We use the rule for TOR exit nodes, described here: https://chronicle.security/blog/posts/new-to-chronicle-detecting-tor-exit-nodes-and-remote-access-to.... But we notice that we do not get alerts for some TOR-related traffic from the GCTI feed. So we tried using the Tor Exit list (https://check.torproject.org/torbulkexitlist) as a list in Chronicle to check against, and got hits on the traffic we were missing before. So the question is, do we have wrong expectations of the GCTI (Tor Exit Nodes) feed, or do we need to update the feed somehow?
Some feedback on this would be appreciated.
Thanks
Sam
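As an added example (not code from the original post or from Chronicle), here is a small Python check of the approach Sam describes: match connection logs against a Tor exit list in the torbulkexitlist format, then compute which exit addresses a second feed is missing. The list contents, feed contents and log lines are constructed samples, and the second feed is only a stand-in for the GCTI list, not its real contents.

```python
import ipaddress

# Constructed sample in the torbulkexitlist format: one IP address per line.
TOR_BULK_EXIT_LIST = """\
198.51.100.7
203.0.113.45
198.51.100.200
"""
# Constructed stand-in for a second exit-node feed that lacks one address.
OTHER_FEED = """\
198.51.100.7
203.0.113.45
"""
# Constructed log lines: "<timestamp> <src_ip> <dst_ip> <dst_port>".
SAMPLE_LOGS = """\
2024-01-01T10:00:00Z 10.0.0.5 198.51.100.7 443
2024-01-01T10:00:05Z 10.0.0.9 198.51.100.200 9001
2024-01-01T10:00:07Z 10.0.0.9 192.0.2.10 443
"""

def parse_ip_list(text):
    """Return the set of valid addresses, skipping blank or malformed lines."""
    ips = set()
    for line in text.splitlines():
        try:
            ips.add(ipaddress.ip_address(line.strip()))
        except ValueError:
            continue  # tolerate comments or junk in a downloaded list
    return ips

def find_tor_connections(logs, exit_ips):
    """Return (timestamp, src, dst) for each line whose destination is an exit node."""
    hits = []
    for line in logs.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            dst = ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        if dst in exit_ips:
            hits.append((parts[0], parts[1], str(dst)))
    return hits

def feed_coverage_gap(reference_ips, feed_ips):
    """Exit nodes present in the reference list but absent from the feed under test."""
    return {str(ip) for ip in reference_ips - feed_ips}
```

Running the logs against both lists shows the connection that only the bulk list catches, and the gap function names the address the second feed lacks.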
Hello. Thanks for sharing your experience. The engineering team responsible for maintaining that list in Chronicle SIEM has read this post. Do you mind opening a support case so we can get more details?
Thanks for the fast reply, I will open a support case.