You have two ways to approach this:
• Collect all network and process data and do the specific searches to determine crypto mining on the log aggregation side.
• Hone the queries so you'll hit most of the mining IoCs and only collect when searches produce output.
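The two approaches side by side, as an added example that is not part of the original text. The indicator lists (miner process names, the stratum URL scheme, pool ports) and the sample events are illustrative assumptions to tune for your environment.

```python
import re

# Illustrative indicators (assumptions, not from the original text).
MINER_NAMES = {"xmrig", "minerd", "cpuminer"}
STRATUM_RE = re.compile(r"stratum\+(tcp|ssl)://", re.I)
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}

# Constructed sample events, shaped like records an endpoint agent might emit.
EVENTS = [
    {"host": "web01", "proc": "nginx", "cmdline": "nginx -g daemon off;", "dport": 443},
    {"host": "web01", "proc": "xmrig", "cmdline": "./xmrig -o stratum+tcp://pool.example:3333", "dport": 3333},
    {"host": "db02", "proc": "postgres", "cmdline": "postgres -D /var/lib/pg", "dport": 5432},
    {"host": "ci03", "proc": "kworkerd", "cmdline": "kworkerd --url stratum+ssl://pool.example:443", "dport": 443},
    {"host": "ci03", "proc": "curl", "cmdline": "curl https://example.org", "dport": 443},
]

def mining_reasons(event):
    """Return the indicators an event matches (empty list if none)."""
    reasons = []
    if event["proc"].lower() in MINER_NAMES:
        reasons.append("process_name")
    if STRATUM_RE.search(event["cmdline"]):
        reasons.append("stratum_url")
    if event["dport"] in POOL_PORTS:
        reasons.append("pool_port")
    return reasons

def aggregate_then_search(events):
    """Approach 1: ship every event, run the search on the aggregation side."""
    shipped = list(events)
    hits = [(e["host"], e["proc"], mining_reasons(e)) for e in shipped if mining_reasons(e)]
    return len(shipped), hits

def search_then_collect(events):
    """Approach 2: run the query on the endpoint, ship only matching events."""
    shipped = [e for e in events if mining_reasons(e)]
    hits = [(e["host"], e["proc"], mining_reasons(e)) for e in shipped]
    return len(shipped), hits

if __name__ == "__main__":
    for fn in (aggregate_then_search, search_then_collect):
        count, hits = fn(EVENTS)
        print(f"{fn.__name__}: shipped={count} hits={hits}")
```

Both functions return the same hits; only the number of events shipped differs. With the second approach, events that matched no indicator are never collected, so they cannot be searched later when the indicator list changes.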