Are any of your organizations trusted network assets behaving as TOR relays, bridges, or devices?
To find out, enable Lumeta to ingest NetFlow v9 (or netflow from a similar flow-collection infrastructure and also enable a threat intelligence feed containing TOR intelligence data such as iDefense.
Note: The standard Lumeta requirements are not inclusive of this integration. Additional storage may be required to index a TOR feed.
Configure the TOR feed as follows: