top of page

Identifying the TorNodes IP address using the Azure Sentinel.

Updated: Nov 22, 2021

Tor IP addresses are tunneled through other devices on the Tor network with "Onion Routing". This prevents a user's real IP address from being exposed and instead proxies a request through other Tor devices.

If any of these IP addresses match a TOR node. Checking if an IP address appears in a list of known ToR exit nodes

- Create a watchlist ‘TorNodes’.

- Column name should be ‘ipaddress’

Once the watch list is configured below listed KQL query can be used: -

​let TorIPAddress = _GetWatchlist('TorNodes') | extend SourceIPAddress = ipaddress; BehaviorAnalytics

| join TorIPAddress on SourceIPAddress

let TorIPAddress = _GetWatchlist('TorNodes') | extend DestinationIPAddress = ipaddress;


| join TorIPAddress on DestinationIPAddress

​let TorIPAddress = _GetWatchlist('TorNodes') | extend CallerIpAddress = ipaddress; AzureActivity | where CallerIpAddress != '' | extend Impacted_User = Caller, ResourceName = tostring(parse_json(Properties).resource) | join TorIPAddress on CallerIpAddress

| project TimeGenerated, SearchKey, OperationNameValue, Type, SubscriptionId, Impacted_User, ResourceName, ResourceGroup

1,406 views4 comments

Recent Posts

See All

Optimizing Microsoft Sentinel (SIEM) Environment

In the ever-evolving landscape of cybersecurity, the importance of a well-optimized Sentinel Environment cannot be overstated. As threats continue to morph and adapt, security teams must engage in a c


rah muhammad
rah muhammad
Jan 09, 2022

Thanks but you have not allowed the query to be copied.

Keshav Jain
Keshav Jain
Jan 10, 2022
Replying to

let me check.

bottom of page