# Automating Response to Suspicious SaaS Access From a Tor Exit Node

By [Arik Day](https://www.paloaltonetworks.com/blog/author/arik-day/?ts=markdown "Posts by Arik Day"), Mar 06, 2025. Security Operations: [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown).
### Introduction

Anonymizing networks like Tor are commonly used to mask user identities and bypass security measures. While Tor has legitimate uses, attackers frequently exploit it to conduct unauthorized access attempts, particularly against software-as-a-service (SaaS) applications. To counteract this threat, [Cortex XSIAM's Response and Remediation Pack](https://cortex.marketplace.pan.dev/marketplace/details/CortexResponseAndRemediation/) includes the [**Suspicious SaaS Access From a Tor Exit Node**](https://xsoar.pan.dev/docs/reference/playbooks/suspicious-saa-s-access-from-a-tor-exit-node) playbook, designed to detect and remediate such suspicious access attempts.

### Threat Overview

Attackers often leverage Tor exit nodes to conduct reconnaissance, attempt credential stuffing, or gain unauthorized access to SaaS environments without revealing their true locations.
This playbook is triggered by the following alerts:

* Suspicious SaaS API call from a Tor exit node
* Suspicious SaaS API call from a Tor exit node via a mobile device
* Suspicious API call from a Tor exit node
* Suspicious Kubernetes API call from a Tor exit node

### Purpose of the Playbook

The **Suspicious SaaS Access From a Tor Exit Node** playbook automates the detection and remediation of unauthorized access by:

* Identifying user sessions originating from Tor exit nodes
* Evaluating the legitimacy of the associated user agent
* Assessing the user's risk level based on behavioral analytics and advanced AI logic
* Enforcing early containment by revoking active sessions
* Providing remediation options for blocking suspicious accounts and Tor-related IPs

### Stages of the Playbook

#### **Early Containment**

* The playbook promptly clears or revokes the user's active sessions and forces re-authentication.
* Depending on the SaaS platform, the playbook utilizes Microsoft Graph or G-Suite Admin to enforce session termination.

![Fig 1: Segment of playbook showcasing automated early containment actions](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/03/word-image-335969-1.png)

Fig 1: Segment of playbook showcasing automated early containment actions

#### **Investigation**

* The playbook retrieves the risk score of the user associated with the access from a Tor exit node.
* It inspects the user agent to determine whether the access is legitimate or indicative of a malicious attack tool or automated behavior.

![Fig 2: Segment of playbook showcasing user risk score checks](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/03/word-image-335969-2.png)

Fig 2: Segment of playbook showcasing user risk score checks

#### **Containment**

* If the user's risk score is high or the user agent is flagged as suspicious, the playbook recommends blocking the account.
* The account can be blocked through Microsoft Graph, G-Suite Admin, or AWS IAM, depending on the cloud provider.

![Fig 3: Segment of the playbook showing automated actions taken if the user is flagged as suspicious](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/03/word-image-335969-3.png)

Fig 3: Segment of the playbook showing automated actions taken if the user is flagged as suspicious

#### **Eradication**

* If Palo Alto Networks PAN-OS is enabled, the playbook suggests blocking Tor exit node IPs using the predefined External Dynamic List (EDL) feature, preventing further anonymous access attempts.

![Fig 4: Playbook segment showcasing automated blocking of Tor IPs using EDLs](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/03/word-image-335969-4.png)

Fig 4: Playbook segment showcasing automated blocking of Tor IPs using EDLs

### Integration Requirements

To enable automated containment and remediation, the necessary integrations should be configured based on the log source that generated the alert:

* **Microsoft Graph User** -- Required for alerts originating from **Azure**, enabling response actions for Microsoft SaaS accounts.
* **Google Workspace Admin** -- Required for alerts from **GCP**, allowing administrative actions within Google Workspaces.
* **AWS IAM** -- Required for alerts from **AWS**, managing cloud infrastructure-related access attempts.
* **PAN-OS** -- Required for **network-wide Tor exit node blocking**, ensuring threat actors cannot use anonymized traffic to evade detection.

### Security Challenges Addressed

* **Detecting Anonymized Access**: Identifies unauthorized access attempts originating from Tor exit nodes.
* **Mitigating Unauthorized API Calls**: Prevents attackers from exploiting SaaS API endpoints for malicious activities.
* **Session Revocation for Suspicious Users**: Immediately disrupts potential account takeovers by revoking user sessions.
* **Enforcing Adaptive Access Control**: Adjusts security controls based on the assessed risk level of the user.

### Conclusion

The [**Suspicious SaaS Access From a Tor Exit Node**](https://xsoar.pan.dev/docs/reference/playbooks/suspicious-saa-s-access-from-a-tor-exit-node) playbook offers a structured approach to identifying and remediating unauthorized Tor-based access attempts. By leveraging automated session revocation, risk assessment, and adaptive containment measures, security teams can effectively mitigate threats posed by anonymized connections.

### Learn More

For more details on the Cortex XSIAM Response and Remediation Pack, visit: [Cortex Response and Remediation Pack](https://cortex.marketplace.pan.dev/marketplace/details/CortexResponseAndRemediation/).
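The decision flow described in the Stages of the Playbook section (check the source address against a Tor exit-node list, inspect the user agent, compare the user's risk score, then choose session revocation, account blocking and EDL blocking according to the platform) can be modeled compactly. The following is an added example written for this page; it is not the playbook's own code and uses no Palo Alto Networks API. The `Alert` fields, the risk threshold of 70, the user-agent patterns, the action labels and the Tor exit-node addresses are all constructed assumptions chosen to illustrate the logic.

```python
"""Constructed model of the triage logic this post describes.

Illustrative code only: not the Cortex XSIAM playbook and not a Palo Alto
Networks API. Alert fields, thresholds, patterns and addresses are assumed.
"""
from dataclasses import dataclass, field
import ipaddress
import re

# Constructed sample of Tor exit-node addresses (not a real list). In a real
# deployment this set would come from a threat-intel feed or an EDL source.
TOR_EXIT_NODES = {
    str(ipaddress.ip_address(x))
    for x in ("198.51.100.23", "203.0.113.77", "2001:db8:ff::9")
}

# Assumed threshold: risk scores at or above this value count as "high".
HIGH_RISK_THRESHOLD = 70

# Assumed indicators of automated or attack tooling in a user agent.
SUSPICIOUS_UA_PATTERNS = [
    re.compile(r"python-requests", re.I),
    re.compile(r"\bcurl/", re.I),
    re.compile(r"\bsqlmap\b", re.I),
    re.compile(r"\bnikto\b", re.I),
    re.compile(r"^$"),  # an empty user agent is treated as suspicious
]

# Assumed mapping of platform -> integration used for each action. Session
# revocation is offered for Azure and GCP only, account blocking for all three,
# mirroring the integrations the post lists.
SESSION_REVOKE = {
    "azure": "revoke-sessions:microsoft-graph",
    "gcp": "revoke-sessions:google-workspace-admin",
}
ACCOUNT_BLOCK = {
    "azure": "block-account:microsoft-graph",
    "gcp": "block-account:google-workspace-admin",
    "aws": "block-account:aws-iam",
}


@dataclass
class Alert:
    user: str
    source_ip: str
    user_agent: str
    risk_score: int
    platform: str  # assumed values: "azure", "gcp" or "aws"
    panos_available: bool = False


@dataclass
class Verdict:
    from_tor: bool
    ua_suspicious: bool
    high_risk: bool
    actions: list = field(default_factory=list)


def is_tor_exit(ip: str) -> bool:
    """Normalise the address and look it up in the exit-node set."""
    try:
        return str(ipaddress.ip_address(ip)) in TOR_EXIT_NODES
    except ValueError:  # malformed address: treat as not matched
        return False


def user_agent_suspicious(ua: str) -> bool:
    """True when the user agent matches any assumed tooling pattern."""
    return any(p.search(ua.strip()) for p in SUSPICIOUS_UA_PATTERNS)


def triage(alert: Alert) -> Verdict:
    """Run the early containment, investigation, containment and eradication
    decisions in order and collect the recommended actions."""
    v = Verdict(
        from_tor=is_tor_exit(alert.source_ip),
        ua_suspicious=user_agent_suspicious(alert.user_agent),
        high_risk=alert.risk_score >= HIGH_RISK_THRESHOLD,
    )
    if not v.from_tor:  # not a Tor exit node: nothing for this flow to do
        return v
    # Early containment: revoke sessions before the investigation outcome.
    if alert.platform in SESSION_REVOKE:
        v.actions.append(SESSION_REVOKE[alert.platform])
    # Containment: block the account when risk is high or the UA looks automated.
    if (v.high_risk or v.ua_suspicious) and alert.platform in ACCOUNT_BLOCK:
        v.actions.append(ACCOUNT_BLOCK[alert.platform])
    # Eradication: EDL-based blocking is only possible when PAN-OS is present.
    if alert.panos_available:
        v.actions.append("block-tor-exit-ips:pan-os-edl")
    return v


def render_edl(ips) -> str:
    """Render addresses as plain text, one entry per line, which is the shape
    a PAN-OS IP-address External Dynamic List consumes."""
    return "\n".join(sorted(str(ipaddress.ip_address(i)) for i in ips)) + "\n"


if __name__ == "__main__":
    sample = Alert("alice", "198.51.100.23", "python-requests/2.31",
                   risk_score=20, platform="azure", panos_available=True)
    print(triage(sample))
    print(render_edl(TOR_EXIT_NODES), end="")
```

Two design points are worth noting. Session revocation happens before the risk score and user agent are evaluated, which is the "early containment" ordering the post describes: a low-risk user with a browser-like user agent still loses active sessions and must re-authenticate, but is not blocked. `render_edl` only shows the list format; the post itself relies on the predefined Tor exit-node EDL that ships with PAN-OS, so a custom list would be needed only if you maintain your own source of addresses.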