GCTI Tor List not equals to https://check.torproject.org/torbulkexitlist ?!

Question

We use the rule for TOR exit nodes, described here: https://chronicle.security/blog/posts/new-to-chronicle-detecting-tor-exit-nodes-and-remote-access-tools/. But we notice that we do not get alerts for some TOR related traffic from the GCTI feed. So we tried using the Tor Exit list (https://check.torproject.org/torbulkexitlist) as a list in the chronicle to check against, and got hits on the traffic we were missing before. So the question is, do we have wrong expectations on the GCTI (Tor Exit Nodes) feed or do we need to update the feed somehow?

Some feedback on this would be appreciated.

Thanks

Sam

Page 1 / 1

Hello. Thanks for sharing your experience. The engineering team responsible for maintaining that list in Chronicle SIEM has read this post. Do you mind opening a support case so we can get more details?

thx for the fast reply, i will open a support case

Reply

herrald · Accepted Answer

Hello. Thanks for sharing your experience. The engineering team responsible for maintaining that list in Chronicle SIEM has read this post. Do you mind opening a support case so we can get more details?

smaxs · Answer

thx for the fast reply, i will open a support case

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded