Bad External Server DNS Connection
This alert occurs when Lacework detects an internal host connected to an external host, identified by its domain name, has been flagged as malicious by intelligence sources. If a connection cannot be associated with an application, Lacework generates a machine alert.
Why this Alert is Important
This alert may be the result of a compromised application, malware, or an internal test. The malicious domain may be associated with C&C or crypto mining.
Investigation
Verify that the domain was added to a denylist or blocklist using other sources. Examine any data transfer and determine if meaningful data has been exchanged - over 10 KB per connection. Look at the direction of transfer. For example, if this machine does not typically connect to the Internet, even data transfer less than 10 KB per connection may indicate C&C (Command-and-Control).
Resolution
If the domain is confirmed to be malicious, block the URL and scan the host. Perform local forensics and then restore the host to a known good state.