Tor Exit Nodes

Overview

You can use Tor Exit Nodes as an enrichment source in Panther. Tor is an anonymizing network: a client's traffic is relayed through several volunteer-run nodes and leaves the network through an exit node, so the destination sees the exit node's IP address rather than the client's. It is also sometimes used by bad actors to hide their location.

The Tor enrichment provider contains IP addresses for Tor Exit Nodes. Panther automatically updates this list of IP addresses every hour. Learn how to view stored Enrichment Provider data here, and how to view log events with enrichment data here.

Enabling Tor Exit Nodes enrichment

If you are using a CI/CD workflow, please see the CI/CD Users section below to learn about additional considerations.

To enable the Panther-managed Tor Exit Node enrichment:

  1. In the left-hand navigation bar of your Panther Console, click Detections.

  2. Click the Packs tab. Search for "Tor" in the search bar.

    • The "Tor Lookup Tables" tile on this page is the Detection Pack that ships the Tor enrichment tables. Packs are disabled by default, so you need to enable the pack before the data is available.

  3. On the right side of the Tor Lookup Tables tile, click the Enabled toggle to ON to enable the pack.

  4. Click Continue in the "Enable detection pack?" dialog that appears.

    • If you'd like to make additional changes through CI/CD with PAT, please contact your Panther representative for more information.

  5. To verify the enrichment is enabled, from the left sidebar menu, click Configure > Enrichments.

    • On this page, you can see all enrichment sources, whether each source is currently enabled or disabled, and when a source’s data was last refreshed.

Considerations for CI/CD users

To enable the Tor enrichment in the CLI workflow, see the Managing Enrichments with the Panther Analysis Tool guide.

Please note the following considerations:

  • CI/CD users do not need to use Detection Packs to get Tor Exit Node enrichment tables. You can pull in the latest release of panther-analysis and use the panther_analysis_tool (PAT) to upload the enrichments.

  • If you are using a CI/CD workflow, we advise against enabling an enrichment via Detection Packs; you should instead enable and manage enrichments via your regular CI/CD workflow.

    • If you choose to manage enrichments through PAT after enabling them in the Panther Console, you must first disable the Detection Packs in the Panther Console. Simultaneous use of both the Panther Console and PAT to manage enrichments is not supported.

Example

You can leverage the Tor Exit Nodes enrichment in your detections through the panther_tor_helpers Python helper from panther-analysis. See the example below:

import panther_tor_helpers as p_tor_h

def rule(event):
    # alert if the event's IP matched a Tor exit node in the enrichment table
    return p_tor_h.TorExitNodes(event).has_exit_nodes()

def alert_context(event):
    # add useful context for the alert, including a URL to the Tor Project exit node database,
    # keyed on the event field that carries the source address (here "sourceIP")
    return p_tor_h.TorExitNodes(event).context('sourceIP')
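To see how such a rule behaves on an enriched event before you upload it, the following added example (not code from Panther or panther-analysis) runs the same rule/alert_context pair against constructed events. Because it runs offline, a small stand-in class mirrors the two helper methods used above instead of importing panther_tor_helpers. The lookup table key (tor_exit_nodes) and the row field names (ip, p_match) are assumptions for illustration; confirm the real names under Configure > Enrichments in your Console. The ExoneraTor URL format is likewise illustrative, not necessarily what the real helper emits.

```python
"""Run a Tor exit node detection over constructed enriched events (added example)."""
from typing import Any, Dict, Optional

# ASSUMPTION: the table key under p_enrichment and the row fields below are
# illustrative; verify them against your own enrichment data.
TOR_TABLE = "tor_exit_nodes"


class TorExitNodesStandIn:
    """Stand-in for panther_tor_helpers.TorExitNodes (not the project's code).

    Mirrors has_exit_nodes() and context(ip_key) so rule()/alert_context()
    read the same as on the page.
    """

    def __init__(self, event: Dict[str, Any]):
        self.event = event

    def _matches(self) -> Dict[str, Any]:
        # Panther attaches enrichment under p_enrichment.<table>.<matched field>;
        # both levels may be missing when nothing matched.
        enrichment = self.event.get("p_enrichment") or {}
        return enrichment.get(TOR_TABLE) or {}

    def has_exit_nodes(self) -> bool:
        # True if any selector field on the event matched a Tor exit node row.
        return any(bool(row) for row in self._matches().values())

    def ip_address(self, ip_key: str) -> Optional[str]:
        return self.event.get(ip_key)

    def url(self, ip: str) -> str:
        # Tor Project's ExoneraTor lets an analyst confirm an exit node by IP.
        # ASSUMPTION: query format is illustrative.
        return f"https://metrics.torproject.org/exonerator.html?ip={ip}"

    def context(self, ip_key: str) -> Dict[str, Any]:
        ip = self.ip_address(ip_key)
        return {
            "ip": ip,
            "tor_exit_node_match": self._matches().get(ip_key),
            "tor_lookup_url": self.url(ip) if ip else None,
        }


def rule(event: Dict[str, Any]) -> bool:
    return TorExitNodesStandIn(event).has_exit_nodes()


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    return TorExitNodesStandIn(event).context("sourceIP")


# Constructed sample events (documentation-range IPs, not real log data).
TOR_EVENT = {
    "sourceIP": "198.51.100.23",
    "eventName": "ConsoleLogin",
    "p_enrichment": {
        TOR_TABLE: {
            "sourceIP": {"ip": "198.51.100.23", "p_match": "198.51.100.23"},
        }
    },
}
# No enrichment block at all (e.g. enrichment disabled or field not selected).
CLEAN_EVENT = {"sourceIP": "203.0.113.5", "eventName": "ConsoleLogin"}
# Enrichment ran but the table produced no match.
NO_MATCH_EVENT = {"sourceIP": "203.0.113.5", "p_enrichment": {TOR_TABLE: {}}}


if __name__ == "__main__":
    for name, ev in [("tor", TOR_EVENT), ("clean", CLEAN_EVENT), ("no_match", NO_MATCH_EVENT)]:
        print(name, rule(ev), alert_context(ev))
```

The two negative events matter as much as the positive one: an event with no p_enrichment block and an event whose lookup returned nothing must both evaluate to False without raising, since a helper that assumes the enrichment key is always present will throw and silently fail the rule.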
