This event occurs when an internal host that has not previously connected to the known external host makes a connection. The external host is part of the existing baseline, meaning that either another process or machine is making connections to it.
Why this Event is Important
North-south traffic to and from a data center is often predictable, and 'listening' applications often make limited or no external connections. An outbound connection to a known external host from an internal host that has not previously connected to it may indicate malicious activity.
Identify the data center host. Should it be making outbound connections? Research the domain name. If it is not clear that the destination domain name is benign, look at all machines and applications that are connecting to the same external host. Patterned communication may indicate some type of automation, which could be benign, C&C (Command-and-Control), or unknown leakage.
Determine if the specific connection is expected and benign. If the connection appears to be the result of malicious use of an existing administrative tool, malware, or an exploited application, review logs from the source machine and application. If the machine is compromised, take the necessary steps to restore it to a known, clean state.
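As an added worked example (not code from the original page or the product it describes), the logic below builds a baseline of which internal hosts talk to which external hosts from constructed flow records, flags a connection from an internal host that has never reached a destination that is already in the baseline, and, for triage, lists the other sources to that host and their connection intervals so patterned, automated communication stands out. All host names and records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records: (timestamp, internal source host, external destination host).
BASELINE_FLOWS = [
    ("2024-01-01T00:00:00", "app-01", "updates.example.net"),
    ("2024-01-01T06:00:00", "app-01", "updates.example.net"),
    ("2024-01-02T00:00:00", "app-02", "updates.example.net"),
]
NEW_FLOWS = [
    ("2024-01-03T01:00:00", "app-01", "updates.example.net"),  # source already in baseline
    ("2024-01-03T01:05:00", "db-07", "updates.example.net"),   # new source to a known host
    ("2024-01-03T01:10:00", "db-07", "unknown.example.org"),   # destination not in baseline
]


def build_baseline(flows):
    """Map each external host to the set of internal hosts previously seen connecting to it."""
    baseline = defaultdict(set)
    for _, src, dst in flows:
        baseline[dst].add(src)
    return baseline


def new_source_to_known_host(flows, baseline):
    """Flag flows whose destination is in the baseline but whose source has never connected to it.

    Destinations absent from the baseline are deliberately not flagged here: they belong to a
    different event (new external host), not to this one.
    """
    hits = []
    for ts, src, dst in flows:
        if dst in baseline and src not in baseline[dst]:
            hits.append({"time": ts, "src": src, "dst": dst,
                         "other_sources": sorted(baseline[dst])})
    return hits


def connection_intervals(flows, src, dst):
    """Seconds between successive connections of one (src, dst) pair.

    Regular gaps point to automation, which may be a benign scheduler or a C&C beacon.
    """
    times = sorted(datetime.fromisoformat(ts) for ts, s, d in flows if s == src and d == dst)
    return [int((later - earlier).total_seconds()) for earlier, later in zip(times, times[1:])]
```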