tor_connection_external_internal
Explanation
This event is triggered by Netography’s Fusion Portal when it detects traffic originating from a TOR network exit node communicating with monitored hosts. Traffic from the TOR network is not inherently malicious; however, attackers commonly use the TOR network to hide the origin of other attacks. Such attacks might include password brute forcing, host or vulnerability discovery (scanning), or data exfiltration.
What to Look For
Scanning activity from the Internet is very common, and this event on its own is not necessarily concerning or even malicious. Things to investigate include traffic to hosts not expected to be reachable from the Internet, a high number of requests to a single host, and a large volume of data leaving a single host.
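The three checks above, applied to flow records whose source is a TOR exit node. This is an added example, not Netography's code: the record layout, the host lists and both thresholds are assumptions, and the sample flows are constructed using documentation-range addresses.

```python
from collections import defaultdict

# Constructed sample data (documentation-range addresses, not real TOR exits).
TOR_EXITS = {"198.51.100.7", "203.0.113.50"}
INTERNET_FACING = {"10.0.0.10"}  # hosts expected to be reachable from the Internet
# Assumed layout: (src, dst, dst_port, bytes_in, bytes_out);
# bytes_out is what the monitored host sent back to the source.
FLOWS = [
    ("198.51.100.7", "10.0.0.10", 443, 1200, 5400),
    ("198.51.100.7", "10.0.0.25", 22, 300, 200),
    ("203.0.113.50", "10.0.0.10", 443, 900, 4100),
    ("203.0.113.50", "10.0.0.40", 445, 2000, 9_000_000),
    ("192.0.2.9", "10.0.0.25", 22, 300, 200),  # source is not a TOR exit: ignored
] + [("198.51.100.7", "10.0.0.30", 80, 100, 100)] * 60

def triage(flows, tor_exits, internet_facing,
           max_flows=50, max_bytes_out=1_000_000):
    """Return {host: sorted findings} for flows whose source is a TOR exit."""
    count = defaultdict(int)   # flows per monitored host
    sent = defaultdict(int)    # bytes leaving each monitored host
    for src, dst, _port, _bytes_in, bytes_out in flows:
        if src not in tor_exits:
            continue
        count[dst] += 1
        sent[dst] += bytes_out
    findings = defaultdict(set)
    for host in count:
        if host not in internet_facing:
            findings[host].add("unexpected_exposure")
        if count[host] > max_flows:
            findings[host].add("high_request_count")
        if sent[host] > max_bytes_out:
            findings[host].add("large_outbound_volume")
    # Hosts with no finding (expected exposure, low volume) are omitted.
    return {h: sorted(f) for h, f in findings.items()}

if __name__ == "__main__":
    result = triage(FLOWS, TOR_EXITS, INTERNET_FACING)
    for host, reasons in sorted(result.items()):
        print(host, ", ".join(reasons))
```

The thresholds are placeholders; set them from the normal per-host baseline in your own environment.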
Related MITRE ATT&CK Categories