Search

Identifying the TorNodes IP address using the Azure Sentinel.

Updated: Nov 22

Tor IP addresses are tunneled through other devices on the Tor network with "Onion Routing". This prevents a user's real IP address from being exposed and instead proxies a request through other Tor devices.

If any of these IP addresses match a TOR node. Checking if an IP address appears in a list of known ToR exit nodes


- Create a watchlist ‘TorNodes’.

- Column name should be ‘ipaddress’

- Download the list of IP address from here: https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst


Once the watch list is configured below listed KQL query can be used: -

​let TorIPAddress = _GetWatchlist('TorNodes') | extend SourceIPAddress = ipaddress; BehaviorAnalytics

| join TorIPAddress on SourceIPAddress

let TorIPAddress = _GetWatchlist('TorNodes') | extend DestinationIPAddress = ipaddress;

BehaviorAnalytics

| join TorIPAddress on DestinationIPAddress

​let TorIPAddress = _GetWatchlist('TorNodes') | extend CallerIpAddress = ipaddress; AzureActivity | where CallerIpAddress != '' | extend Impacted_User = Caller, ResourceName = tostring(parse_json(Properties).resource) | join TorIPAddress on CallerIpAddress

| project TimeGenerated, SearchKey, OperationNameValue, Type, SubscriptionId, Impacted_User, ResourceName, ResourceGroup







26 views0 comments

Recent Posts

See All

Azure Sentinel -- Security Incident Closure Reports

Here are few sample queries having logic to count the incident which are closed on same day , same week and same month. Incident Closed on Same Day ______________________________________ SecurityInc