Very quick and easy post today. Sometimes you want to monitor any Tor users coming into your environment. This post will show you how to look for Tor usage in Azure Sentinel, Azure Security Center (ASC), Microsoft Defender Advanced Threat Protection (MDATP) and Azure Log Analytics (ALA) by using a quick and easy Kusto query!
The built-in intelligence in all these tools should normally spot this, but it is nice to be able to see explicitly what is happening. To change the time frame, adjust the ago(7d) filter on Timestamp (Defender ATP) or TimeGenerated (Sentinel, ASC and ALA). There are similar queries to this out there, but I've found that the sources of the Tor lists are sometimes rate limited or otherwise blocked. I shall try to keep the mirror referenced below up and running forever 🙂
Microsoft Defender ATP
Go to Advanced Hunting and paste the following:
let TorNodes = (
externaldata (TorIP:string, Source:string, Description:string)
[h@'https://firewalliplists.gypthecat.com/lists/kusto/kusto-tor-exit.csv.zip']
with (ignoreFirstRecord=true));
TorNodes
| join ( DeviceAlertEvents | where Timestamp > ago(7d) ) on $left.TorIP == $right.RemoteIP
Azure Sentinel, ASC and ALA
In the logs view use the following query:
let TorNodes = (
externaldata (TorIP:string, Source:string, Description:string)
[h@'https://firewalliplists.gypthecat.com/lists/kusto/kusto-tor-exit.csv.zip']
with (ignoreFirstRecord=true));
TorNodes
| join ( WireData | where TimeGenerated > ago(7d) ) on $left.TorIP == $right.RemoteIP
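As an added example that is not part of the original post, the same exit list can be joined against connection telemetry instead of alerts, which shows which hosts and processes actually talked to a Tor exit and how often. It assumes the Microsoft Defender ATP DeviceNetworkEvents table with its RemoteIP, DeviceName and InitiatingProcessFileName columns, and uses the same list mirror as the queries above:

```kusto
// Tor exit list, loaded exactly as in the queries above (header row skipped)
let TorNodes = (
    externaldata (TorIP:string, Source:string, Description:string)
    [h@'https://firewalliplists.gypthecat.com/lists/kusto/kusto-tor-exit.csv.zip']
    with (ignoreFirstRecord=true));
// Assumed table: DeviceNetworkEvents (Defender ATP raw connection events)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where isnotempty(RemoteIP)
// Keep only connections whose remote side is a listed Tor exit
| join kind=inner TorNodes on $left.RemoteIP == $right.TorIP
// One row per host and process, with a sample of the exits contacted
| summarize Connections = count(),
            FirstSeen   = min(Timestamp),
            LastSeen    = max(Timestamp),
            TorExits    = make_set(RemoteIP, 20)
          by DeviceName, InitiatingProcessFileName, ActionType
| order by Connections desc
```

For Sentinel, ASC and ALA the same shape works against WireData: swap DeviceNetworkEvents for WireData, Timestamp for TimeGenerated, DeviceName for Computer, InitiatingProcessFileName for ProcessName and ActionType for Direction. Note that this list contains exit nodes, so it matches traffic arriving from Tor or a host talking to an exit directly; a Tor client on one of your own machines connects to guard relays, which an exit-only list will not flag.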