User activity from Tor

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect user activity from suspicious IPs, specifically the Tor anonymisation network.

This may highlight malicious activity that a user doesn’t want to be linked to their real IP address.

Strategy

Correlate traces tagged with a user with the Threat Intelligence qualification of their IP address.

Require the trace to be flagged, either by a user event or by an In-App WAF attack.

A Low signal is then generated.

Triage and response

  1. Investigate the activity and validate that it is legitimate.
  2. Review activity from Tor IPs (@threat_intel.ip:tor) to evaluate if you’re under attack.
  3. Consider blocking the user if the activity is suspicious.