Rules: Crypto Miner User Agent
Observes for several known cryptominer user agents
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Unknown/Other |
| Apply Risk to Entities | device_hostname, srcDevice_hostname, user_username, srcDevice_ip |
| Signal Name | Crypto Miner User Agent |
| Summary Expression | User agent string: {{http_userAgent}} contains keywords associated with crypto miners |
| Score/Severity | Static: 5 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0011, _mitreAttackTechnique:T1071.001, _mitreAttackTechnique:T1071, _mitreAttackTechnique:T1496 |
- Akamai - SIEM
- Amazon AWS - AWS S3 Server Access Logs
- Amazon AWS - CloudFront
- Amazon AWS - CloudTrail
- Amazon AWS - Elastic Load Balancer
- Amazon AWS - Web Application Firewall (WAF)
- Bro - Bro
- Cloudflare - Logpush
- Forcepoint - Web Security
- Microsoft - IIS
- Okta - Single Sign-On
| Origin | Field |
|---|---|
| Normalized Schema | device_hostname |
| Normalized Schema | http_userAgent |
| Normalized Schema | srcDevice_hostname |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | user_username |