https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/toutrial-detecting-tor-traffic-in-xsiam/m-p/1232764#M8492 <P>Thank you&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190764">@eluis</a>&nbsp;!</P> Fri, 27 Jun 2025 10:33:38 GMT A.Elzedy 2025-06-27T10:33:38Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/toutrial-detecting-tor-traffic-in-xsiam/m-p/1232598#M8488 <P><SPAN>Hi Everyone,&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Some members in the community have recently been exploring ways to detect Tor traffic within their environments. I’ve spent some time working on a solution to this challenge, and I wanted to turn that work into a dedicated post so more people can benefit from it.</SPAN></P> <P>&nbsp;</P> <H3>Why This Matters ?</H3> <P>Detecting communication with Tor exit nodes gives your team visibility into potentially suspicious behavior, regardless of the application or protocol used.<BR /><BR /></P> <H3>Step 1: Use a Reliable Exit Node Source</H3> <P>Instead of relying on rate-limited or unstable feeds, I recommend using this curated and regularly updated list:</P> <P><STRONG><A href="https://firewalliplists.gypthecat.com/lists/kusto/kusto-tor-exit.csv.zip" target="_blank">https://firewalliplists.gypthecat.com/lists/kusto/kusto-tor-exit.csv.zip</A>&nbsp;</STRONG></P> <UL> <LI>Download and extract the ZIP file.</LI> </UL> <P>The CSV file already includes a header named<SPAN>&nbsp;</SPAN><CODE>IPAddress</CODE>, which is required for XSIAM ingestion.<BR /><BR /></P> <H3>Step 2: Upload the Dataset to Cortex XSIAM</H3> <OL> <LI>Go to<BR /><CODE>Settings &gt; Configurations &gt; Data Management &gt; Dataset Management</CODE></LI> <LI>Click<SPAN>&nbsp;</SPAN><STRONG>+ Lookup</STRONG></LI> <LI>Upload the CSV file</LI> <LI>Name the dataset something clear, like<SPAN>&nbsp;</SPAN><CODE>tor_nodes</CODE></LI> </OL> <P>This creates a reusable dataset that can be referenced in your detection logic.<BR /><BR /></P> <H3>Step 3: Run the Detection Query</H3> <P>Use the following XQL query to identify any network events involving known Tor exit nodes:</P> <P>&nbsp;</P> <LI-CODE lang="markup">dataset = xdr_data | filter event_type = ENUM.NETWORK | join type = inner ( dataset = tor_nodes | fields IPAddress ) as tor_list action_remote_ip = tor_list.IPAddress | fields agent_hostname, action_remote_ip, event_timestamp, IPAddress </LI-CODE> <P><BR /><BR /><BR /><SPAN>This method has already helped a few teams gain better visibility into anonymized traffic, and I hope it proves just as useful for others here. If you have feedback, enhancements, or alternative approaches, I’d genuinely appreciate hearing them.<BR /><BR />The strength of this community lies in our willingness to share, challenge, and refine ideas together.</SPAN><BR /><BR /><BR /></P> Wed, 25 Jun 2025 19:20:07 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/toutrial-detecting-tor-traffic-in-xsiam/m-p/1232598#M8488 A.Elzedy 2025-06-25T19:20:07Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/toutrial-detecting-tor-traffic-in-xsiam/m-p/1232691#M8491 <P>Hi A.Elzedy,&nbsp;</P> <P>Very good tutorial and topic</P> <P>&nbsp;</P> <P>KR,&nbsp;</P> <P>Luis&nbsp;</P> Thu, 26 Jun 2025 16:56:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/toutrial-detecting-tor-traffic-in-xsiam/m-p/1232691#M8491 eluis 2025-06-26T16:56:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/toutrial-detecting-tor-traffic-in-xsiam/m-p/1232764#M8492 <P>Thank you&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190764">@eluis</a>&nbsp;!</P> Fri, 27 Jun 2025 10:33:38 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/toutrial-detecting-tor-traffic-in-xsiam/m-p/1232764#M8492 A.Elzedy 2025-06-27T10:33:38Z