A known internal host makes a new connection to an unknown internal host, identified by its IP address. If an application cannot be associated with a connection, Lacework publishes a machine event.
Why this Event is Important
As east-west traffic with a data center is often predictable, this event may reflect malicious lateral movement.
Identify the unknown destination IP address. Is the destination IP address within the data center subnet or some other subnet, such as a management vlan? If the IP address can be associated with a user or administrator, understand if the data center host should be initiating the connection. Look for any data transfer, for example, is data being sent to the unknown IP address. If the unknown IP address is part of the data center subnet or another data center subnet, determine if the unknown IP address should be receiving connections from the known data center host.
Determine if a specific connection is expected and benign. If the connection appears to be the result of malicious use of an existing administrative tool or malware, review logs from both hosts. If the destination machine is a data center host without an agent, decide if the host should be receiving connections from the known data center host and consider adding a Lacework agent to the unknown host to incorporate the host into the baseline.