A combination of disabling the BIOC rule and excluding the alerts seems to do the trick. If your tenant has a few thousand endpoints, then you will need to wait whilst it plays catch-up and processes all the events. Given how much Identity Analytics does, I wouldn't disable that feature. It's clear the new content update is flagging BAU traffic as TOR.