Cloud provider activity observed from IP associated with cryptomining

This rule is part of a beta feature. To learn more, contact Support.

Classification:

threat-intel

Tactic:

Technique:

Goal

Detect when a host in AWS, GCP, or Azure is potentially infected with a cryptominer.

This rule compares the @network.client.ip standard attribute to a curated threat intelligence list of known cryptomining IP addresses.

Determine if the resource should be contacting a cryptomining associated IP address.
If not, begin your company’s incident response process.