top of page

Identifying the TorNodes IP address using the Azure Sentinel.

Updated: Nov 22, 2021

Tor IP addresses are tunneled through other devices on the Tor network with "Onion Routing". This prevents a user's real IP address from being exposed and instead proxies a request through other Tor devices.

If any of these IP addresses match a TOR node. Checking if an IP address appears in a list of known ToR exit nodes

- Create a watchlist ‘TorNodes’.

- Column name should be ‘ipaddress’

- Download the list of IP address from here:

Once the watch list is configured below listed KQL query can be used: -

​let TorIPAddress = _GetWatchlist('TorNodes') | extend SourceIPAddress = ipaddress; BehaviorAnalytics

| join TorIPAddress on SourceIPAddress

let TorIPAddress = _GetWatchlist('TorNodes') | extend DestinationIPAddress = ipaddress;


| join TorIPAddress on DestinationIPAddress

​let TorIPAddress = _GetWatchlist('TorNodes') | extend CallerIpAddress = ipaddress; AzureActivity | where CallerIpAddress != '' | extend Impacted_User = Caller, ResourceName = tostring(parse_json(Properties).resource) | join TorIPAddress on CallerIpAddress

| project TimeGenerated, SearchKey, OperationNameValue, Type, SubscriptionId, Impacted_User, ResourceName, ResourceGroup

1,153 views4 comments

Recent Posts

See All

As a member of a Security Operations Center (SOC), one of the key responsibilities is to generate regular reports on incidents. These reports provide valuable insights into the security landscape and

bottom of page