User activity from Tor

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect user activity from suspicious IPs, specifically the Tor anonymisation network.

This may highlight malicious activity that a user doesn’t want to be linked to their real IP address.

Strategy

Correlate traces tagged with a user with the Threat Intelligence qualification of their IP address.

Require the trace to be flagged, either by a user event or by an In-App WAF attack.

A Low signal is then generated.

Triage and response

  1. Investigate the activity and validate that it is legitimate.
  2. Review activity from Tor IPs (@threat_intel.ip:tor) to evaluate if you’re under attack.
  3. Consider blocking the user if the activity is suspicious.