Bad External Host
This alert occurs when Lacework detects a bad external host, contacted by an application, that is seen for the first time ever in the data center. The host appears as a “new node” in the Polygraph.
Why this Alert is Important
This alert typically indicates suspicious or malicious activity, which can involve malware command-and-control communications, coinmining, malware downloads, and more.
Investigation
Investigate the domain's threat tags and open-source information to determine its history. Compare this information with the underlying applications and processes associated with the communication to determine whether the connection may be malicious. Investigate byte transfers and subsequent connections to the external host to understand how much communication occurred. Investigate related events such as other suspicious connections, FIM alerts, and other suspicious activity.
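The following is an added example, not Lacework's own code, showing the alert condition described at the top of this page (a destination contacted for the first time) and the investigation steps above run over a small set of constructed connection records: look up threat tags for each first-seen host, list the source hosts and processes behind the communication, total the bytes transferred, and count subsequent connections. The record field names, the baseline of previously seen hosts, the threat-tag lookup and the severity heuristic are all assumptions made for this example; in practice these come from the Polygraph, the agent's connection data and an intel feed.

```python
"""Added example (not Lacework's own code): triage of a first-seen external host
from constructed connection records.

Field names, the baseline set, the threat-tag list and the severity rule are
assumptions made for this example.
"""
from collections import OrderedDict

# Constructed sample of outbound connections reported by agents, one record per
# connection: ISO-8601 UTC timestamp, source host, process, destination name
# (or the bare IP when nothing was resolved), resolved IP, bytes each way.
CONNECTIONS = [
    {"ts": "2024-05-01T10:00:00Z", "host": "web-01", "proc": "nginx", "dst": "cdn.example.org", "dst_ip": "203.0.113.10", "bytes_out": 1200, "bytes_in": 48000},
    {"ts": "2024-05-01T10:05:00Z", "host": "web-01", "proc": "nginx", "dst": "cdn.example.org", "dst_ip": "203.0.113.10", "bytes_out": 900, "bytes_in": 52000},
    {"ts": "2024-05-01T10:07:00Z", "host": "db-03", "proc": "apt", "dst": "mirror.example.org", "dst_ip": "203.0.113.20", "bytes_out": 2500, "bytes_in": 31000000},
    {"ts": "2024-05-01T10:12:00Z", "host": "app-02", "proc": "curl", "dst": "updates-mirror.example.net", "dst_ip": "203.0.113.77", "bytes_out": 400, "bytes_in": 2100000},
    {"ts": "2024-05-01T10:13:00Z", "host": "app-02", "proc": "kworkerd", "dst": "updates-mirror.example.net", "dst_ip": "203.0.113.77", "bytes_out": 8000, "bytes_in": 300},
    {"ts": "2024-05-01T10:14:00Z", "host": "app-02", "proc": "kworkerd", "dst": "203.0.113.99", "dst_ip": "203.0.113.99", "bytes_out": 700, "bytes_in": 120},
    {"ts": "2024-05-01T10:15:00Z", "host": "app-02", "proc": "kworkerd", "dst": "203.0.113.99", "dst_ip": "203.0.113.99", "bytes_out": 700, "bytes_in": 120},
    {"ts": "2024-05-01T10:16:00Z", "host": "app-02", "proc": "kworkerd", "dst": "203.0.113.99", "dst_ip": "203.0.113.99", "bytes_out": 700, "bytes_in": 120},
]

# Destinations already seen before this window (existing nodes). Assumed baseline.
BASELINE = {"cdn.example.org"}

# Constructed local threat-tag lookup standing in for an intel feed.
THREAT_TAGS = {"updates-mirror.example.net": ["malware-download", "c2"]}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def first_seen_hosts(conns, baseline):
    """Return destinations not in the baseline, ordered by first contact (the 'new node' condition)."""
    seen = OrderedDict()
    for c in sorted(conns, key=lambda c: c["ts"]):  # ISO-8601 UTC strings sort chronologically
        if c["dst"] not in baseline:
            seen.setdefault(c["dst"], None)
    return list(seen)


def summarize_host(conns, dst):
    """Aggregate which hosts and processes talked to dst, how often, and how much data moved."""
    rows = [c for c in conns if c["dst"] == dst]
    return {
        "dst": dst,
        "dst_ips": sorted({c["dst_ip"] for c in rows}),
        "source_hosts": sorted({c["host"] for c in rows}),
        "processes": sorted({c["proc"] for c in rows}),
        "connections": len(rows),
        "bytes_out": sum(c["bytes_out"] for c in rows),
        "bytes_in": sum(c["bytes_in"] for c in rows),
        "first_seen": min(c["ts"] for c in rows),
        "last_seen": max(c["ts"] for c in rows),
    }


def severity(summary, tags):
    """Example heuristic only: a tagged host ranks highest; repeated contact with, or a large
    outbound transfer to, an untagged new host still deserves a closer look."""
    if tags:
        return "high"
    if summary["connections"] >= 3 or summary["bytes_out"] >= 1_000_000:
        return "medium"
    return "low"


def triage(conns, baseline, threat_tags):
    """Build one finding per first-seen host, highest severity first."""
    findings = []
    for dst in first_seen_hosts(conns, baseline):
        s = summarize_host(conns, dst)
        s["tags"] = list(threat_tags.get(dst, []))
        s["severity"] = severity(s, s["tags"])
        findings.append(s)
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["first_seen"]))
    return findings


if __name__ == "__main__":
    for f in triage(CONNECTIONS, BASELINE, THREAT_TAGS):
        print(f"[{f['severity']:6}] {f['dst']} tags={f['tags']} hosts={f['source_hosts']} "
              f"procs={f['processes']} conns={f['connections']} out={f['bytes_out']} in={f['bytes_in']}")
```

In the constructed sample the tagged host surfaces first along with the two processes that contacted it (a download tool followed by a process that keeps calling back), the untagged bare IP ranks next because the same process contacted it repeatedly afterwards, and the large inbound transfer from the package mirror ranks last, which is the kind of ordering that lets an analyst compare the threat-tag evidence against the process and byte-count context before deciding whether the connection is malicious.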
Resolution
Determine if the activity is malicious. If it is malicious, take steps to restore the affected systems to a known clean state. If possible, implement sinkholing or blocking of the domain to prevent reinfection.