tor_connection_internal_external
Explanation
This event is triggered by Netography’s Fusion Portal when it detects a connection attempt to a known Tor entry node from an internal network device. Tor is often used to hide the origin of network traffic, so such a connection may indicate malicious behavior, attempts to evade network use policy, or circumvention of other network controls.
What to Look For
If this activity is against internal policy, the detected endpoints should be examined for any applications or processes that may be attempting to use Tor. Tor entry traffic can use many different TCP ports, and may be hard to block at the network level.
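The sketch below is an added example, not Netography's detection code. It shows the matching logic described above on constructed flow records: internal sources are matched against a list of Tor entry-node addresses by destination IP, never by port. The RFC 1918 internal ranges, the record layout, and the node list (documentation-range addresses, not real relays) are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: internal address space is RFC 1918; adjust to the local network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for a Tor entry-node list (documentation ranges, not real relays).
TOR_ENTRY_NODES = {"203.0.113.10", "203.0.113.77", "198.51.100.5"}

# Constructed flow records: (src_ip, dst_ip, protocol, dst_port)
SAMPLE_FLOWS = [
    ("10.1.2.3", "203.0.113.10", "tcp", 9001),
    ("10.1.2.3", "203.0.113.77", "tcp", 443),     # same host, second node, HTTPS port
    ("192.168.5.20", "198.51.100.5", "tcp", 8443),
    ("10.1.2.4", "192.0.2.50", "tcp", 443),       # external, but not a listed node
    ("203.0.113.10", "10.1.2.3", "tcp", 51000),   # external-to-internal, out of scope
    ("10.9.9.9", "203.0.113.10", "udp", 53),      # not TCP
    ("not-an-ip", "203.0.113.10", "tcp", 443),    # malformed source, skipped
]

def is_internal(addr):
    """True if addr parses as an IP inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def find_tor_entry_connections(flows, tor_nodes=TOR_ENTRY_NODES):
    """Return {internal_src: sorted [(tor_dst, port), ...]} for internal-to-Tor TCP flows."""
    hits = defaultdict(set)
    for src, dst, proto, port in flows:
        if proto.lower() != "tcp":
            continue
        # The port is recorded for triage but plays no part in the match,
        # because entry traffic can appear on many different TCP ports.
        if is_internal(src) and not is_internal(dst) and dst in tor_nodes:
            hits[src].add((dst, port))
    return {src: sorted(pairs) for src, pairs in hits.items()}

if __name__ == "__main__":
    for src, pairs in find_tor_entry_connections(SAMPLE_FLOWS).items():
        print(src, "->", ", ".join(f"{d}:{p}" for d, p in pairs))
```

Grouping hits by source address gives the list of endpoints to examine for applications or processes attempting to use Tor.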
Related MITRE ATT&CK Categories