Managed Sentinel – Alert 226

Alert ID: MS-A226
Alert Name: Squid proxy events related to mining pools
Description: Checks for Squid proxy events associated with common mining pools. This query presumes the default Squid log format is being used.
Severity Level: Low
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Privilege Escalation, Credential Access, Lateral Movement
Log Sources: Web Proxy
False Positives: N/A
Recommendations:
1. Traffic to known mining pools can be blocked through the use of network blacklists and whitelists.
2. Perform a full AV/AM scan of the internal machine.
3. Investigate in Azure Sentinel whether any lateral attacks were carried out from the same entity (account or IP address).
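The detection described above, as an added illustration that is not the Managed Sentinel query itself: it parses lines in Squid's default (native) access.log format, extracts the destination host from both CONNECT and full-URL requests, and flags clients whose destination matches a mining-pool denylist. The pool hostnames and log lines are constructed placeholders; a real deployment would feed the same logic with its own blocklist and logs.

```python
from urllib.parse import urlsplit

# Constructed denylist of mining-pool hostnames (placeholders, not real pools).
# In production this would be the blocklist the recommendations refer to.
MINING_POOL_HOSTS = {"pool.example-mining.test", "stratum.example-pool.test"}

# Constructed sample lines in Squid's default (native) access.log format:
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1700000000.123    120 10.0.0.5 TCP_TUNNEL/200 4523 CONNECT pool.example-mining.test:3333 - HIER_DIRECT/203.0.113.10 -
1700000001.456     80 10.0.0.7 TCP_MISS/200 1024 GET http://www.example.com/index.html - HIER_DIRECT/198.51.100.1 text/html
1700000002.789    200 10.0.0.9 TCP_MISS/200 2048 GET http://eu.stratum.example-pool.test/stats - HIER_DIRECT/203.0.113.20 text/html
"""

def host_from_url(url: str) -> str:
    """Return the hostname from a Squid URL field (CONNECT host:port or a full URL)."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()  # CONNECT form is host:port

def is_pool_host(host: str, pools=MINING_POOL_HOSTS) -> bool:
    """True if the host is a listed pool or any subdomain of one."""
    return any(host == p or host.endswith("." + p) for p in pools)

def find_pool_connections(log_text: str, pools=MINING_POOL_HOSTS):
    """Parse native-format lines; return (client_ip, host, url) for each pool hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or malformed lines instead of failing the run
        client_ip, url = fields[2], fields[6]
        host = host_from_url(url)
        if is_pool_host(host, pools):
            hits.append((client_ip, host, url))
    return hits

if __name__ == "__main__":
    for client_ip, host, url in find_pool_connections(SAMPLE_LOG):
        print(f"{client_ip} -> {host} ({url})")
```

Each hit gives the internal client IP to carry into the AV/AM scan and lateral-movement review from the recommendations.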