Tor Exit Nodes


This feature is available as a Pack as of version 1.37.2 of the panther-analysis repository, and is available as of Panther version 1.45.
Tor is an anonymizing network for Internet browsing in which the IP address a user's traffic appears to come from is randomly picked from nodes around the world. It is also sometimes used by bad actors to hide their location.
Panther offers a Lookup Table that contains the IP addresses for the Tor Exit Nodes. The list of IP addresses is automatically updated every hour.

Enabling Tor Exit Nodes enrichment

If you are using a CI/CD workflow, please see the CI/CD Users section below to learn about additional considerations.
To enable the Tor Exit Node Lookup Table:
  1. Log in to your Panther Console.
  2. From the left sidebar menu, click Build > Packs. Search for "Tor" in the search bar.
    • On this page, you can see the built-in pack available for Tor Lookup Tables. Packs are disabled by default, so to use this data you will need to enable the pack first.
  3. On the right side of the tile labeled Tor Lookup Tables, click the toggle to enable the pack.
  4. Click Continue in the dialog that appears.
    • If you'd like to make additional changes through CI/CD with the panther_analysis_tool, please contact your Panther representative for more information.
  5. To verify if the Lookup Table is enabled, from the left sidebar menu, click Configure > Enrichment Providers.
    • On this page, you can see Panther-managed enrichment sources. You can also see whether the sources are currently enabled or disabled and when a source’s data was last refreshed.

Considerations for CI/CD users

Please note the following considerations:
  • CI/CD users do not need to use Detection Packs to get Tor Exit Node Lookup Tables. You can pull in the latest release of panther-analysis and use the panther_analysis_tool (PAT) to upload the Lookup Tables.
  • It is possible for CI/CD users to enable Lookup Tables via Detection Packs, as long as you do not customize the tables using PAT.
    • If you choose to manage Lookup Tables through PAT after enabling them in the Panther Console, you must first disable the Detection Packs in the Panther Console. Simultaneous use of both the Panther Console and PAT to manage Lookup Tables is not supported.


You can leverage the Tor Exit Nodes Lookup Table via a Python helper in detections. See the example below:
import panther_tor_helpers as p_tor_h


def rule(event):
    # alert if activity is from Tor Exit Nodes
    return p_tor_h.TorExitNodes(event).has_exit_nodes()


def alert_context(event):
    # add useful context for the alert, including a URL to Tor project exit node database
    return p_tor_h.TorExitNodes(event).context('sourceIP')
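
To show what matching an event against an exit-node list involves, the following added example (not Panther's code and not part of the original page) checks an event's sourceIP against an in-memory set of addresses. The sample addresses, the event shape and all function names are constructed for illustration; the example also normalizes IPv4-mapped IPv6 values, which a plain string comparison would miss.

```python
import ipaddress

# Constructed sample list (RFC 5737 / RFC 3849 documentation addresses),
# standing in for the hourly-refreshed exit-node list.
SAMPLE_EXIT_NODES = ["192.0.2.10", "198.51.100.77", "2001:db8::1f"]


def normalize_ip(value):
    """Return a canonical ip_address object, or None if value is not an IP."""
    try:
        ip = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return None
    # Some log sources record IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def build_lookup(addresses):
    """Parse exit-node addresses into a set; unparseable entries are skipped."""
    return {ip for ip in map(normalize_ip, addresses) if ip is not None}


def enrich(event, lookup, fields=("sourceIP",)):
    """Return {field: ip} for each inspected field whose value is in the lookup."""
    matches = {}
    for field in fields:
        ip = normalize_ip(event.get(field, ""))
        if ip is not None and ip in lookup:
            matches[field] = str(ip)
    return matches


def rule(event, lookup):
    """Alert when any inspected field matched an exit node."""
    return bool(enrich(event, lookup))


if __name__ == "__main__":
    lookup = build_lookup(SAMPLE_EXIT_NODES)
    # Constructed sample events.
    events = [
        {"sourceIP": "::ffff:192.0.2.10", "action": "login"},
        {"sourceIP": "203.0.113.5", "action": "login"},
        {"action": "heartbeat"},
    ]
    for ev in events:
        print(ev, "->", rule(ev, lookup), enrich(ev, lookup))
```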