This event occurs when an application connects to an external host, identified by its domain name, that threat intelligence has flagged as malicious.
Why this Event is Important
This event typically indicates suspicious or malicious activity such as malware command and control (C2) communications, coinmining, malware downloads, and similar traffic.
Investigate the threat tags and open source information about the domain to establish its history, and keep in mind that domain intelligence ages: a domain may since have been cleaned up or sinkholed, or it may sit on shared hosting or a CDN, so confirm the match is current before acting on it. Compare this information with the applications and processes that made the connection to judge whether the connection is likely malicious; an unexpected process (for example, one running from a temporary or hidden directory) or an unexpected user is a strong signal. Examine byte transfers and any subsequent connections to the same host to understand how much communication occurred and whether it looks like periodic beaconing or a bulk transfer. Investigate related events such as other suspicious connections, file integrity monitoring (FIM) alerts, and other suspicious activity on the same host.
Determine whether the activity is malicious. If it is, preserve the evidence you need and then restore the affected systems to a known clean state; blocking the domain alone does not remove an implant that is already present. Where possible, sinkhole or block the domain to prevent reinfection.
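The triage steps described above, as an added example that is not part of the original page and not any vendor's tooling: it runs over constructed connection records and a constructed threat-intel list (the record fields, domains, tags and severity thresholds are all assumptions), matches each connection's domain against the intel, including subdomains of a flagged domain and names with a trailing dot, and groups the hits by host and process so that the process involved, the total bytes transferred, the number of subsequent connections and any other flagged domains the same process contacted are visible in one finding.

```python
"""Triage of a 'connection to a known malicious domain' event.

Added example, not the original page's or any vendor's code. The record
fields, domains, tags and severity thresholds below are assumptions made
for illustration.
"""
from collections import defaultdict

# Constructed threat-intel feed: flagged domain -> tags and first-seen date.
THREAT_INTEL = {
    "update-checker.example": {"tags": ["c2", "malware"], "first_seen": "2023-11-02"},
    "pool.miner.example": {"tags": ["coinmining"], "first_seen": "2024-01-15"},
}

# Constructed connection records (schema is an assumption, not a vendor format).
CONNECTIONS = [
    {"ts": "2024-03-01T10:00:00", "host": "web-01", "process": "/usr/bin/curl",
     "domain": "cdn.vendor.example", "bytes_out": 512, "bytes_in": 20480},
    {"ts": "2024-03-01T10:05:12", "host": "web-01", "process": "/tmp/.x/kworkerd",
     "domain": "update-checker.example", "bytes_out": 1400, "bytes_in": 300},
    {"ts": "2024-03-01T10:05:42", "host": "web-01", "process": "/tmp/.x/kworkerd",
     "domain": "beacon.update-checker.example.", "bytes_out": 2100, "bytes_in": 650},
    {"ts": "2024-03-01T10:06:05", "host": "web-01", "process": "/tmp/.x/kworkerd",
     "domain": "pool.miner.example", "bytes_out": 90000, "bytes_in": 4000},
    {"ts": "2024-03-01T11:00:00", "host": "db-02", "process": "/usr/sbin/postgres",
     "domain": "backup.internal.example", "bytes_out": 500000, "bytes_in": 1000},
]


def normalize(domain):
    """Lower-case and strip a trailing dot so 'Foo.Example.' matches 'foo.example'."""
    return domain.strip().rstrip(".").lower()


def match_intel(domain, intel):
    """Return (flagged_domain, entry) if the domain or one of its parent
    domains is in the intel feed, else None. The bare TLD is never checked."""
    labels = normalize(domain).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in intel:
            return candidate, intel[candidate]
    return None


def severity(tags, n_connections, bytes_out):
    """Illustrative priority heuristic; the thresholds are assumptions."""
    if "c2" in tags and n_connections >= 2:   # repeated contact with a C2 domain looks like beaconing
        return "high"
    if bytes_out >= 50_000:                    # large upload to a flagged host
        return "high"
    return "medium"


def triage(connections, intel):
    """Group flagged connections by (host, process, flagged domain) and summarise
    what an analyst needs: the process, byte counts, subsequent connections and
    other flagged domains the same process reached."""
    groups = defaultdict(list)
    for conn in connections:
        hit = match_intel(conn["domain"], intel)
        if hit is not None:
            flagged, entry = hit
            groups[(conn["host"], conn["process"], flagged)].append((conn, entry))

    findings = []
    for (host, process, flagged), rows in groups.items():
        conns = sorted((row[0] for row in rows), key=lambda c: c["ts"])
        entry = rows[0][1]
        bytes_out = sum(c["bytes_out"] for c in conns)
        # Other flagged domains contacted by the same process on the same host.
        related = sorted(
            other for (h, p, other) in groups
            if h == host and p == process and other != flagged
        )
        findings.append({
            "host": host,
            "process": process,
            "domain": flagged,
            "tags": sorted(entry["tags"]),
            "intel_first_seen": entry["first_seen"],
            "connections": len(conns),
            "first_connection": conns[0]["ts"],
            "last_connection": conns[-1]["ts"],
            "bytes_out": bytes_out,
            "bytes_in": sum(c["bytes_in"] for c in conns),
            "related_flagged_domains": related,
            "severity": severity(entry["tags"], len(conns), bytes_out),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(CONNECTIONS, THREAT_INTEL):
        print(finding)
```

In the constructed data the two flagged domains are both reached by the same process running from /tmp, which is the kind of process context the page tells you to compare against the intel; the benign curl and postgres connections produce no finding. Matching parent domains is deliberate, since C2 infrastructure often rotates subdomains under one flagged apex, but it also means a flagged apex on shared hosting will match its neighbours, which is why the intel's age and the hosting context still need a manual check.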