# tor\_connection\_external\_internal

**Explanation**

This event is triggered by Netography’s Fusion Portal when it detects traffic originating from a TOR network exit node communicating with monitored hosts. Traffic from the TOR network is not inherently malicious; however, attackers will commonly use the TOR network to hide the origin of other attacks. These attacks might include: password brute forcing, host or vulnerability discovery (scanning), or data exfiltration.

**What to Look For**

Scanning activity from the Internet is very common, and this event is not necessarily concerning or even malicious. Some things to investigate include: traffic to hosts not expected to be reachable from the Internet, lots of requests to a single host, a large volume of data leaving a single host.

**Related MITRE ATT\&CK Categories**

[Command and Control: Proxy, Technique T1090 - Enterprise](https://attack.mitre.org/techniques/T1090)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.fusion.vectra.ai/detection-models/library/attack/tor_connection_external_internal.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.