This event occurs when an additional application connects to a previously seen external IP address.
Why this Event is Important
North-south traffic to and from a data center is often predictable, and 'listening' applications usually make few or no outbound connections of their own. An outbound connection to an IP address not previously associated with an application may indicate malicious activity.
Identify the application. Is it an expected data center application? If the application is known, determine whether it should be making an outbound connection to an IP address that a different application or machine previously connected to. If it is not clear that the destination IP address is benign, look for subsequent connections to the same IP address. Patterned (for example, evenly spaced) communication may indicate some type of automation, which could be benign or could be unknown data leakage.
Determine if the connection is expected and benign. If the connection appears to be the result of malicious use of an existing administrative tool, malware, or an exploited application, review logs from both hosts. If the machine is compromised, take the necessary steps to restore the affected systems to a known, clean state.
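The triage steps above as runnable detection logic, added here as an example and not part of the original page: it flags the first time a new (host, application) pair connects to an external IP that a different pair already reached, then checks whether that pair's follow-up connections to the IP are evenly spaced, the "patterned communication" hint the text describes. The connection records, host and application names, and IP addresses are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records: (ISO timestamp, host, application, destination IP).
# The IPs are documentation ranges, not real indicators.
SAMPLE_CONNECTIONS = [
    ("2024-05-01T10:00:00", "web-01", "nginx", "203.0.113.10"),
    ("2024-05-01T10:05:00", "web-01", "nginx", "203.0.113.10"),
    ("2024-05-01T11:00:00", "web-02", "curl", "203.0.113.10"),   # new app, known IP
    ("2024-05-01T11:05:00", "web-02", "curl", "203.0.113.10"),
    ("2024-05-01T11:10:00", "web-02", "curl", "203.0.113.10"),
    ("2024-05-01T11:15:00", "web-02", "curl", "203.0.113.10"),
    ("2024-05-01T12:00:00", "db-01", "postgres", "198.51.100.7"),  # first app to this IP: no event
]


def new_app_to_known_ip(connections):
    """Return the first connection of each (host, app) pair to an external IP
    that a *different* (host, app) pair had already connected to earlier.
    Records are processed in timestamp order; ISO timestamps sort lexically."""
    seen_by_ip = defaultdict(set)
    events = []
    for ts, host, app, ip in sorted(connections):
        prior = seen_by_ip[ip]
        if prior and (host, app) not in prior:
            events.append((ts, host, app, ip))
        prior.add((host, app))
    return events


def interval_pattern(connections, host, app, ip, tolerance_s=30.0):
    """Follow-up check for a flagged pair: are its connections to the IP evenly spaced?
    Returns (connection_count, mean_gap_seconds or None, looks_regular).
    Fewer than three connections cannot establish a pattern."""
    times = sorted(datetime.fromisoformat(ts)
                   for ts, h, a, i in connections if (h, a, i) == (host, app, ip))
    if len(times) < 3:
        return len(times), None, False
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    return len(times), mean(gaps), pstdev(gaps) <= tolerance_s


if __name__ == "__main__":
    for ts, host, app, ip in new_app_to_known_ip(SAMPLE_CONNECTIONS):
        count, gap, regular = interval_pattern(SAMPLE_CONNECTIONS, host, app, ip)
        print(f"{ts} {host}/{app} -> {ip}: {count} connections, "
              f"mean gap {gap}s, regular={regular}")
```

In a real deployment the sample list would be replaced by connection records from a flow or EDR source, and a regular cadence from a newly observed application is a reason to review both hosts' logs rather than a verdict on its own.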