Tor Activity to the Internet

Elastic Detection Rules

Summary
This rule identifies potential Tor network activity, which can indicate obfuscated communication to the internet by threat actors. Tor disguises a user's identity and activities by routing traffic through multiple relays, each adding a layer of encryption. The rule matches TCP traffic to ports commonly attributed to Tor relay services (9001, the default ORPort, and 9030, the default DirPort) from source addresses in the private ranges typical of enterprise networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) toward destinations outside those ranges. Because Tor usage is more common on unmanaged or public networks, and because legitimate NATed traffic can also reach these ports, some false positives are expected and alerts should be triaged rather than treated as confirmed. Unexpected Tor traffic from a managed network may indicate command and control, since it is an attempt to communicate outside enterprise control mechanisms.
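The following is an added re-implementation of the detection logic described above, run over constructed sample events. It is not Elastic's rule source; the ECS field names, the exclusion list for non-internet destinations, and the sample events are assumptions made for this example, and the published rule's exact query may differ.

```python
"""Added example: re-implementation of the "Tor Activity to the Internet" logic.

Not Elastic's rule source. Field names follow ECS (event.category, network.transport,
source.ip, destination.ip, destination.port); the non-internet exclusion list is an
assumption for this example and may differ from the published rule.
"""
import ipaddress
from typing import Any, Dict, Iterable, List

# Ports the summary attributes to Tor relay services (default ORPort / DirPort).
TOR_PORTS = {9001, 9030}

# RFC 1918 ranges the summary names as "local" source addresses.
PRIVATE_SOURCE_NETS = [ipaddress.ip_network(n) for n in
                       ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Destinations that are not "the internet": private, loopback, link-local, CGNAT,
# multicast. Assumed list for this example, not the rule's own.
NON_INTERNET_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "100.64.0.0/10", "224.0.0.0/4",
    "::1/128", "fe80::/10", "fc00::/7", "ff00::/8")]


def in_any(ip: str, nets) -> bool:
    """True if `ip` parses and falls inside any network in `nets`."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    # `addr in net` is False across IPv4/IPv6 families, so mixing is safe.
    return any(addr in net for net in nets)


def matches_tor_rule(event: Dict[str, Any]) -> bool:
    """True when the event looks like Tor relay traffic leaving a private network."""
    cats = event.get("event.category", [])
    if isinstance(cats, str):
        cats = [cats]
    if not ({"network", "network_traffic"} & set(cats)):
        return False
    if event.get("network.transport") != "tcp":
        return False
    if event.get("destination.port") not in TOR_PORTS:
        return False
    # Source must be a private address: traffic already NATed to a public source
    # address is deliberately out of scope, which is one of the false-positive trade-offs.
    if not in_any(event.get("source.ip", ""), PRIVATE_SOURCE_NETS):
        return False
    # Destination must be outside the internal ranges, i.e. "the internet".
    if in_any(event.get("destination.ip", ""), NON_INTERNET_NETS):
        return False
    return True


def run_rule(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if matches_tor_rule(e)]


# Constructed sample events (documentation-range public addresses), not real logs.
SAMPLE_EVENTS = [
    {"event.category": "network", "network.transport": "tcp",
     "source.ip": "192.168.1.20", "destination.ip": "203.0.113.5", "destination.port": 9001},
    {"event.category": ["network"], "network.transport": "tcp",
     "source.ip": "10.1.2.3", "destination.ip": "198.51.100.9", "destination.port": 9030},
    # UDP to 9001: not matched, Tor relays speak TCP.
    {"event.category": "network", "network.transport": "udp",
     "source.ip": "192.168.1.21", "destination.ip": "203.0.113.5", "destination.port": 9001},
    # Already-NATed public source: out of scope for this rule.
    {"event.category": "network", "network.transport": "tcp",
     "source.ip": "203.0.113.7", "destination.ip": "198.51.100.9", "destination.port": 9001},
    # Internal destination on 9001: not "to the internet".
    {"event.category": "network", "network.transport": "tcp",
     "source.ip": "10.1.2.4", "destination.ip": "10.9.9.9", "destination.port": 9001},
    # Ordinary HTTPS egress: wrong port.
    {"event.category": "network", "network.transport": "tcp",
     "source.ip": "10.1.2.5", "destination.ip": "203.0.113.5", "destination.port": 443},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT {hit['source.ip']} -> {hit['destination.ip']}:{hit['destination.port']}")
```

Only the first two constructed events fire. The fourth event shows the NAT caveat from the summary: once traffic leaves with a public source address, the private-source filter no longer sees it, so the rule should be placed on sensors that observe traffic before NAT.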
Categories
  • Network
  • Endpoint
  • Cloud
Data Sources
  • Network Traffic
  • Container
  • User Account
ATT&CK Techniques
  • T1090
  • T1090.003
Created: 2020-02-18