Gyp the Cat dot Com

Monitoring Tor Usage in Azure Sentinel, ASC, MDATP and ALA
Computers, internet

Very quick and easy post today. Sometimes you want to see any Tor users coming into your environment. This post shows how to look for Tor exit-node traffic in Azure Sentinel, Azure Security Center (ASC), Microsoft Defender Advanced Threat Protection (MDATP) and Azure Log Analytics (ALA) with a quick and easy Kusto query.

The built-in intelligence in all these tools should normally spot this, but it is nice to be able to see explicitly what is happening. Both queries pull the current exit-node list at run time with externaldata and join it against the RemoteIP column of a network table. To change the time frame, adjust the Timestamp filter (MDATP) or the TimeGenerated filter (Sentinel, ASC and ALA). There are similar queries to this out there, but I've found that the sources of the Tor lists are sometimes rate limited or otherwise blocked. I shall try and keep the mirror used below up and running forever 🙂

One caveat worth knowing before you rely on the results: the list is of Tor exit nodes, which is the right thing to match when you are looking for Tor users connecting in to you. A machine inside your network running a Tor client talks to guard and middle relays, most of which are not exit nodes, so a match (or lack of one) against this list is not a complete answer to "is anything here using Tor outbound".

Microsoft Defender ATP

Go to Advanced Hunting and paste the following. Note that DeviceAlertEvents only holds connections that already raised an alert; if you want to check every recorded network connection, join DeviceNetworkEvents (which also carries a RemoteIP column) in its place:

// Pull the current exit-node list (CSV with a header row) at query time.
let TorNodes = (
externaldata (TorIP:string, Source:string, Description:string)
[@'https://firewalliplists.gypthecat.com/lists/kusto/kusto-tor-exit.csv.zip']
with (ignoreFirstRecord=true));
// Keep only alert events from the last 7 days whose remote address is a Tor exit.
TorNodes
| join ( DeviceAlertEvents | where Timestamp > ago(7d) ) on $left.TorIP == $right.RemoteIP

Azure Sentinel, ASC and ALA

In the Logs view use the following query. WireData is populated by the Wire Data 2.0 solution through the Dependency agent, so if the table comes back empty check that the solution is enabled on the workspace and the agent is deployed:

// Same exit-node list as above, fetched at query time.
let TorNodes = (
externaldata (TorIP:string, Source:string, Description:string)
[@'https://firewalliplists.gypthecat.com/lists/kusto/kusto-tor-exit.csv.zip']
with (ignoreFirstRecord=true));
// Keep only wire-data records from the last 7 days whose remote address is a Tor exit.
TorNodes
| join ( WireData | where TimeGenerated > ago(7d) ) on $left.TorIP == $right.RemoteIP
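The two queries above only return raw matching rows. As an added example, not from the original post, here is the same join built on inline datatable() rows so it runs in any Kusto environment without fetching the list, and then summarised so you get one line per device and exit node with hit counts, first/last seen and the ports involved. The IPs, hostnames and timestamps are constructed sample data (TEST-NET ranges, not real Tor exits); in production replace the two datatables with the externaldata list and DeviceNetworkEvents or WireData, and the fixed date range with ago(7d).

```kusto
// Constructed stand-in for the externaldata exit-node list (not real exit nodes).
let TorNodes = datatable (TorIP:string, Source:string, Description:string) [
    "198.51.100.10", "torproject", "exit",
    "198.51.100.11", "torproject", "exit",
    "203.0.113.5",   "torproject", "exit"
];
// Constructed stand-in for DeviceNetworkEvents (MDATP) or WireData (ALA).
// The last row (192.0.2.44) is not on the list and should drop out of the join.
let NetEvents = datatable (Timestamp:datetime, DeviceName:string, RemoteIP:string, RemotePort:int) [
    datetime(2020-08-01 09:00:00), "web01", "198.51.100.10", 443,
    datetime(2020-08-01 09:05:00), "web01", "198.51.100.10", 443,
    datetime(2020-08-01 10:00:00), "web02", "203.0.113.5",   22,
    datetime(2020-08-01 10:30:00), "web02", "192.0.2.44",    443
];
NetEvents
// Fixed window so the sample rows match; use ago(7d) against a live table.
| where Timestamp between (datetime(2020-08-01) .. datetime(2020-08-08))
// With the event table on the left, kind=inner matters: the default
// innerunique keeps only one left-side row per key and would hide repeat hits.
| join kind=inner (TorNodes) on $left.RemoteIP == $right.TorIP
| summarize Hits = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Ports = make_set(RemotePort)
        by DeviceName, RemoteIP, Source
| order by Hits desc
```

On the sample data this returns two rows: web01 with two hits against 198.51.100.10 and web02 with one hit against 203.0.113.5; the connection to 192.0.2.44 is discarded by the inner join. The original queries put TorNodes on the left of the join, where the default innerunique is harmless because each TorIP is already unique; once you flip the sides to summarise per event, the explicit kind=inner is what stops the repeat connections from being collapsed.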

Written by gyp - August 7, 2020 - 3755 Views
Tags | azure, azure log analytics, internet, microsoft