The TOR IP List for Microsoft Sentinel
Introduction
TOR was introduced and popularized to preserve the privacy of people using the internet.
These days that intent is often misaligned: it is also widely used to hide activity carried out with improper motives.
Organizations therefore want to identify users who connect from TOR exit IP addresses to act anonymously, and Microsoft Sentinel provides a single pane of glass for any hunting or analytics on that question.
The Tor Project publishes a list of exit-node IP addresses that can be used directly for analytics or hunting in Microsoft Sentinel.
Hence, I have built this solution and published it with source code for ease of adoption.
The original list is available at https://check.torproject.org/torbulkexitlist
Solution Design
Solution workflow
Source Code structure
Code Repository
A live file named torips.txt is present in the repo:
https://raw.githubusercontent.com/samikroy/the-tor-project/main/torips.txt
You can always refer to this repo, or clone it, to extend the idea.
Sample KQL
Here is sample KQL that references the live file. It can be used to identify TOR IP addresses in the data sources logged to Sentinel; on its own it only returns the list, which you then match against the IP column of a table such as SigninLogs.
// The file is one IP address per line, so read it as plain text rather than CSV.
externaldata (IPAddress:string)[
"https://raw.githubusercontent.com/samikroy/the-tor-project/main/torips.txt"
] with (format="txt")
| project IPAddress
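To show what the match against a Sentinel table does, and one trap in it, here is the same logic in Python so it can run offline. This is an added example, not code from the article or its repository: the exit list and the SigninLogs-style records are constructed, and the column names mirror a few of the real SigninLogs columns. Addresses go through ipaddress.ip_address() so that an IPv6 address logged in a different textual form (uppercase hex, uncompressed zeros) still matches the list.

```python
import ipaddress

# Constructed sample of the exit-node list as served from the torips.txt URL:
# one address per line. These are documentation addresses (RFC 5737 / RFC 3849),
# not real TOR exits.
TOR_LIST_TEXT = """\
198.51.100.7
203.0.113.45
2001:db8::1
"""

# Constructed records shaped like a few columns of Sentinel's SigninLogs table.
# The IPv6 entry is deliberately written in a non-canonical form, and one
# record has an empty IPAddress column.
SIGNIN_LOGS = [
    {"UserPrincipalName": "alice@example.com", "IPAddress": "203.0.113.45",    "ResultType": "0"},
    {"UserPrincipalName": "bob@example.com",   "IPAddress": "192.0.2.10",      "ResultType": "0"},
    {"UserPrincipalName": "carol@example.com", "IPAddress": "2001:DB8:0:0::1", "ResultType": "50126"},
    {"UserPrincipalName": "dave@example.com",  "IPAddress": "",                "ResultType": "0"},
]


def load_tor_ips(text: str) -> set[str]:
    """Read the list the way externaldata reads a one-value-per-line file and
    return the addresses in canonical textual form."""
    ips: set[str] = set()
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        # ip_address() validates the entry and canonicalizes it (lowercase hex,
        # compressed IPv6), so the later membership test is an exact-string match.
        ips.add(str(ipaddress.ip_address(entry)))
    return ips


def find_tor_signins(logs: list[dict], tor_ips: set[str]) -> list[dict]:
    """Equivalent of filtering the table on IPAddress against the TOR list."""
    hits = []
    for record in logs:
        try:
            ip = str(ipaddress.ip_address(record["IPAddress"]))
        except ValueError:
            continue  # empty or malformed IPAddress column: nothing to match
        if ip in tor_ips:
            hits.append({**record, "IsTorExit": True})
    return hits


if __name__ == "__main__":
    for hit in find_tor_signins(SIGNIN_LOGS, load_tor_ips(TOR_LIST_TEXT)):
        print(hit["UserPrincipalName"], hit["IPAddress"], "ResultType", hit["ResultType"])
```

The same caveat applies in KQL: the `in` operator is an exact string comparison, so an IPv6 address that Azure AD logs in a different textual form than the list will not match unless you normalize both sides or compare with ipv6_compare().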
Dataflow
In addition, I would like to show how the data flows from the Tor Project's published list into the repo.
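The refresh step of that flow (download the bulk exit list, clean it, write torips.txt) can be demonstrated offline. The following is an added example written for this article, not the repository's own workflow code: SOURCE_URL is the list linked in the introduction, OUTPUT_FILE and the raw sample are assumptions, and the sample is constructed to contain duplicates, blank lines, a non-canonical IPv6 entry and a junk line so the normalization has something to do. The list is sorted numerically and deduplicated so each commit diffs cleanly, and the refresh refuses to overwrite the file with an empty list if the source returns something that is not a list.

```python
import ipaddress
import urllib.request

SOURCE_URL = "https://check.torproject.org/torbulkexitlist"
OUTPUT_FILE = "torips.txt"   # assumed name of the file the repo workflow commits

# Constructed stand-in for a raw download: unsorted, one duplicate, a blank line,
# mixed-case IPv6 and one junk line. Addresses are documentation ranges.
RAW_SAMPLE = """\
203.0.113.45
198.51.100.7
2001:DB8::1

203.0.113.45
not-an-ip
"""


def fetch_exit_list(url: str = SOURCE_URL, timeout: int = 30) -> str:
    """Download the current list (needs network; not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def normalize_exit_list(raw: str) -> tuple[str, list[str]]:
    """Validate, deduplicate and sort the raw list.

    Returns (file_text, rejected_entries). IPv4 sorts before IPv6, each in
    numeric rather than string order, so the committed file is stable across runs.
    """
    valid = set()
    rejected: list[str] = []
    for line in raw.splitlines():
        entry = line.strip()
        if not entry:
            continue
        try:
            valid.add(ipaddress.ip_address(entry))   # canonicalizes as a side effect
        except ValueError:
            rejected.append(entry)
    ordered = sorted(valid, key=lambda ip: (ip.version, int(ip)))
    return "".join(f"{ip}\n" for ip in ordered), rejected


def list_delta(old_text: str, new_text: str) -> tuple[list[str], list[str]]:
    """Addresses added and removed between two normalized files, for the commit log."""
    old, new = set(old_text.split()), set(new_text.split())
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    text, rejected = normalize_exit_list(fetch_exit_list())
    # An error page or an empty body would otherwise silently wipe the list.
    if not text:
        raise SystemExit("refusing to write an empty exit list")
    with open(OUTPUT_FILE, "w", encoding="utf-8") as f:
        f.write(text)
    print(f"wrote {text.count(chr(10))} addresses, rejected {len(rejected)} entries")
```

Running the script does the live refresh; the functions can also be called from a scheduled job that compares the new file with the previous commit via list_delta() and only commits when something changed.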
Conclusion
This article summarizes a use case where we want to identify TOR IP addresses within the data sources logged in Microsoft Sentinel, or in any log source that supports KQL as a query language.
Thank you for reading to the end; I would love to hear your thoughts as well.
IdentityRays (2K followers), 3y: Wonderful! Thanks for the post
Hexaware Technologies (3K followers), 3y: Nice and precise!