Query Details

Tor Connections

TI Feed Tor Connections

Query

let TorNodes = externaldata(IP:string )[@"https://www.dan.me.uk/Torlist/?full"] with (format="txt", ignoreFirstRecord=False);
let IPs = TorNodes
 | distinct IP;
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemoteIP in (IPs)
| project-reorder Timestamp, DeviceName, RemoteIP, InitiatingProcessAccountName,InitiatingProcessCommandLine

About this query

Tor Connections

Query Information

Description

While Tor has legitimate uses for protecting personal privacy and circumventing censorship, it is often unwanted that connections are being made to Tor nodes. Detecting connections to Tor nodes can be done using the dynamic IP list of Tor nodes provided by dan.me.uk, this will allow you to query the most recent nodes each time the query is executed.

Risk

Explain what risk this detection tries to cover

References

Defender XDR

Sentinel

let TorNodes = externaldata(IP:string )[@"https://www.dan.me.uk/Torlist/?full"] with (format="txt", ignoreFirstRecord=False);
let IPs = TorNodes
 | distinct IP;
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemoteIP in (IPs)
| project-reorder TimeGenerated, DeviceName, RemoteIP, InitiatingProcessAccountName,InitiatingProcessCommandLine

Explanation

This query is designed to detect network connections to Tor nodes, which are part of the Tor network known for anonymizing internet traffic. While Tor can be used for legitimate purposes like protecting privacy and bypassing censorship, it can also be associated with risky or unwanted activities, such as hiding malicious actions or accessing restricted content.

Summary of the Query:

  1. Data Source: The query uses an external data source from dan.me.uk to obtain a list of current Tor node IP addresses.

  2. Data Processing:

    • It retrieves the list of Tor node IPs and ensures there are no duplicates by using the distinct function.
    • The query then filters network events to find successful connection attempts (ConnectionSuccess) where the remote IP matches one of the Tor node IPs.
  3. Output:

    • The query outputs relevant details about these connections, such as the timestamp, device name, remote IP, and information about the initiating process (account name and command line).

Risk Explanation:

The risk addressed by this detection is the potential for unauthorized or malicious activity being conducted through Tor connections. By identifying devices connecting to Tor nodes, organizations can investigate whether these connections are legitimate or if they pose a security threat.

Differences Between Defender XDR and Sentinel:

The queries for both Microsoft Defender XDR and Microsoft Sentinel are essentially the same, with a slight difference in the field used for the timestamp (Timestamp in Defender XDR and TimeGenerated in Sentinel). This reflects the different schema or field names used in these platforms.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 21, 2024

Tables

DeviceNetworkEvents

Keywords

TorNodesIPDeviceNetworkEventsActionTypeRemoteIPTimestampDeviceNameInitiatingProcessAccountNameInitiatingProcessCommandLineTimeGenerated

Operators

letexternaldatawithdistinctinproject-reorderwhere

Actions

GitHub