# Prisma Cloud Now Detects Threats Using the TOR Network

By [Rachel Deng](https://www.paloaltonetworks.com/blog/author/rachel-deng/), [Venkatesh Pappakrishnan](https://www.paloaltonetworks.com/blog/author/venkatesh-pappakrishnan/) and [Alok Tongaonkar](https://www.paloaltonetworks.com/blog/author/alok-tongaonkar/), Jun 06, 2022, 4 minutes

Categories: [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/), [Cloud Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security/), [Cloud Security Posture Management](https://www.paloaltonetworks.com/blog/category/cloud-security-posture-management/). Tags: [CSPM](https://www.paloaltonetworks.com/blog/tag/cspm/), [Threat Detection](https://www.paloaltonetworks.com/blog/tag/threat-detection/), [Tor](https://www.paloaltonetworks.com/blog/tag/tor/), [UEBA](https://www.paloaltonetworks.com/blog/tag/ueba/)

Malicious actors, including the notorious [Lapsus$ group](https://unit42.paloaltonetworks.com/lapsus-group/), routinely gain access to victims' accounts with stolen credentials, obtained for example by scraping public repositories or storage buckets where credentials were inadvertently exposed. One effective defense against these threats is comprehensive [User and Entity Behavior Analytics (UEBA)](https://blog.paloaltonetworks.com/2020/01/cloud-ueba/). Prisma Cloud UEBA combines machine learning (ML) techniques with multiple threat intelligence feeds to detect anomalous activity in your cloud environments. Previously, we presented one of our UEBA capabilities, [compute provisioning anomaly detection](https://www.paloaltonetworks.com/blog/prisma-cloud/compute-provisioning-anomaly-detection/), which flags virtual machines provisioned for cryptomining and has already saved customers thousands of dollars a day. We are excited to introduce our most recent UEBA capability: detecting suspicious activity originating from The Onion Router (TOR) network.
![Prisma Cloud introduces 16 new threat detection policies](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/table-description-automatically-generated.png)

![Prisma Cloud policy dashboard](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/graphical-user-interface-table-description-autom.png)

## Why Attackers Use TOR Anonymity Networks

TOR gives its users anonymity by encrypting each request and routing it through multiple relay nodes in layers (like an onion). Activity performed over TOR appears to originate from one of the TOR exit nodes rather than from the IP address of the user's device. Attackers use TOR to hide the origin of the activity that prepares and carries out attacks, such as exfiltration of personal or financial data and cryptojacking. Early identification of TOR-sourced events is therefore critical for stopping these attacks before they complete.

## Detecting TOR-based Suspicious Activities Using Prisma Cloud

Prisma Cloud continuously ingests the audit logs for all users in a customer's accounts. The source IP of each event is checked against the current list of TOR exit nodes, a threat intelligence feed that is refreshed every day. If the source IP matches one of the exit nodes, an alert is generated. Because exit nodes are shared by everyone using TOR, a match establishes that the caller was anonymized rather than proving malicious intent; the severity of the alert comes from what the request attempted to do.
![High-level workflow of Prisma Cloud TOR-based suspicious activity detection](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/diagram-description-automatically-generated.png)

Data exfiltration and cryptojacking attempts commonly involve security-sensitive operations such as copying VM images, attaching or removing policies to change an account's permissions, and adding or removing key pairs. Prisma Cloud formulated the new anomaly policies based on the service group of the resource the user accesses from a TOR exit node. We categorized the cloud resources of the Cloud Service Providers (CSPs) into 16 service groups and developed one policy for each, as listed in the table below.

![New anomaly policies and the corresponding service groups](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/table-description-automatically-generated-1.png)

Prisma Cloud [CSPM](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-security-posture-management) Threat Detection uses the [MITRE ATT&CK framework for Cloud](https://www.paloaltonetworks.com/blog/prisma-cloud/mitre-attck-for-cloud-improve-threat-detection/) as its guiding principle. The new TOR-based suspicious activity detection falls under the MITRE ATT&CK tactic "Defense Evasion".
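The matching step described above (source IP of each audit event checked against a daily exit-node list) and the per-service-group policies can be sketched in a few dozen lines. The block below is an added example, not Prisma Cloud's code: the exit-node feed, the CloudTrail-style events, the service-group names and the policy names are all constructed for illustration (the page's actual 16-policy table is an image), and the RFC 5737 documentation addresses used are not real TOR exit nodes.

```python
"""Match cloud audit-log source IPs against a Tor exit-node list and raise
one alert per event, named by the service group of the resource touched.
Added example; every IP, event and policy name here is constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the daily exit-node feed: one address per line,
# blank lines and '#' comments ignored. A production job would fetch and
# refresh this on a schedule; these documentation addresses are not real.
TOR_EXIT_LIST_TEXT = """\
# fetched 2022-06-01 (constructed)
198.51.100.7
198.51.100.23
203.0.113.250
not-an-ip
"""

# Hypothetical mapping from a CloudTrail eventSource to (service group,
# policy name, severity). Assumed for the example, not Prisma Cloud's table.
SERVICE_GROUP_POLICY = {
    "iam.amazonaws.com": ("IAM", "Suspicious IAM activity from Tor exit node", "high"),
    "ec2.amazonaws.com": ("Compute", "Suspicious compute activity from Tor exit node", "high"),
    "s3.amazonaws.com": ("Storage", "Suspicious storage activity from Tor exit node", "medium"),
}
CATCH_ALL = ("Other", "Suspicious activity from Tor exit node", "low")


@dataclass(frozen=True)
class Alert:
    policy: str
    severity: str
    service_group: str
    user: str
    event_name: str
    source_ip: str


def load_exit_nodes(text: str) -> frozenset:
    """Parse the feed into a set of ip_address objects. Comments, blanks and
    malformed lines are skipped so one bad line cannot disable detection."""
    nodes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nodes.add(ipaddress.ip_address(line))
        except ValueError:
            continue
    return frozenset(nodes)


def detect_tor_events(events, exit_nodes):
    """Return an Alert for every event whose sourceIPAddress is an exit node.
    Services outside the mapping get the catch-all policy so a Tor-sourced
    call is never silently dropped."""
    alerts = []
    for ev in events:
        raw_ip = ev.get("sourceIPAddress", "")
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            continue  # CloudTrail puts a DNS name here for service-originated calls
        if ip not in exit_nodes:
            continue
        group, policy, severity = SERVICE_GROUP_POLICY.get(ev.get("eventSource", ""), CATCH_ALL)
        user = ev.get("userIdentity", {}).get("userName", "unknown")
        alerts.append(Alert(policy, severity, group, user, ev.get("eventName", ""), raw_ip))
    return alerts


# Constructed CloudTrail-style records, trimmed to the fields used above.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "alice"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateImage",
     "sourceIPAddress": "203.0.113.250", "userIdentity": {"userName": "alice"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "192.0.2.10", "userIdentity": {"userName": "bob"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"userName": "svc-backup"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "ec2.amazonaws.com", "userIdentity": {"userName": "AWSService"}},
]


def run_sample():
    """Run the detector over the constructed events with the constructed feed."""
    return detect_tor_events(SAMPLE_EVENTS, load_exit_nodes(TOR_EXIT_LIST_TEXT))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] {a.policy}: {a.user} {a.event_name} from {a.source_ip}")
```

Two details matter in practice. The feed changes daily, so events should be matched against the list that was current at the event's timestamp, not the list fetched today; otherwise an address that left or joined the network in between produces a miss or a false match. And because `CATCH_ALL` fires for any service not in the mapping, the set of service groups decides what is triaged first, not whether the Tor-sourced call is seen at all.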
![Current Threat Detection coverage for the MITRE ATT&CK framework](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/a-picture-containing-table-description-automatica.png)

Prisma Cloud's new TOR-based suspicious activity detection, together with compute provisioning anomaly detection, keeps delivering real customer value. Consider a real customer case: recently, a high-severity incident was detected in one Prisma Cloud customer's Google Cloud environment. The incident triggered both the anomalous compute provisioning policy and the new suspicious activity policies: 4,000 compute instances were created in a short period via 68 anonymous proxy IPs, five of which were TOR exit nodes, and further suspicious activity arrived through four TOR exit nodes. The customer later confirmed that the incident was a real cryptojacking attack. Had Prisma Cloud not identified it promptly, the customer's potential financial loss could have been approximately $50,000 per day or more.

## Begin Detecting Suspicious User Behavior with Prisma Cloud

TOR-based suspicious activity detection is available in Prisma Cloud today, and existing Threat Detection customers can use it immediately. If you want to try out Threat Detection, [request a 30-day trial](https://www.paloaltonetworks.com/prisma/request-a-prisma-cloud-trial) of Cloud Security Posture Management.