This event occurs when an application that is not in the set of learned applications connects to a known application.
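To make the baseline-and-compare logic behind this event concrete, here is an added Python example (not the product's own detection code). It builds a learned application set from a constructed learning window of connection records and then flags later connections whose source application is unseen while the destination application is known; the record layout, host and application names, timestamps and the learning-window boundary are all assumptions made for the illustration.

```python
"""Toy detector for 'new application connects to a known application'.

Added example, not the product's own logic. Hypothetical assumptions:
- a connection record is (timestamp, src_host, src_app, dst_host, dst_app)
- the learning window is every record with timestamp < LEARNING_END
- application names arrive already normalised by upstream parsing
"""

# Constructed boundary of the learning window (ISO 8601, so string order is time order).
LEARNING_END = "2024-01-02T00:00:00"

# Constructed sample records; the first group is the learning window.
CONNECTIONS = [
    ("2024-01-01T08:00:00", "web-01", "nginx",     "app-01", "tomcat"),
    ("2024-01-01T08:05:00", "app-01", "tomcat",    "db-01",  "postgres"),
    ("2024-01-01T09:00:00", "adm-01", "ssh",       "db-01",  "sshd"),
    ("2024-01-01T09:30:00", "fs-01",  "smbclient", "fs-02",  "smbd"),
    # detection window
    ("2024-01-02T08:00:00", "web-01", "nginx",     "app-01", "tomcat"),    # known -> known: no event
    ("2024-01-02T10:12:00", "ws-17",  "psexec",    "db-01",  "smbd"),      # new -> known: event
    ("2024-01-02T10:13:00", "ws-17",  "psexec",    "fs-02",  "smbd"),      # same app pair: suppressed
    ("2024-01-02T11:00:00", "mon-01", "grafana",   "db-01",  "postgres"),  # new -> known: event
    ("2024-01-02T12:00:00", "ws-17",  "rsync",     "ws-18",  "rsyncd"),    # new -> new: not this event
]


def learn_applications(records, learning_end=LEARNING_END):
    """Return the set of applications seen (as source or destination) in the learning window."""
    learned = set()
    for ts, _src_host, src_app, _dst_host, dst_app in records:
        if ts < learning_end:
            learned.add(src_app)
            learned.add(dst_app)
    return learned


def detect_new_application_connections(records, learned, learning_end=LEARNING_END):
    """Flag post-learning connections from an unseen application to a learned one.

    One alert is raised per (new application, known application) pair so that a
    chatty new tool does not produce one alert per flow; the first occurrence
    carries the hosts an analyst should start local forensics on.
    """
    alerts = []
    reported = set()
    for ts, src_host, src_app, dst_host, dst_app in records:
        if ts < learning_end:
            continue                       # learning-window traffic is the baseline, not a finding
        if src_app in learned or dst_app not in learned:
            continue                       # known -> anything, or anything -> unknown, is a different case
        key = (src_app, dst_app)
        if key in reported:
            continue
        reported.add(key)
        alerts.append({
            "time": ts,
            "new_app": src_app,
            "src_host": src_host,
            "known_app": dst_app,
            "dst_host": dst_host,
        })
    return alerts


def run():
    """Learn from the sample records, then detect over the same records."""
    learned = learn_applications(CONNECTIONS)
    return detect_new_application_connections(CONNECTIONS, learned)


if __name__ == "__main__":
    for a in run():
        print(f"{a['time']} new application {a['new_app']!r} on {a['src_host']} "
              f"connected to known application {a['known_app']!r} on {a['dst_host']}")
```

On the constructed data this yields two findings: psexec reaching smbd (the kind of administrative-tool use the triage steps below describe) and grafana reaching postgres (a new application that may simply be an expected tooling change). Both look identical to the detector; only the follow-up investigation separates them, which is why the alert records the hosts involved. The new-to-new rsync connection is deliberately not raised, since this event is specifically about contact with a learned application.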
Why this Event is Important
The list of data center applications is for the most part static. New applications are sometimes introduced as part of service offering or internal tooling changes, but an unexpected new application can also indicate malicious activity.
Identify the new application. Is its introduction expected? If not, research the application and its purpose. Perform local forensics and look for signs of lateral movement.
Determine whether the application and its use are expected and benign. If it appears to be possible malicious use of an existing administrative tool, review logs from both the source and destination machines. Disable the user account and take the necessary steps to restore either host to a known, clean state.