This KQL query retrieves all Tor exit nodes from the official tor project website.
Tor exit nodes are the gateways of the communication flow between the Tor client and the destination server (after leaving the Tor network).
Any request coming from one of these IP addresses indicates that the request came from the Tor network.
This query can be used to check how many login attempts are coming from Tor exit nodes to the Entra ID tenant and whether further login attempts from Tor exit nodes should be blocked (e.g. conditional access) or not.
let TorExitNodes = externaldata (IPAddress: string) ['https://check.torproject.org/torbulkexitlist'] with (format=txt);
union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(90d)
//| where ResultType == 0 //See all successfull Logons
| lookup kind = inner TorExitNodes on $left.IPAddress == $right.IPAddress
| project
TimeGenerated,
Category,
ResultType,
ResultDescription,
Identity,
AppDisplayName,
IPAddress,
AuthenticationRequirement,
RiskDetail,
RiskState,
RiskLevelAggregated,
RiskLevelDuringSignIn,
RiskEventTypes_V2Introduction Google Dorking is a technique where advanced search operators are used to uncover information…
Linux is renowned for its versatility, open-source nature, and security. Whether you're a beginner, developer,…
Cyber insurance helps businesses and individuals mitigate financial losses from data breaches, ransomware, extortion, legal…
Ransomware is one of the most dangerous and destructive forms of cybercrime today. With cybercriminals…
Social media is a key part of our daily lives, with millions of users sharing…
What Are Data Brokers? Data brokers are companies that collect, aggregate, and sell personal information,…