Suspicious Ingress Authentications

These detection rules identify suspicious activity from ingress authentication records collected by InsightIDR Collectors.

Suspicious Authentication - Tor Exit Node


This detection identifies successful authentications from IP addresses of known TOR Exit Nodes. The TOR Project was established to provide online privacy through network anonymization. Because of this, it is often used by malicious actors as a free proxy service to hide their identity.


Review the authentication history for the user for the past few weeks to identify any other suspicious activity. Reach out to the user to verify if they are knowingly using the TOR Project when accessing organizational resources. Lock the account as necessary and have the user change their password. If this system does not require two-factor authentication, consider adding it to prevent brute-force and simple phishing attacks.

MITRE ATT&CK Techniques

  • Valid Accounts - T1078
  • Proxy - T1090
  • Multi-hop Proxy - T1090.003