Hacker News
by 8organicbits 1637 days ago
In my brush with a similar issue, the intrusion detection system flagged Tor traffic as potential malicious traffic. The IDS can't tell if this is malware calling back to a command and control node via Tor.

We allow developers to install their own software, so there isn't a good way to enforce browser policies. We ended up letting the developers know that connections to Tor generate alerts, and that these tie up security resources. That was enough that we haven't seen the issue again.

In our case the developer was using Brave and had opened the private window with Tor. That gave us a plausible explanation that didn't include malware, so we closed the ticket.

I'd say that there are very few legitimate reasons a Tor connection would come from a corporate network. So we'd like to keep the alert on, but any false positives tie up resources. Developers sometimes accidentally install malware, so we need to be vigilant about detecting and remediating that.
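The triage problem described in this comment, an IDS that flags outbound Tor connections but cannot tell a Brave private window from a malware callback, as an added example that is not part of the original comment. The code matches outbound flows against a relay list (a "high" confidence signal) and against common Tor ORPorts (a "low" confidence heuristic on its own), then rolls the hits up per internal host so one user's browsing session produces a single ticket instead of one alert per circuit. The relay addresses, the log format and the log lines are constructed (RFC 5737 documentation ranges); in practice the relay set would come from a Tor consensus snapshot and the flows from your IDS or Zeek conn log.

```python
"""Toy Tor-callback triage over outbound connection logs (added example)."""
from dataclasses import dataclass
import ipaddress

# Constructed relay snapshot (hypothetical values, not real Tor relays).
TOR_RELAYS = {"198.51.100.7", "198.51.100.23", "203.0.113.9"}

# Common Tor ORPorts. Weak signal by itself: plenty of non-Tor services
# listen on 9001, and most relays also answer on 443.
TOR_OR_PORTS = {9001, 9030}

# Internal address space for the corporate network (assumed).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed conn log: "ts src_ip dst_ip dst_port proto" per line.
SAMPLE_LOG = """\
1700000000 10.1.2.3 198.51.100.7 443 tcp
1700000001 10.1.2.3 198.51.100.23 9001 tcp
1700000002 10.1.2.3 203.0.113.9 443 tcp
1700000003 10.1.2.4 192.0.2.10 443 tcp
1700000004 10.1.2.4 192.0.2.11 9001 tcp
1700000005 10.1.2.5 192.0.2.12 80 tcp
"""


@dataclass
class Alert:
    src: str
    confidence: str  # "high" if any known relay was contacted, else "low"
    relay_hits: int
    port_hits: int
    first_ts: int
    last_ts: int


def parse_conn_log(text):
    """Parse the constructed log format into (ts, src, dst, port, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split()
        flows.append((int(ts), src, dst, int(port), proto))
    return flows


def classify_flow(src, dst, port, proto):
    """Return 'relay', 'port', or None for a single flow.

    Only outbound TCP from internal hosts is considered; a relay-list match
    outranks the port heuristic.
    """
    if ipaddress.ip_address(src) not in INTERNAL:
        return None
    if ipaddress.ip_address(dst) in INTERNAL:
        return None
    if proto != "tcp":
        return None
    if dst in TOR_RELAYS:
        return "relay"
    if port in TOR_OR_PORTS:
        return "port"
    return None


def detect(flows):
    """Roll matching flows up into one Alert per internal source host."""
    alerts = {}
    for ts, src, dst, port, proto in flows:
        kind = classify_flow(src, dst, port, proto)
        if kind is None:
            continue
        a = alerts.setdefault(
            src, Alert(src=src, confidence="low", relay_hits=0,
                       port_hits=0, first_ts=ts, last_ts=ts))
        if kind == "relay":
            a.relay_hits += 1
            a.confidence = "high"
        else:
            a.port_hits += 1
        a.first_ts = min(a.first_ts, ts)
        a.last_ts = max(a.last_ts, ts)
    return sorted(alerts.values(), key=lambda a: a.src)


if __name__ == "__main__":
    for alert in detect(parse_conn_log(SAMPLE_LOG)):
        print(alert)
```

Rolling up per host is what keeps a single Brave Tor session from consuming analyst time many times over: the ticket still has to be opened and explained once, as in the comment, but the second and hundredth circuit from the same machine do not each become a new one. The confidence field is the other lever; a "low" alert from the port heuristic alone is a candidate for suppression, while a relay-list match is what you actually want a human to look at.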