<  Back to rules search

Potential cryptomining detected through IP callback





Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.


Detect when a host is potentially infected with a cryptominer.


This rule compares the @network.client.ip standard attribute to a curated list of cryptomining pools.

Triage and response

  1. Determine if the {{host}} host should be contacting a cryptomining pool.
  2. If not, begin your company’s IR process.

Note You can use the signal sidepanel to assist with the initial investigation by looking at CPU utilization and processes to identify unauthorized activity.


  • 8 April 2022 - Initial beta release to select organizations.
  • 13 April 2022 - Added additional filters for specific ports to reduce false positives.
  • 26 April 2022 - Removed restrictedToOrgs settings, launching rule to all of production.