshav Jain

Identifying the TorNodes IP address using the Azure Sentinel.

Updated: Nov 22, 2021

Tor IP addresses are tunneled through other devices on the Tor network with "Onion Routing". This prevents a user's real IP address from being exposed and instead proxies a request through other Tor devices.

If any of these IP addresses match a TOR node. Checking if an IP address appears in a list of known ToR exit nodes


- Create a watchlist ‘TorNodes’.

- Column name should be ‘ipaddress’



Once the watch list is configured below listed KQL query can be used: -

​let TorIPAddress = _GetWatchlist('TorNodes') | extend SourceIPAddress = ipaddress; BehaviorAnalytics

| join TorIPAddress on SourceIPAddress

let TorIPAddress = _GetWatchlist('TorNodes') | extend DestinationIPAddress = ipaddress;

BehaviorAnalytics

| join TorIPAddress on DestinationIPAddress

​let TorIPAddress = _GetWatchlist('TorNodes') | extend CallerIpAddress = ipaddress; AzureActivity | where CallerIpAddress != '' | extend Impacted_User = Caller, ResourceName = tostring(parse_json(Properties).resource) | join TorIPAddress on CallerIpAddress

| project TimeGenerated, SearchKey, OperationNameValue, Type, SubscriptionId, Impacted_User, ResourceName, ResourceGroup








1,477 views4 comments

4 Comments


rah muhammad
rah muhammad
Jan 09, 2022

Thanks but you have not allowed the query to be copied.

Like
Keshav Jain
Keshav Jain
Jan 10, 2022
Replying to

let me check.

Like
bottom of page