New External Client IP Address
This alert occurs when Lacework detects that a new external client IP address has connected to an internal host running a Lacework agent. The client was unknown to the host before this connection.
Why this Alert is Important
This alert may indicate that an IP address is attempting to connect to an Internet-facing service in your infrastructure. These connection attempts may include automated port scanning, service discovery, brute-forcing, or application exploitation. Such an alert may highlight services that have been mistakenly exposed to the Internet.
Investigation
Investigate threat tags and any open source information to determine what activity has been associated with this IP address in the past. Examine the number of connections and the size of the data transfer for each connection to determine whether meaningful data has been transferred (over 10 KB per connection). If available, review any relevant logs for successful login activity from the remote IP.
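The triage steps above can be scripted. The following is an added example, not Lacework code: it applies the 10 KB per-connection test and checks OpenSSH sshd log lines for successful logins from the same IP. The record field names, the sample data, the verdict labels, and the choices of 1 KB = 1024 bytes and of summing both directions are assumptions.

```python
import re
from collections import defaultdict

# The page's "over 10 KB per connection"; 1 KB = 1024 bytes is an assumption.
THRESHOLD_BYTES = 10 * 1024

# Constructed sample records (hypothetical field names, not a Lacework export schema).
CONNECTIONS = [
    {"src_ip": "203.0.113.7", "dst_port": 22, "bytes_in": 48_000, "bytes_out": 310_000},
    {"src_ip": "203.0.113.7", "dst_port": 22, "bytes_in": 900, "bytes_out": 1_200},
    {"src_ip": "198.51.100.23", "dst_port": 22, "bytes_in": 2_100, "bytes_out": 2_800},
    {"src_ip": "198.51.100.23", "dst_port": 443, "bytes_in": 600, "bytes_out": 700},
]
# Constructed OpenSSH sshd log lines.
AUTH_LOG = """\
Jan 10 03:12:01 web1 sshd[4121]: Failed password for root from 198.51.100.23 port 40022 ssh2
Jan 10 03:12:04 web1 sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 40031 ssh2
Jan 10 03:15:40 web1 sshd[4177]: Accepted password for deploy from 203.0.113.7 port 51234 ssh2
"""

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")

def triage(connections, auth_log, threshold=THRESHOLD_BYTES):
    """Summarise, per external IP, connection counts, large transfers and login outcomes."""
    report = defaultdict(lambda: {"connections": 0, "large_connections": 0,
                                  "ports": set(), "accepted_users": set(),
                                  "failed_logins": 0})
    for conn in connections:
        entry = report[conn["src_ip"]]
        entry["connections"] += 1
        entry["ports"].add(conn["dst_port"])
        # The size test is per connection, not on the per-IP total.
        if conn["bytes_in"] + conn["bytes_out"] > threshold:
            entry["large_connections"] += 1
    for outcome, user, ip in LOGIN_RE.findall(auth_log):
        if outcome == "Accepted":
            report[ip]["accepted_users"].add(user)
        else:
            report[ip]["failed_logins"] += 1
    for entry in report.values():
        # Escalate when data moved or a login succeeded; otherwise treat as probing.
        hit = entry["large_connections"] or entry["accepted_users"]
        entry["verdict"] = "investigate" if hit else "likely scan/probe"
    return dict(report)

if __name__ == "__main__":
    for ip, entry in sorted(triage(CONNECTIONS, AUTH_LOG).items()):
        print(ip, entry)
```

An IP with only failed logins and small transfers across several ports matches the scanning and brute-forcing pattern; an accepted login or a large transfer is what moves the alert into the resolution steps.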
Resolution
Determine whether the activity associated with the IP address was successful. If it was, inspect for signs of persistence and lateral movement. If the activity is determined to be malicious, block future communications from the IP.