New Child Launched

This alert occurs when Lacework detects a process on a host running the Lacework agent launches a child process for the first time.

Why this Alert is Important

An unauthorized child process may cause any number of risks to the host and network, such as running non-approved software and terminal sessions, introducing unapproved file, and launching unauthorized terminal sessions. List of data center processes is for the most part static. New applications are sometimes introduced as part of service offering or internal tooling changes, but their introduction may indicate malicious activity.

Investigation

Identify the new child process. Is its introduction expected? If not, research the application and its purpose. Perform local forensics, look for signs of lateral movement.

Resolution

Determine if the process and its use are expected and benign. If it appears to be possible malicious use of an existing administrative tool, review logs from both source and destination machines. Disable the user and take the necessary steps to restore either host to a known, clean state.