Tor Exit Nodes


Tor is an anonymizing network for Internet browsing in which the user's client IP address is randomly picked from nodes around the world. It is also sometimes used by bad actors to hide their location.
The Tor integration is an Enrichment Provider, also known as a Panther-managed Lookup Table. It contains IP addresses for Tor Exit Nodes. Panther automatically updates this list of IP addresses every hour.

Enabling Tor Exit Nodes enrichment

If you are using a CI/CD workflow, please see the CI/CD Users section below to learn about additional considerations.
To enable the Panther-managed Tor Exit Node Lookup Table:
  1. 1.
    Log in to your Panther Console.
  2. 2.
    From the left sidebar menu, click Build > Packs. Search for "Tor" in the search bar.
    • On this page, you can see the Detection Pack available for Tor Lookup Tables. Packs are disabled by default, so to use this data you will need to enable the pack first.
      The "Tor Lookup Tables" tile is displayed on the Packs page in the Panther Console.
  3. 3.
    On the right side of the Tor Lookup Tables tile, click the Enabled toggle to ON to enable the pack.
  4. 4.
    Click Continue in the dialog that appears.
    The image shows a popup dialog labeled "Enable detection pack?". There is a blue "Continue" button at the bottom.
    • If you'd like to make additional changes through CI/CD with PAT, please contact your Panther representative for more information.
  5. 5.
    To verify the Lookup Table is enabled, from the left sidebar menu, click Configure > Enrichment Providers.
    • On this page, you can see Panther-managed Enrichment Providers. You can also see whether the sources are currently enabled or disabled and when a source’s data was last refreshed.

Considerations for CI/CD users

To enable the Tor Enrichment Provider in the CLI workflow, see the Managing Lookup Tables and Enrichment Providers with the Panther Analysis Tool guide.
Please note the following considerations:
  • CI/CD users do not need to use Detection Packs to get Panther-managed Tor Exit Node Lookup Tables. You can pull in the latest release of panther-analysis and use the panther_analysis_tool (PAT) to upload the Lookup Tables.
  • If you are using a CI/CD workflow, we advise against enabling a Lookup Table via Detection Packs; you should instead enable and manage Lookup Tables via your regular CI/CD workflow.
    • If you choose to manage Lookup Tables through PAT after enabling them in the Panther Console, you must first disable the Detection Packs in the Panther Console. Simultaneous use of both the Panther Console and PAT to manage Lookup Tables is not supported.


You can leverage the Tor Exit Nodes Panther-managed Lookup Table via a Python helper in detections. See the example below:
import panther_tor_helpers as p_tor_h
def rule(event):
# alert if activity is from Tor Exit Nodes
return p_tor_h.TorExitNodes(event).has_exit_nodes()
def alert_context(event):
# add useful context for the alert, including a URL to Tor project exit node database
return p_tor_h.TorExitNodes(event).context('sourceIP')