WARNING: This rule is being deprecated on 16 July 2025.

Goal

Detect when a host in AWS, GCP, or Azure is potentially infected with a cryptominer.

Strategy

This rule compares the @network.client.ip standard attribute to a curated threat intelligence list of known cryptomining IP addresses.

Triage and response

1. Determine if the resource should be contacting a cryptomining associated IP address.
2. If not, begin your company’s incident response process.