This event occurs when an application connects to an unknown external host, identified by its domain name.
Why this Event is Important
North-south traffic with a data center is often predictable, and 'listening' applications usually make limited or no external connections. An outbound connection to an unknown host may indicate malicious activity.
Identify the application. Is the application well known and expected to be in the data center? If the application is known, determine if it should be making outbound connections and research the destination host. If it is not clear that the destination host is benign, look for subsequent connections to the same host. Patterned communication may indicate some type of automation, which could be benign or unknown leakage.
Determine if the connection is expected and benign. If the connection appears to be the result of malicious use of an existing administrative tool, malware, or an exploited application, review logs from both hosts. If the machine is compromised, take the necessary steps to restore the affected systems to a known, clean state.