topic Re: Correlation Rules that detect tor browser in Cortex XDR Discussions

Correlation Rules that detect tor browser

mirtoghrulseyid — Mon, 23 Jun 2025 12:19:22 GMT

Hello,

We have decided to create a correlation rule in Cortex XDR to detect employees using the Tor Browser. However, based on our observations, it is possible to access the Tor Browser through a redirect from the Brave application, which is currently not being detected.

We kindly ask for your assistance in reviewing the correlation rule we’ve created and helping us modify it to include the redirect scenario as well.

dataset = xdr_data | filter lowercase(action_process_image_name) in ("tor.exe","brave.exe","pluggable-transports.exe","obfs4proxy.exe","tbb-firefox.exe","tor-launcher.exe" ) or lowercase(action_process_image_path) contains "tor browser" | fields agent_hostname,agent_ip_addresses,event_type,event_sub_type,event_id,action_process_image_name,action_process_image_path,agent_hostname, actor_process_image_name,actor_process_command_line,action_process_signature_status,action_process_signature_vendor,event_timestamp

Re: Correlation Rules that detect tor browser

jmazzeo — Mon, 23 Jun 2025 13:46:47 GMT

Hi @mirtoghrulseyid,

Have you considered to use the signer as another option using an "or"?

causality_actor_process_signature_vendor in ("""The Tor Project, Inc.""" ) or actor_process_signature_vendor in ("""The Tor Project, Inc.""" )

If this post answers your question, please mark it as the solution.

Re: Correlation Rules that detect tor browser

A.Elzedy — Mon, 23 Jun 2025 21:04:49 GMT

Hi @mirtoghrulseyid,

If you're just looking for some enhancements, here's a better query that improves detection of Tor usage, you may also integrate what what @jmazzeo has suggested

dataset = xdr_data | filter event_type in (ENUM.PROCESS, ENUM.STORY, ENUM.NETWORK) and agent_os_type = ENUM.AGENT_OS_WINDOWS and ( // Direct Tor process execution lowercase(action_process_image_name) in ("tor.exe", "tbb-firefox.exe", "pluggable-transports.exe", "obfs4proxy.exe", "tor-launcher.exe") or lowercase(action_process_image_path) contains "tor browser" or ( lowercase(actor_process_image_name) = "brave.exe" and ( lowercase(action_process_image_name) in ("tor.exe", "tor-launcher.exe", "obfs4proxy.exe") or lowercase(actor_process_command_line) contains "tor" ) ) or ( lowercase(actor_process_command_line) contains "tor" and ( lowercase(action_process_image_name) = "brave.exe" or lowercase(actor_process_image_name) = "brave.exe" ) ) or (dns_query_name contains ".onion") ) | fields agent_hostname, agent_ip_addresses, event_timestamp, actor_process_image_name, actor_process_command_line, action_process_image_name, action_process_image_path, action_process_signature_status, action_process_signature_vendor, dns_query_name, action_remote_ip | sort desc event_timestamp

Re: Correlation Rules that detect tor browser

A.Elzedy — Mon, 23 Jun 2025 21:14:48 GMT

But to detect if users in your environment are communicating with the Tor network, what you really need is a list of Tor exit node IP addresses. There are the IPs that Tor traffic uses to reach the public internet. you can compare your xdr network logs against this list, you’ll be able to spot potential Tor usage regardless of which application was used.

You can get an up-to-date list of Tor exit nodes from this link:

https://www.dan.me.uk/torlist/?exit

This page gives you a plain text list of IP addresses, one per line. and you may integrate that list as dataset in your XSIAM environment:

Open the link and download the list.
Save it as a .csv file
Open the file and add a header row at the top. Just type:
```
tor_ip
```
This is important because XDR needs a header to recognize the column.

A quick heads-up: don’t refresh or download from that link too often. The site has rate limits and may block you if you make too many requests in a short time.

Once your file is ready, go to your Cortex XSIAM console and upload it:

Navigate to Settings > Configurations > Data Management > Dataset Management
Click + Lookup
Upload your .csv file
Name the dataset something like tor_exit_nodes

Now you’ve got a reusable dataset that you can reference in your XQL queries to detect any communication with known Tor exit nodes
assuming that you've followed the steps for naming for header and dataset, you may execute this query for the results

dataset = xdr_data | filter event_type = ENUM.NETWORK | join type = inner ( dataset = tor_nodes | fields tor_ip ) as tor_list action_remote_ip = tor_list.tor_ip | fields agent_hostname, action_remote_ip, event_timestamp, tor_ip