Suspicious AI model usage from a Tor exit node

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2026-02-02
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log, OR
    • GCP Audit Log

Detection Modules

AIDR

Detector Tags

Cloud AI Infrastructure Analytics

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Proxy: Multi-hop Proxy (T1090.003)

Severity

High

Description

A cloud identity invoked an AI model from a Tor exit node.

Attacker's Goals

Conceal information about malicious activities, such as location and network usage.

Investigative actions

Block all web traffic to and from public Tor entry and exit nodes.

Variations

Failed AI model usage from a Tor exit node

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Proxy: Multi-hop Proxy (T1090.003)

Severity

Informational

Description

A cloud identity attempted to invoke an AI model from a Tor exit node, and the invocation failed.

Attacker's Goals

Conceal information about malicious activities, such as location and network usage.

Investigative actions

Block all web traffic to and from public Tor entry and exit nodes.
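The following script is an added illustration of the detection logic behind both the main alert and its "Failed" variation; it is not Cortex XDR's implementation. It assumes AWS CloudTrail-style JSON records (the `eventSource`, `eventName`, `sourceIPAddress`, `userIdentity.arn` and `errorCode` fields), treats Amazon Bedrock `InvokeModel` calls as "AI model usage" (an assumption: the page does not name which API calls count), and takes the Tor exit-node list as an operator-supplied set. The sample events and the exit-node addresses are constructed from RFC 5737 documentation ranges. A successful call from a listed exit node produces the High alert, a call that failed (an `errorCode` is present) produces the Informational variation, and repeat hits for the same identity inside the 5-day deduplication period are suppressed. GCP audit logs carry the caller address in a different place (`protoPayload.requestMetadata.callerIp`) and are not handled here.

```python
"""Toy detector: AI-model invocations whose source address is a Tor exit node.

Added example, not Cortex XDR's own code. Assumes CloudTrail-style records
and an operator-maintained Tor exit-node list.
"""
from datetime import datetime, timedelta

# Assumed mapping of (eventSource, eventName) pairs that count as "AI model usage".
AI_MODEL_CALLS = {
    ("bedrock.amazonaws.com", "InvokeModel"),
    ("bedrock.amazonaws.com", "InvokeModelWithResponseStream"),
}

# Constructed Tor exit-node list (RFC 5737 documentation addresses, not real exits).
TOR_EXIT_NODES = {"198.51.100.23", "203.0.113.77"}

# Deduplication period stated on the page: one alert per identity per 5 days.
DEDUP_WINDOW = timedelta(days=5)

# Constructed CloudTrail-style sample events (not captured from a real account).
SAMPLE_EVENTS = [
    {"eventTime": "2026-01-10T08:00:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModel", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"}},
    {"eventTime": "2026-01-11T09:30:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModel", "sourceIPAddress": "203.0.113.77",
     "errorCode": "AccessDeniedException",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci/build"}},
    {"eventTime": "2026-01-12T10:00:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModel", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"}},
    {"eventTime": "2026-01-20T11:00:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModelWithResponseStream", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"}},
    {"eventTime": "2026-01-13T12:00:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModel", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"}},
    {"eventTime": "2026-01-14T13:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"}},
]


def classify_event(event, tor_exits=TOR_EXIT_NODES):
    """Return an alert dict for one event, or None when it does not match."""
    if (event.get("eventSource"), event.get("eventName")) not in AI_MODEL_CALLS:
        return None  # not an AI model invocation
    if event.get("sourceIPAddress") not in tor_exits:
        return None  # caller address is not a known Tor exit node
    failed = "errorCode" in event  # CloudTrail records failures via errorCode
    return {
        "alert": ("Failed AI model usage from a Tor exit node" if failed
                  else "Suspicious AI model usage from a Tor exit node"),
        "severity": "Informational" if failed else "High",
        "identity": event.get("userIdentity", {}).get("arn", "<unknown>"),
        "source_ip": event["sourceIPAddress"],
        "time": datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00")),
    }


def detect(events, tor_exits=TOR_EXIT_NODES, window=DEDUP_WINDOW):
    """Classify events in time order and suppress repeats inside the dedup window."""
    alerts, last_seen = [], {}
    for event in sorted(events, key=lambda e: e["eventTime"]):
        hit = classify_event(event, tor_exits)
        if hit is None:
            continue
        key = (hit["identity"], hit["alert"])
        previous = last_seen.get(key)
        if previous is not None and hit["time"] - previous < window:
            continue  # same identity and alert type within 5 days: deduplicated
        last_seen[key] = hit["time"]
        alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['time']:%Y-%m-%d} {alert['severity']:<13} "
              f"{alert['identity']} from {alert['source_ip']}: {alert['alert']}")
```

Run against the constructed events, the detector raises three alerts: the High alert for the analyst user on 2026-01-10, the Informational variation for the failed role call on 2026-01-11, and a second High alert on 2026-01-20 once the 5-day window has elapsed; the 2026-01-12 repeat, the call from a non-Tor address, and the S3 call from a Tor address produce nothing. Keying the deduplication on identity plus alert type, rather than on source address, is deliberate: an attacker rotating across exit nodes would otherwise generate a fresh alert for every circuit.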