Cyber security

MEID-SignIns-TorExitNodes : Leveraging Microsoft Sentinel To Monitor And Manage Tor Network Access

This KQL query retrieves all Tor exit nodes from the official tor project website.

Tor exit nodes are the gateways of the communication flow between the Tor client and the destination server (after leaving the Tor network).

Any request coming from one of these IP addresses indicates that the request came from the Tor network.

This query can be used to check how many login attempts are coming from Tor exit nodes to the Entra ID tenant and whether further login attempts from Tor exit nodes should be blocked (e.g. conditional access) or not.

Microsoft Sentinel

let TorExitNodes = externaldata (IPAddress: string) ['https://check.torproject.org/torbulkexitlist'] with (format=txt);
union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(90d)
//| where ResultType == 0 //See all successfull Logons
| lookup kind = inner TorExitNodes on $left.IPAddress == $right.IPAddress
| project
    TimeGenerated,
    Category,
    ResultType,
    ResultDescription,
    Identity,
    AppDisplayName,
    IPAddress,
    AuthenticationRequirement,
    RiskDetail,
    RiskState,
    RiskLevelAggregated,
    RiskLevelDuringSignIn, 
    RiskEventTypes_V2
Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Cybersecurity – Tools And Their Function

Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…

9 hours ago

MODeflattener – Miasm’s OLLVM Deflattener

MODeflattener is a specialized tool designed to reverse OLLVM's control flow flattening obfuscation through static…

9 hours ago

My Awesome List : Tools And Their Functions

"My Awesome List" is a curated collection of tools, libraries, and resources spanning various domains…

9 hours ago

Chrome Browser Exploitation, Part 3 : Analyzing And Exploiting CVE-2018-17463

CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, allowed attackers to execute arbitrary…

9 hours ago

Chrome Browser Exploitation, Part 1 : Introduction To V8 And JavaScript Internals

The blog post "Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals" provides…

10 hours ago

Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463

The exploitation of CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, relies on…

12 hours ago