Suspicious Mining Process Creation Event

Elastic Detection Rules

Summary
This Elastic detection rule flags the creation, on Linux hosts, of systemd service files whose names are associated with cryptominers, such as 'aliyun.service' and 'moneroocean_miner.service' (the rule's list contains further names). A match suggests a miner has been dropped and is establishing persistence as a service, which both consumes CPU for unauthorized cryptocurrency mining and indicates the host was already compromised by whatever wrote the file.

The rule relies on file events collected by Elastic Defend, so it requires the Elastic Defend integration to be deployed through Elastic Agent on the endpoints being monitored. A file-name match on its own is a weak indicator: when the rule fires, confirm it by reading the created unit file (in particular the command it executes), checking when it was created and by which process and user, looking for the corresponding running process and its outbound connections, and comparing those indicators against threat intelligence.

Response follows from that triage: isolate the affected host, stop and disable the service and terminate its process, and run a full scan of the system before returning it to service.
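The matching logic described above, run over a few constructed ECS-style file events, as an added example. This is not Elastic's rule code: the field names follow the Elastic Common Schema, the name list is limited to the two names the summary quotes (the real rule matches more), and the triage fields and the systemd unit directories are this example's own choices.

```python
"""Toy re-implementation of a miner-service-file detection over ECS-style events.

Added example, not the Elastic rule itself. The real rule's file-name list is
longer than the two names quoted in the summary; only those two are used here.
"""
import json

# Service file names quoted in the summary. The real rule matches more (assumption: treat as placeholder list).
MINER_SERVICE_NAMES = frozenset({"aliyun.service", "moneroocean_miner.service"})

# Directories systemd loads unit files from; used only for triage enrichment.
UNIT_DIRS = (
    "/etc/systemd/system/",
    "/usr/lib/systemd/system/",
    "/lib/systemd/system/",
    "/run/systemd/system/",
)


def get(event, dotted, default=None):
    """Fetch a dotted ECS field such as 'file.name' from a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def has(event, dotted, value):
    """True if the field equals value, or contains it when ECS stores it as a list."""
    found = get(event, dotted)
    if isinstance(found, list):
        return value in found
    return found == value


def matches_rule(event):
    """Linux file-creation event whose file name is a known miner service name."""
    return (
        has(event, "host.os.type", "linux")
        and has(event, "event.category", "file")
        and has(event, "event.type", "creation")
        and get(event, "file.name") in MINER_SERVICE_NAMES
    )


def triage(event):
    """Fields an analyst wants first when the rule fires."""
    path = get(event, "file.path", "") or ""
    return {
        "timestamp": get(event, "@timestamp"),
        "host": get(event, "host.name"),
        "file.path": path,
        "in_unit_dir": path.startswith(UNIT_DIRS),
        "process": get(event, "process.executable"),
        "parent": get(event, "process.parent.executable"),
        "user": get(event, "user.name"),
    }


def run(events):
    """Return triage records for every event the rule matches."""
    return [triage(e) for e in events if matches_rule(e)]


def _event(ts, host, os_type, etype, name, path, exe, parent, user):
    """Build a constructed ECS-shaped event (sample data, not real telemetry)."""
    return {
        "@timestamp": ts,
        "host": {"name": host, "os": {"type": os_type}},
        "event": {"category": ["file"], "type": [etype], "action": "creation"},
        "file": {"name": name, "path": path},
        "process": {"executable": exe, "parent": {"executable": parent}},
        "user": {"name": user},
    }


# Constructed sample events: one true positive, one benign unit, one wrong OS, one deletion.
SAMPLE_EVENTS = [
    _event("2023-02-08T10:15:02Z", "web-01", "linux", "creation",
           "aliyun.service", "/etc/systemd/system/aliyun.service",
           "/usr/bin/bash", "/usr/bin/curl", "root"),
    _event("2023-02-08T10:16:40Z", "web-01", "linux", "creation",
           "nginx.service", "/lib/systemd/system/nginx.service",
           "/usr/bin/dpkg", "/usr/bin/apt-get", "root"),
    _event("2023-02-08T10:17:11Z", "mac-02", "macos", "creation",
           "moneroocean_miner.service", "/tmp/moneroocean_miner.service",
           "/bin/zsh", "/usr/bin/login", "dev"),
    _event("2023-02-08T10:18:55Z", "web-01", "linux", "deletion",
           "moneroocean_miner.service", "/etc/systemd/system/moneroocean_miner.service",
           "/usr/bin/rm", "/usr/bin/bash", "root"),
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(json.dumps(hit, indent=2))
```

Only the first sample fires: the name list, the OS check and the event type each exclude one of the others. The triage record carries the creating process, its parent and the user so the analyst can start the verification steps above from the alert itself rather than from a bare file name.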
Categories
  • Endpoint
Data Sources
  • Process
  • File
  • Logon Session
ATT&CK Techniques
  • T1059
  • T1059.004
Created: 2023-02-08