Potential cryptomining detected through IP callback
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when a host is potentially infected with a cryptominer.
Strategy
This rule compares the @network.client.ip
standard attribute to a curated list of cryptomining pools.
Triage and response
- Determine if the
{{host}}
host should be contacting a cryptomining pool. - If not, begin your company’s IR process.
Note You can use the signal sidepanel to assist with the initial investigation by looking at CPU utilization and processes to identify unauthorized activity.
Changelog
- 8 April 2022 - Initial beta release to select organizations.
- 13 April 2022 - Added additional filters for specific ports to reduce false positives.
- 26 April 2022 - Removed
restrictedToOrgs
settings, launching rule to all of production.