Skip to main content

New Internal Connection

This alert occurs when Lacework detects an application running on a single machine or multiple machines connects for the first time to another application.

Why this Alert is Important

As east-west traffic with a data center is often predictable, this alert may reflect malicious lateral movement.

Investigation

Investigate both applications. Is one or both of the applications a recent addition, which would explain the new communication path? Is one of the applications a common administrative tool? If yes, investigate who used the tool and if the use is as expected. For example, did the user move data to a server as would be expected during a troubleshooting session or was data moved from a server? If the application is not easily identified, check if the file is listed as known malware or listed in Host > Files (FIM) on the Lacework Console.

Resolution

Determine if an internal connection is expected and benign. If the connection appears to be the result of malicious use of an existing administrative tool, trace the activity of the user back to the login. If the new connection is the result of malware, restore the machine to a known good state or replace the container with a new, clean version.