Rules: Crypto Miner User Agent
Looks for several known cryptominer user agent strings in HTTP request logs.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Unknown/Other |
| Apply Risk to Entities | device_hostname, srcDevice_hostname, user_username, srcDevice_ip |
| Signal Name | Crypto Miner User Agent |
| Summary Expression | User agent string: {{http_userAgent}} contains keywords associated with crypto miners |
| Score/Severity | Static: 5 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0011, _mitreAttackTechnique:T1071.001, _mitreAttackTechnique:T1071, _mitreAttackTechnique:T1496 |
- Akamai - SIEM
- Amazon AWS - AWS S3 Server Access Logs
- Amazon AWS - CloudFront
- Amazon AWS - CloudTrail
- Amazon AWS - Elastic Load Balancer
- Amazon AWS - Web Application Firewall (WAF)
- Bro - Bro
- Cloudflare - Logpush
- Forcepoint - Web Security
- Microsoft - IIS
- Okta - Single Sign-On
| Origin | Field |
|---|---|
| Normalized Schema | device_hostname |
| Normalized Schema | http_userAgent |
| Normalized Schema | srcDevice_hostname |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | user_username |