This talk will be a walkthrough of how I built a detection engine focused on finding cryptocoin miners within an AWS architecture. It utilizes AWS Flow Logs as the data source and multiple statistical analysis techniques for both massaging the data and performing the actual detection. AWS Flow Logs do not function as traditional per-packet 5-tuple captures. Instead, the data is aggregated over a 10-minute period, organized by unique IP address and port numbers. This presents a unique challenge for building a detection model, as you don't have detailed per-packet logs. The methodology itself follows an iterative design: look for a pattern, implement it in code, check for false positives. This is repeated until we have a sufficiently knowledgeable model capable of flagging cryptocoin mining traffic with a minimal false positive rate. The techniques discussed include cluster analysis via k-means and DBSCAN, convex hulls, linear regression analysis, nearest neighbor, and several other simple but very powerful statistical analysis techniques. The final implementation will be built on top of ELK, culminating in a turn-key release that owners can drop into their environments.
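As an added illustration (not code from the talk), the sketch below shows the data-preparation step the abstract describes: parsing aggregated flow records and collapsing them into one feature row per conversation, which is the input a clustering or regression stage would consume. The records are constructed, the field order is the default VPC Flow Logs format, and the chosen features (`bytes_per_packet`, `byte_cv`) are assumptions rather than the speaker's model.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Default VPC Flow Logs field order (version 2 records).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed records: one steady conversation, one bursty one, one NODATA line.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.7 49152 8443 6 120 14400 1600000000 1600000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.7 49152 8443 6 120 14400 1600000600 1600001200 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.7 49152 8443 6 120 14400 1600001200 1600001800 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.1.9 198.51.100.20 50211 443 6 3 1500 1600000000 1600000600 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.1.9 198.51.100.20 50344 443 6 60 90000 1600000600 1600001200 ACCEPT OK
2 123456789012 eni-0e5f6a7b - - - - - - - 1600001200 1600001800 - NODATA
"""

def parse(line):
    """Return one record as a dict, or None for NODATA/SKIPDATA or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # these lines carry "-" placeholders, not traffic
    rec.update((k, int(rec[k])) for k in INT_FIELDS)
    return rec

def features(text):
    """Collapse records into one feature row per (srcaddr, dstaddr, dstport)."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse, text.splitlines())):
        groups[(rec["srcaddr"], rec["dstaddr"], rec["dstport"])].append(rec)
    rows = {}
    for key, recs in groups.items():
        per_window = [r["bytes"] for r in recs]
        rows[key] = {
            "windows": len(recs),                       # aggregation windows seen
            "total_bytes": sum(per_window),
            "bytes_per_packet": sum(per_window) / sum(r["packets"] for r in recs),
            # Coefficient of variation: 0.0 means identical volume every window.
            "byte_cv": pstdev(per_window) / mean(per_window) if sum(per_window) else 0.0,
        }
    return rows

if __name__ == "__main__":
    for key, row in features(SAMPLE).items():
        print(key, row)
```

The source port is left out of the grouping key because ephemeral ports change between connections, which would otherwise split one conversation across many rows.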