The DetectTorrentUse rule flags outbound connections recorded by Microsoft Defender for Endpoint (the DeviceNetworkEvents table, ingested into Microsoft Sentinel, formerly Azure Sentinel, through the Microsoft 365 Defender connector) whose remote URL or initiating process name looks like a BitTorrent client or tracker. On a managed endpoint, torrent traffic is rarely sanctioned: it can carry data out of the environment, pull unvetted binaries in, or act as peer-to-peer command and control that blends into ordinary outbound traffic. It is a cheap hunting query rather than a high-fidelity alert; it matches on strings, so a renamed client or an unlisted tracker evades it. SOC teams should run it as a periodic hunt and triage hits against the known-benign scenarios at the end of this page.
KQL Query

```kusto
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("torrent", "vuze", "azureus")
    or InitiatingProcessFileName contains "torrent"
    or InitiatingProcessFileName contains "vuze"
    or InitiatingProcessFileName contains "azureus"
| project Timestamp, ReportId, DeviceId, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
```

Two details of the match matter. `has` and `has_any` are whole-term operators: Kusto splits a string into alphanumeric terms, so `InitiatingProcessFileName has "torrent"` matches `torrent.exe` but not `qbittorrent.exe`, `utorrent.exe` or `rtorrent`; the query therefore uses `contains` on the process name and keeps term matching only on the URL, where substring matching is far noisier. A URL such as `mirror.example.org/distro.iso.torrent` still matches, because the dot is a term delimiter. Second, the match is purely name-based: a client renamed to something innocuous talking to an unlisted tracker produces no hit, and clients whose names carry none of the matched strings (Deluge, Transmission) only surface when the URL side matches. Treat hits as leads, and use the projected RemoteIP and RemotePort to pivot into the rest of the device's traffic rather than relying on this rule alone.

Rule definition (YAML)

```yaml
id: 4011047d-6a0b-4ef0-bf62-d3eda0784e15
name: DetectTorrentUse
description: |
  Custom detection to find use of torrenting software or browsing related to torrents.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
query: |
  DeviceNetworkEvents
  | where Timestamp > ago(7d)
  | where RemoteUrl has_any ("torrent", "vuze", "azureus")
      or InitiatingProcessFileName contains "torrent"
      or InitiatingProcessFileName contains "vuze"
      or InitiatingProcessFileName contains "azureus"
  | project Timestamp, ReportId, DeviceId, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Populated by the Microsoft 365 Defender data connector (connectorId MicrosoftThreatProtection). Ensure the connector is enabled and that the DeviceNetworkEvents event type is selected; without it the query returns nothing rather than failing. |
Known benign activity and how to exclude it. Each exclusion below keys on several columns at once (DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath or InitiatingProcessCommandLine, and where relevant InitiatingProcessAccountName or RemoteUrl), because any one of those fields on its own is trivial for an adversary to mimic.
Scenario: A system administrator uses qBittorrent to download a large software update for the organization's internal repository.
Filter/Exclusion: Exclude events where InitiatingProcessFolderPath is /usr/local/bin/qBittorrent or InitiatingProcessFileName is qbittorrent-nox, and InitiatingProcessCommandLine includes --webui-port or --download-dir=/var/tmp, limited to the mirror host's DeviceName and the administrator's account.
Scenario: A scheduled job runs Deluge to fetch backup files from a remote server using a torrent link.
Filter/Exclusion: Exclude events where InitiatingProcessCommandLine includes --no-gui and the download directory is the known backup path /backup/torrent_downloads, limited to the backup host and the job's service account. The rule only sees this job when RemoteUrl matches (for example a .torrent link), since "deluge" contains none of the matched strings.
Scenario: An IT technician uses Transmission to test a torrent file for malware analysis in a sandboxed environment.
Filter/Exclusion: Exclude the analysis VMs by DeviceName (or keep them out of the production workspace altogether), or exclude events whose InitiatingProcessFolderPath lies within the malware analysis sandbox path. Parent-process names such as vmtoolsd or qemu identify hypervisor tooling rather than a sandbox and make a weak key. As with Deluge, "transmission" matches nothing in the rule, so these events surface only through RemoteUrl.
Scenario: A user browses a torrent site in Mozilla Firefox to search for legitimate open-source software.
Filter/Exclusion: Do not exclude on .torrent or magnet:? in the URL; those are exactly the indicators the rule exists to find. Scope the exclusion to the approved site (RemoteUrl ends with the sanctioned domain) and the browser process (InitiatingProcessFileName firefox.exe), and leave any subsequent connection from a torrent client in scope. DeviceNetworkEvents carries no user-agent string, so that is not a usable filter here.
Scenario: A DevOps team uses rTorrent in a CI/CD pipeline to fetch dependencies from a private torrent repository.
Filter/Exclusion: Exclude events where InitiatingProcessCommandLine includes --auth and the download path is within the CI/CD artifact directory /opt/ci-artifacts, limited to the CI runners' DeviceName and the private tracker's RemoteUrl. The pipeline should still pin those dependencies by hash; the exclusion silences the detection, it does not vouch for the content.
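To check the matching behaviour of the query and the exclusions above without a Sentinel workspace, here is an added Python model that is not part of the rule or of this page. It runs the rule predicate over constructed DeviceNetworkEvents rows, approximating KQL `has` as whole-alphanumeric-term matching and `contains` as substring matching, and encodes the five scenarios as allow-lists. All device names, hosts, accounts, paths and command lines in it are hypothetical.

```python
"""Model of DetectTorrentUse and its documented exclusions over constructed rows."""
import re
from typing import Callable, Dict, List, Tuple

Row = Dict[str, str]

# Constructed DeviceNetworkEvents rows, not real telemetry. Device names, hosts,
# paths and command lines are hypothetical; only the columns used below are kept.
EVENTS: List[Row] = [
    {"DeviceName": "ws-alice", "InitiatingProcessFileName": "qbittorrent.exe",
     "InitiatingProcessCommandLine": "qbittorrent.exe",
     "RemoteUrl": "tracker.example.net", "RemotePort": "6881"},
    {"DeviceName": "repo-mirror-01", "InitiatingProcessFileName": "qbittorrent-nox",
     "InitiatingProcessCommandLine": "/usr/local/bin/qbittorrent-nox --webui-port=8080 --download-dir=/var/tmp",
     "RemoteUrl": "tracker.example.net", "RemotePort": "6881"},
    {"DeviceName": "backup-01", "InitiatingProcessFileName": "deluge-console",
     "InitiatingProcessCommandLine": "deluge-console --no-gui add -p /backup/torrent_downloads nightly.torrent",
     "RemoteUrl": "seed.backup.example/nightly.torrent", "RemotePort": "443"},
    {"DeviceName": "ws-bob", "InitiatingProcessFileName": "firefox.exe",
     "InitiatingProcessCommandLine": "firefox.exe",
     "RemoteUrl": "mirror.example.org/iso/distro-24.04.iso.torrent", "RemotePort": "443"},
    {"DeviceName": "ws-carol", "InitiatingProcessFileName": "updater.exe",  # renamed client
     "InitiatingProcessCommandLine": "updater.exe",
     "RemoteUrl": "peer-42.example.com", "RemotePort": "6889"},
    {"DeviceName": "ci-runner-03", "InitiatingProcessFileName": "rtorrent",
     "InitiatingProcessCommandLine": "rtorrent --auth ci:token -d /opt/ci-artifacts",
     "RemoteUrl": "tracker.internal.example", "RemotePort": "8443"},
    {"DeviceName": "ws-dave", "InitiatingProcessFileName": "utorrent.exe",
     "InitiatingProcessCommandLine": "utorrent.exe",
     "RemoteUrl": "torrent-tracker.example.org", "RemotePort": "6969"},
]

NEEDLES = ("torrent", "vuze", "azureus")
_TERM = re.compile(r"[A-Za-z0-9]+")

def kql_has(value: str, needle: str) -> bool:
    """Approximation of KQL `has`: the needle must equal a whole alphanumeric term
    (case-insensitive). 'qbittorrent' is a single term, so has 'torrent' misses it."""
    return needle.lower() in {t.lower() for t in _TERM.findall(value)}

def kql_contains(value: str, needle: str) -> bool:
    """KQL `contains`: case-insensitive substring match."""
    return needle.lower() in value.lower()

def url_matches(ev: Row) -> bool:
    """URL side of the rule: RemoteUrl has_any ("torrent", "vuze", "azureus")."""
    return any(kql_has(ev["RemoteUrl"], n) for n in NEEDLES)

def matches_has(ev: Row) -> bool:
    """Rule with `has` on the process name: misses qbittorrent.exe, utorrent.exe, rtorrent."""
    return url_matches(ev) or any(kql_has(ev["InitiatingProcessFileName"], n) for n in NEEDLES)

def matches_contains(ev: Row) -> bool:
    """Rule with `contains` on the process name, as in the query on this page."""
    return url_matches(ev) or any(kql_contains(ev["InitiatingProcessFileName"], n) for n in NEEDLES)

# Hypothetical allow-lists standing in for the five documented scenarios.
SEEDBOX_HOSTS = {"repo-mirror-01"}       # administrator's qbittorrent-nox mirror job
BACKUP_HOSTS = {"backup-01"}             # scheduled Deluge backup job
SANDBOX_HOSTS = {"mal-sandbox-07"}       # malware-analysis VMs running Transmission
APPROVED_SITES = {"mirror.example.org"}  # sanctioned open-source mirror browsed in Firefox
CI_RUNNERS = {"ci-runner-03"}            # rTorrent inside the CI/CD pipeline

def is_sanctioned(ev: Row) -> bool:
    """Documented exclusions, each keyed on device AND process AND command line or
    host, so that no single spoofable field is enough to suppress a hit."""
    dev, name = ev["DeviceName"], ev["InitiatingProcessFileName"].lower()
    cmd, host = ev["InitiatingProcessCommandLine"], ev["RemoteUrl"].split("/")[0].lower()
    if dev in SEEDBOX_HOSTS and name == "qbittorrent-nox" and "--webui-port" in cmd:
        return True
    if (dev in BACKUP_HOSTS and name.startswith("deluge") and "--no-gui" in cmd
            and "/backup/torrent_downloads" in cmd):
        return True
    if dev in SANDBOX_HOSTS:
        return True
    if name == "firefox.exe" and host in APPROVED_SITES:
        return True
    if dev in CI_RUNNERS and name == "rtorrent" and "--auth" in cmd and "/opt/ci-artifacts" in cmd:
        return True
    return False

def hunt(events: List[Row], matcher: Callable[[Row], bool]) -> List[Tuple[str, str, str]]:
    """Rows the rule fires on minus sanctioned ones: what an analyst actually triages."""
    return [(e["DeviceName"], e["InitiatingProcessFileName"], e["RemoteUrl"])
            for e in events if matcher(e) and not is_sanctioned(e)]

def only_caught_by_contains(events: List[Row]) -> List[str]:
    """Process names the `has` form misses and the `contains` form catches."""
    return [e["InitiatingProcessFileName"] for e in events
            if matches_contains(e) and not matches_has(e)]

if __name__ == "__main__":
    print("has on file name:     ", hunt(EVENTS, matches_has))
    print("contains on file name:", hunt(EVENTS, matches_contains))
    print("missed by has:        ", only_caught_by_contains(EVENTS))
```

Running it shows the `has` form leaving only the utorrent.exe workstation hit, while the `contains` form also surfaces qbittorrent.exe on ws-alice; the sanctioned mirror, backup, browser and CI rows drop out in both, and the renamed client on ws-carol is invisible to both, which is the limitation the rule's name-based matching carries.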