Understand High risk app usage trigger - FortiAnalyser
Please help me to understand this.
When I checked the Event Monitor by threat (High Risk App Usage), I found out that the application TOR is being used by some computers in the company. Actually, Tor is not installed on any computers. Please let me know why FortiAnalyser shows that. How can we investigate?
1. It can be used to bypass firewall filters (traffic to blocked sites can be accessed through Tor).
2. It is used to access the "dark web".
3. It can put undue stress on your network, and if users are somehow running relays or exit nodes on your network, it can put you on blacklists.
Just like other protocols, you can access these "apps" through web browsers. So just like IRC, or WhatsApp, etc. I don't always need a dedicated app to access these things. A web browser works just the same. And FGT App Control will flag the access to these apps regardless of how they are accessed.
You can investigate by figuring out which devices are accessing the Tor network by looking at FAZ logs. You can also put an app control policy in place to block it if you feel it is required to do so.
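As an added illustration of the investigation step above (this is example code, not from the original post and not a Fortinet tool), here is a small Python script that walks FortiGate-style key=value app-control log lines, as FortiAnalyzer would export them, and groups Tor detections by source IP so you can see which hosts were involved and whether the traffic was passed or blocked. The sample lines are constructed, and the field names (`subtype`, `srcip`, `dstip`, `dstport`, `app`, `action`) are assumptions modelled on the general FortiGate app-ctrl log layout; adjust them to match your own export.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate-style key=value syslog syntax.
# Field names are assumptions based on the app-ctrl log layout; all values are made up.
SAMPLE_LOGS = """\
date=2024-01-15 time=09:12:01 type="utm" subtype="app-ctrl" srcip=10.1.10.23 dstip=203.0.113.7 dstport=443 appcat="Proxy" app="Tor" apprisk="critical" action="pass" hostname="10.1.10.23"
date=2024-01-15 time=09:12:05 type="utm" subtype="app-ctrl" srcip=10.1.10.41 dstip=198.51.100.9 dstport=443 appcat="Web.Client" app="HTTPS.BROWSER" apprisk="medium" action="pass"
date=2024-01-15 time=09:13:44 type="utm" subtype="app-ctrl" srcip=10.1.10.23 dstip=203.0.113.55 dstport=9001 appcat="Proxy" app="Tor" apprisk="critical" action="pass"
date=2024-01-15 time=09:15:02 type="utm" subtype="app-ctrl" srcip=10.1.10.77 dstip=203.0.113.88 dstport=443 appcat="Proxy" app="Tor" apprisk="critical" action="block"
"""

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def find_app_usage(log_text, app_name="Tor"):
    """Group app-control hits for app_name by source IP.

    Returns {srcip: {"count": n, "dst": {"ip:port", ...}, "actions": {"pass"|"block", ...}}}.
    """
    by_src = defaultdict(lambda: {"count": 0, "dst": set(), "actions": set()})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        # Only app-control events for the application we are investigating.
        if f.get("subtype") != "app-ctrl" or f.get("app") != app_name:
            continue
        entry = by_src[f.get("srcip", "?")]
        entry["count"] += 1
        entry["dst"].add(f"{f.get('dstip')}:{f.get('dstport')}")
        entry["actions"].add(f.get("action", "?"))
    return dict(by_src)


def unblocked_sources(usage):
    """Sources whose traffic was passed at least once, i.e. still reaching the Tor network."""
    return sorted(src for src, e in usage.items() if "pass" in e["actions"])


if __name__ == "__main__":
    usage = find_app_usage(SAMPLE_LOGS)
    for src, e in sorted(usage.items()):
        print(f"{src}: {e['count']} hits, actions={sorted(e['actions'])}, dst={sorted(e['dst'])}")
    print("still allowed:", unblocked_sources(usage))
```

The hosts that come back with an action of `pass` are the ones to look at first (a browser-based Tor client or a bundled/portable binary is enough to trigger the signature even with nothing "installed"); the destination list gives you the IP:port pairs to correlate against the relevant sessions.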