TOR Exit Nodes (Anonymizer Detection)
The TOR Exit Nodes enrichment uses the official Tor Project Onionoo API to identify traffic from or to TOR exit nodes, which helps detect anonymized traffic patterns in enterprise networks.
Features
- Official Data Source: Uses the Tor Project's own API
- Exit Node Focus: Specifically identifies exit relay IPs
- Relay Metadata: Country, ASN, and relay flags
- Frequently Updated: TOR network changes constantly
- Free: No API key required
Data Fields Added
When TOR Exit Nodes is enabled, logs from/to exit nodes will have:
| Field | Description |
|---|---|
| ioc_src_ip_threat_type / ioc_dest_ip_threat_type | "anonymizer" |
| ioc_src_ip_confidence / ioc_dest_ip_confidence | Confidence level (default: 85) |
| ioc_src_ip_tags / ioc_dest_ip_tags | ["tor_exit", "anonymizer"] |
See Field Reference for the complete IOC field list.
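As an added example (not the product's own code), the following shows how an enrichment of this kind is derived from an Onionoo details document: only running relays carrying the Exit flag count, and both their OR addresses and their separately reported exit addresses are indexed, because the address a relay exits from can differ from the one it listens on. The JSON is a constructed sample in the shape of Onionoo's `details` output (field names `running`, `flags`, `or_addresses`, `exit_addresses`, `country`, `as`); the enrichment fields follow the table above.

```python
import ipaddress
import json

# Constructed sample in the shape of an Onionoo "details" document; the
# addresses come from documentation ranges and are not real relays.
ONIONOO_DETAILS = json.dumps({
    "relays": [
        {"nickname": "exitA", "running": True, "flags": ["Exit", "Fast", "Running"],
         "or_addresses": ["203.0.113.10:9001", "[2001:db8::10]:9001"],
         "exit_addresses": ["203.0.113.11"], "country": "de", "as": "AS64496"},
        {"nickname": "guardB", "running": True, "flags": ["Guard", "Running"],
         "or_addresses": ["198.51.100.5:443"], "country": "nl", "as": "AS64497"},
        {"nickname": "staleExit", "running": False, "flags": ["Exit"],
         "or_addresses": ["192.0.2.9:9001"], "country": "us", "as": "AS64498"},
    ]
})

def exit_node_index(details_json, confidence=85):
    """Map every address of a running Exit relay to the enrichment fields
    documented above (threat_type, confidence, tags) plus relay metadata."""
    index = {}
    for relay in json.loads(details_json)["relays"]:
        if not relay.get("running") or "Exit" not in relay.get("flags", []):
            continue
        # or_addresses carry a port (and brackets for IPv6); exit_addresses are
        # bare IPs the relay was actually seen exiting from and may differ.
        addrs = [a.rsplit(":", 1)[0].strip("[]") for a in relay.get("or_addresses", [])]
        addrs += relay.get("exit_addresses", [])
        for addr in addrs:
            index[str(ipaddress.ip_address(addr))] = {
                "threat_type": "anonymizer", "confidence": confidence,
                "tags": ["tor_exit", "anonymizer"],
                "country": relay.get("country"), "asn": relay.get("as"),
            }
    return index

def enrich(event, index):
    """Add ioc_src_ip_* / ioc_dest_ip_* fields to a log event whose src_ip or
    dest_ip is a known exit node; events with no match are returned unchanged."""
    out = dict(event)
    for side in ("src_ip", "dest_ip"):
        hit = index.get(out.get(side))
        if hit:
            out[f"ioc_{side}_threat_type"] = hit["threat_type"]
            out[f"ioc_{side}_confidence"] = hit["confidence"]
            out[f"ioc_{side}_tags"] = hit["tags"]
    return out
```

The `running` check is what the TTL and sync interval settings below stand in for: a relay that has dropped out of the consensus should stop matching once the data is refreshed.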
Setting Up TOR Exit Nodes
- Navigate to Marketplace in the left sidebar
- Search for TOR Exit Nodes or find it in the Data tab
- Configure settings:
  - TTL: How long to keep exit node data (default: 1 day)
  - Sync Interval: How often to refresh (default: every 6 hours)
  - Confidence Level: IOC confidence for matches (default: 85%)
- Click Save, then Sync Now
- Toggle Enabled to activate
Using TOR Data in Queries
Find all TOR traffic:
```
ioc_src_ip_threat_type = "anonymizer" OR ioc_dest_ip_threat_type = "anonymizer"
```
Outbound TOR connections:
```
ioc_dest_ip_threat_type = "anonymizer"
```
TOR-tagged traffic:
```
has(ioc_src_ip_tags, 'tor_exit') OR has(ioc_dest_ip_tags, 'tor_exit')
```
Exclude TOR from other IOC queries:
```
ioc_dest_ip_threat_type != "" AND ioc_dest_ip_threat_type != "anonymizer"
```
Detection Rule Examples
TOR Exit Node Communication:
```yaml
name: "TOR Exit Node Communication"
description: "Detects traffic to or from known TOR exit nodes"
query: |
  ioc_src_ip_threat_type = "anonymizer"
  OR ioc_dest_ip_threat_type = "anonymizer"
severity: medium
```
Outbound TOR Usage:
```yaml
name: "Outbound TOR Connection"
description: "Detects internal hosts connecting to TOR exit nodes"
query: |
  ioc_dest_ip_threat_type = "anonymizer"
  AND src_ip IN CIDR("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
severity: high
```
Next Steps
- ThreatFox — Add malware and botnet IOCs
- Custom Enrichments — Build your own integrations
- Troubleshooting — Fix TOR enrichment issues