This event occurs when a user launches an application that has not previously been observed being launched by that specific user.
Why this Event is Important
The list of data center applications is for the most part static. New applications are sometimes introduced as part of a service offering or internal tooling changes, but the appearance of an application a user has never run before can also be the first sign of malicious activity.
Identify the new application. Is its introduction expected? If not, research the application and its purpose. Perform local forensics and look for signs of lateral movement.
Determine whether the application and its use are expected and benign. If it appears to be possible malicious use of an existing administrative tool, review logs from both the source and destination machines. Disable the user account and take the necessary steps to restore either host to a known, clean state.
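The following is an added example, not the detection logic of the product this page describes, showing how a first-seen application launch per user can be computed from process-launch telemetry and how the triage guidance above can be attached to each alert. The launch records, the learning-period cutoff and the list of dual-use administrative tools are all constructed assumptions for the example.

```python
"""First-seen application launch per user (added example; constructed data)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample launch records: (timestamp, user, executable, host).
# Timestamps are ISO 8601 UTC strings, which compare correctly as plain text.
SAMPLE_LAUNCHES: List[Tuple[str, str, str, str]] = [
    ("2024-03-01T08:00:00Z", "alice", "outlook.exe", "ws-01"),
    ("2024-03-01T08:05:00Z", "alice", "excel.exe", "ws-01"),
    ("2024-03-01T09:00:00Z", "bob", "psexec.exe", "admin-01"),  # bob is an admin: expected
    ("2024-03-02T08:01:00Z", "alice", "outlook.exe", "ws-01"),
    # --- learning period ends; detection period begins ---
    ("2024-03-10T10:00:00Z", "alice", "outlook.exe", "ws-01"),  # known for alice: no alert
    ("2024-03-10T10:02:00Z", "alice", "psexec.exe", "ws-01"),   # alice has never run this: alert
    ("2024-03-10T10:03:00Z", "alice", "psexec.exe", "ws-02"),   # repeat on another host: no new alert
    ("2024-03-10T11:00:00Z", "bob", "psexec.exe", "admin-01"),  # known for bob: no alert
    ("2024-03-10T11:30:00Z", "carol", "newtool.exe", "ws-07"),  # never seen anywhere: alert
]

LEARNING_CUTOFF = "2024-03-05T00:00:00Z"  # assumed boundary between baseline and detection

# Assumed list of dual-use administrative tools used only to pick a triage hint.
ADMIN_TOOLS: Set[str] = {"psexec.exe", "wmic.exe", "psexesvc.exe"}


def build_baseline(events, cutoff: str) -> Dict[str, Set[str]]:
    """Learn which executables each user launched before the cutoff."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for ts, user, app, _host in events:
        if ts < cutoff:
            baseline[user].add(app.lower())
    return baseline


def triage_hint(app: str, new_to_environment: bool) -> str:
    """Attach the investigation step from the text that fits this alert."""
    if app in ADMIN_TOOLS:
        return ("possible misuse of an existing administrative tool: "
                "review logs on both source and destination hosts")
    if new_to_environment:
        return ("application never seen in the environment: confirm it is expected, "
                "research its purpose, perform local forensics")
    return "application new to this user: confirm the use is expected and benign"


def detect_first_seen(events, baseline: Dict[str, Set[str]], cutoff: str) -> List[dict]:
    """Raise one alert per (user, executable) pair first observed after the cutoff.

    The per-user set is updated as alerts fire, so a repeat launch (even on a
    different host) does not alert twice. ``new_to_environment`` is true when
    no user at all had launched the executable before, which matters because
    the data center application list is mostly static.
    """
    seen: Dict[str, Set[str]] = {u: set(apps) for u, apps in baseline.items()}
    env_apps: Set[str] = set().union(*seen.values()) if seen else set()
    alerts: List[dict] = []
    for ts, user, app, host in events:
        if ts < cutoff:
            continue
        app_l = app.lower()
        known = seen.setdefault(user, set())
        if app_l in known:
            continue
        known.add(app_l)
        new_env = app_l not in env_apps
        env_apps.add(app_l)
        alerts.append({
            "time": ts,
            "user": user,
            "app": app_l,
            "host": host,
            "new_to_environment": new_env,
            "hint": triage_hint(app_l, new_env),
        })
    return alerts


if __name__ == "__main__":
    base = build_baseline(SAMPLE_LAUNCHES, LEARNING_CUTOFF)
    for a in detect_first_seen(SAMPLE_LAUNCHES, base, LEARNING_CUTOFF):
        print(f"{a['time']} {a['user']} launched {a['app']} on {a['host']}: {a['hint']}")
```

Keying the baseline on the user rather than on the host is what makes the second psexec.exe launch by alice on ws-02 silent: the event is about a user doing something new, and the host-level view belongs to the log review the text recommends once the alert fires.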