Potential Google Cloud cryptomining attack from Tor IP


Detect when a Google Compute Engine cryptomining attack is observed from a Tor IP.


This rule monitors Google Cloud Audit Logs to determine when a compute network creation, compute image creation, or firewall rule creation event coincides with the creation of a compute engine and originates from a Tor client. Datadog enriches all ingested logs with expert-curated threat intelligence in real time. An attacker may use a Tor client to anonymize their true origin.

Triage and response

  1. Determine if the actions {{@evt.name}} taken by the user {{@usr.id}} from Tor IP address: {{@network.client.ip}} are legitimate by looking at past activity and the type of API calls occurring.
  2. Furthermore, use the Cloud SIEM - IP Investigation & User Investigation dashboards to see if the IP address: {{@network.client.ip}} & {{@usr.id}} have taken other actions.
  3. If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process and investigate.


  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.