Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Threat Module |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | High |
Description
A SaaS API was called from a Tor exit node.
Attacker's Goals
Conceal information about malicious activities, such as location and network usage.
Investigative actions
Block all web traffic to and from public Tor entry and exit nodes.
Variations
A Failed API call from a Tor exit node
Suspicious SaaS API call from a Tor exit node via Mobile Device
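The following is an added illustration, not the vendor's detector logic: a sketch of how SaaS audit events could be matched against a Tor exit list, classified into the base alert and the two variations above, and suppressed within the 1-day deduplication period. The event field names, the exit-node set, and the (user, variation) deduplication key are assumptions, and all sample data is constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

DEDUP = timedelta(days=1)  # the page's 1-day deduplication period

# Constructed exit-node set using documentation address ranges.
TOR_EXITS = {ip_address("203.0.113.7"), ip_address("198.51.100.23")}

def ev(ts, user, ip, ok=True, mobile=False):
    """Build one constructed SaaS audit event (field names are assumptions)."""
    return {"ts": ts, "user": user, "ip": ip, "ok": ok, "mobile": mobile}

EVENTS = [
    ev("2024-05-01T08:00:00", "alice", "203.0.113.7"),
    ev("2024-05-01T15:00:00", "alice", "203.0.113.7"),     # inside dedup window
    ev("2024-05-02T09:30:00", "alice", "198.51.100.23"),   # window expired
    ev("2024-05-01T10:00:00", "bob", "198.51.100.23", ok=False),
    ev("2024-05-01T11:00:00", "carol", "192.0.2.10"),      # not an exit node
    ev("2024-05-01T12:00:00", "dave", "203.0.113.7", mobile=True),
]

def variation(event):
    """Map an event to the base alert or one of the two listed variations."""
    if not event["ok"]:
        return "failed"
    return "mobile" if event["mobile"] else "base"

def detect(events, exits=TOR_EXITS, dedup=DEDUP):
    """Return one alert per (user, variation) per dedup window, in time order."""
    last_alert = {}
    alerts = []
    for event in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        if ip_address(event["ip"]) not in exits:
            continue
        ts = datetime.fromisoformat(event["ts"])
        key = (event["user"], variation(event))  # assumed dedup key
        if key in last_alert and ts - last_alert[key] < dedup:
            continue
        last_alert[key] = ts
        alerts.append({"ts": event["ts"], "user": event["user"],
                       "ip": event["ip"], "variation": key[1]})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```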