
New External Host Server Connection

This alert fires when Lacework detects that a process on an internal host running a Lacework agent has made a connection to an external host that the process has never connected to before.

Why this Alert is Important

North-south traffic into and out of a data center is usually predictable: the same applications talk to the same set of external hosts. An outbound connection from an internal host to an external host it has never contacted before breaks that pattern and may indicate malicious activity.

Investigation

Identify the application that made the connection. Is it well known and expected to run in the data center? If the application is known, determine whether it should be making outbound connections at all, and research the destination host. If it is not clear that the destination host is benign, look for subsequent connections from the same source to the same host. Regular, patterned communication (for example, connections at a fixed interval) suggests automation, which could be a legitimate scheduled job or an unknown data leak.
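The following is an added example of the two checks described above, written for this page and not taken from Lacework's product or its data format: it flags the first connection from each (host, process) pair to an external destination that is not in a known baseline, then measures whether the follow-up connections to that destination arrive at a regular interval. The connection log, the internal address ranges, the baseline and the 0.2 coefficient-of-variation threshold are all constructed assumptions for the demonstration.

```python
"""First-seen external destination check plus an interval-regularity (beaconing) check.

Added example for the alert described above; the log format, host names,
internal ranges and thresholds below are assumptions, not Lacework's.
"""
import ipaddress
import statistics
from datetime import datetime
from typing import NamedTuple, Optional

# Assumed internal address space for the data center (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: "<timestamp> <src_host> <process> <dst_ip>:<dst_port>".
SAMPLE_LOG = """\
2024-05-01T09:55:00 web01 nginx 93.184.216.34:443
2024-05-01T09:57:00 web01 nginx 93.184.216.34:443
2024-05-01T10:00:00 web01 curl 203.0.113.7:8443
2024-05-01T10:00:30 web01 python3 10.0.0.9:5432
2024-05-01T10:03:00 db01 backup-agent 198.51.100.20:443
2024-05-01T10:05:00 web01 curl 203.0.113.7:8443
2024-05-01T10:10:00 web01 curl 203.0.113.7:8443
2024-05-01T10:15:00 web01 curl 203.0.113.7:8443
2024-05-01T10:20:00 web01 curl 203.0.113.7:8443
2024-05-01T10:30:00 web01 wget 93.184.216.34:80
2024-05-01T11:41:00 db01 backup-agent 198.51.100.20:443
2024-05-01T12:02:00 db01 backup-agent 198.51.100.20:443
2024-05-01T13:30:00 db01 backup-agent 198.51.100.20:443
"""

# Constructed baseline: (host, process, dst_ip) tuples already seen before this window.
BASELINE = {("web01", "nginx", "93.184.216.34")}


class Conn(NamedTuple):
    ts: datetime
    host: str
    process: str
    dst_ip: str
    dst_port: int


def parse_log(text: str) -> list:
    """Parse the constructed whitespace-separated log format into Conn records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        records.append(Conn(datetime.fromisoformat(ts), host, proc, ip, int(port)))
    return records


def is_external(ip: str) -> bool:
    """External means outside the assumed internal ranges (not a global/doc-range test)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def new_external_connections(records: list, baseline: set) -> list:
    """Return the first record for each (host, process, dst_ip) to an external host
    that is not in the baseline, in chronological order. Each key is reported once."""
    seen = set(baseline)
    alerts = []
    for r in sorted(records, key=lambda r: r.ts):
        if not is_external(r.dst_ip):
            continue
        key = (r.host, r.process, r.dst_ip)
        if key in seen:
            continue
        seen.add(key)
        alerts.append(r)
    return alerts


def subsequent_intervals(records: list, host: str, process: str, dst_ip: str) -> list:
    """Seconds between consecutive connections from (host, process) to dst_ip."""
    ts = sorted(r.ts for r in records if (r.host, r.process, r.dst_ip) == (host, process, dst_ip))
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def beacon_assessment(intervals: list, max_cv: float = 0.2) -> Optional[dict]:
    """Judge regularity by the coefficient of variation of the intervals.
    Needs at least 3 intervals (4 connections); returns None otherwise so a
    single follow-up connection is never reported as 'periodic'."""
    if len(intervals) < 3:
        return None
    mean = statistics.fmean(intervals)
    cv = statistics.pstdev(intervals) / mean if mean else 0.0
    return {"count": len(intervals) + 1, "mean_interval_s": mean, "cv": round(cv, 3), "periodic": cv <= max_cv}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in new_external_connections(recs, BASELINE):
        verdict = beacon_assessment(subsequent_intervals(recs, a.host, a.process, a.dst_ip))
        print(f"{a.ts} {a.host} {a.process} -> {a.dst_ip}:{a.dst_port}  follow-up: {verdict}")
```

On the constructed log the curl process on web01 is flagged and its follow-up connections arrive every 300 seconds (coefficient of variation 0), the pattern the page calls automation; the backup agent on db01 is also new but its intervals are irregular, and the single wget connection yields no assessment at all. In practice the baseline would be built from an agent's historical connection data rather than a hard-coded set.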

Resolution

Determine whether the specific connection is expected and benign. If the connection appears to result from malicious use of an existing administrative tool, from malware, or from an exploited application, review the system and application logs on the source machine. If the machine is compromised, take the necessary steps to restore it to a known, clean state.