This KQL query retrieves all Tor exit nodes from the official tor project website.
Tor exit nodes are the gateways of the communication flow between the Tor client and the destination server (after leaving the Tor network).
Any request coming from one of these IP addresses indicates that the request came from the Tor network.
This query can be used to check how many login attempts are coming from Tor exit nodes to the Entra ID tenant and whether further login attempts from Tor exit nodes should be blocked (e.g. conditional access) or not.
let TorExitNodes = externaldata (IPAddress: string) ['https://check.torproject.org/torbulkexitlist'] with (format=txt);
union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(90d)
//| where ResultType == 0 //See all successfull Logons
| lookup kind = inner TorExitNodes on $left.IPAddress == $right.IPAddress
| project
TimeGenerated,
Category,
ResultType,
ResultDescription,
Identity,
AppDisplayName,
IPAddress,
AuthenticationRequirement,
RiskDetail,
RiskState,
RiskLevelAggregated,
RiskLevelDuringSignIn,
RiskEventTypes_V2
Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…
MODeflattener is a specialized tool designed to reverse OLLVM's control flow flattening obfuscation through static…
"My Awesome List" is a curated collection of tools, libraries, and resources spanning various domains…
CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, allowed attackers to execute arbitrary…
The blog post "Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals" provides…
The exploitation of CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, relies on…