This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Toutrial: Detecting Tor Traffic in XSIAM

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Toutrial: Detecting Tor Traffic in XSIAM

A.Elzedy
L2 Linker

‎06-25-2025 12:10 PM - edited ‎06-25-2025 12:20 PM

Hi Everyone, 

 

Some members in the community have recently been exploring ways to detect Tor traffic within their environments. I’ve spent some time working on a solution to this challenge, and I wanted to turn that work into a dedicated post so more people can benefit from it.

 

Why This Matters ?

Detecting communication with Tor exit nodes gives your team visibility into potentially suspicious behavior, regardless of the application or protocol used.

Step 1: Use a Reliable Exit Node Source

Instead of relying on rate-limited or unstable feeds, I recommend using this curated and regularly updated list:

https://firewalliplists.gypthecat.com/lists/kusto/kusto-tor-exit.csv.zip 

  • Download and extract the ZIP file.

The CSV file already includes a header named IPAddress, which is required for XSIAM ingestion.

Step 2: Upload the Dataset to Cortex XSIAM

  1. Go to
    Settings > Configurations > Data Management > Dataset Management
  2. Click + Lookup
  3. Upload the CSV file
  4. Name the dataset something clear, like tor_nodes

This creates a reusable dataset that can be referenced in your detection logic.

Step 3: Run the Detection Query

Use the following XQL query to identify any network events involving known Tor exit nodes:

 

dataset = xdr_data
| filter event_type = ENUM.NETWORK
| join type = inner (
    dataset = tor_nodes
    | fields IPAddress
  ) as tor_list action_remote_ip = tor_list.IPAddress 
| fields agent_hostname, action_remote_ip, event_timestamp, IPAddress




This method has already helped a few teams gain better visibility into anonymized traffic, and I hope it proves just as useful for others here. If you have feedback, enhancements, or alternative approaches, I’d genuinely appreciate hearing them.

The strength of this community lies in our willingness to share, challenge, and refine ideas together.


0 Likes Likes
2 REPLIES 2

eluis
L4 Transporter

‎06-26-2025 09:56 AM

Hi A.Elzedy, 

Very good tutorial and topic

 

KR, 

Luis 

0 Likes Likes

A.Elzedy
L2 Linker

‎06-27-2025 03:33 AM

Thank you @eluis !

0 Likes Likes
  • 297 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks