Shivammalaviya/Detect Tor connections

## Detect Tor connections
let TorRelayData = (
externaldata (Nickname:string,Fingerprint:string,EntryAddress:string,IPAddress:string,Port:string,AddressType:string,Hostname:string,CountryCode:string,IsRunning:bool,RelayPublishDate:string,LastChangedIPData:string)
[h@'https://torinfo.blob.core.windows.net/public/TorRelayIPs.csv'] with (ignoreFirstRecord=true,format="csv")
| where AddressType == "IPv4"
);
TorRelayData
| join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP
| join kind=inner (DeviceInfo | distinct DeviceId, PublicIP) on DeviceId
| project Timestamp, DeviceId, LocalPublicIP = PublicIP, LocalIP, RemoteIP, TorIP = IPAddress, Hostname, CountryCode, ActionType, InitiatingProcessFileName, InitiatingProcessFolderPath
	let TorRelayData = (
	externaldata (Nickname:string,Fingerprint:string,EntryAddress:string,IPAddress:string,Port:string,AddressType:string,Hostname:string,CountryCode:string,IsRunning:bool,RelayPublishDate:string,LastChangedIPData:string)
	[h@'https://torinfo.blob.core.windows.net/public/TorRelayIPs.csv'] with (ignoreFirstRecord=true,format="csv")
	\| where AddressType == "IPv4"
	);
	TorRelayData
	\| join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP
	\| join kind=inner (DeviceInfo \| distinct DeviceId, PublicIP) on DeviceId
	\| project Timestamp, DeviceId, LocalPublicIP = PublicIP, LocalIP, RemoteIP, TorIP = IPAddress, Hostname, CountryCode, ActionType, InitiatingProcessFileName, InitiatingProcessFolderPath