Issue: A 'New External IP address' event was triggered when a host made an outbound connection to a public IP address, but the event shows no process or connection details.
Understanding the Event
The 'Where' section of the event shows the In/Out Bytes, which help determine whether this was a short-lived connection. In this case a total of 564 In Bytes and 417 Out Bytes were exchanged over the whole lifetime of the connection, which indicates that the connection was short-lived.
Agent versions prior to v4.3 used libpcap to capture packets on the network interfaces, so attributing a short-lived connection to its originating process was not always possible: the process could have exited before the capture was correlated with it. To address this, eBPF support was introduced in agent version 4.3, and upgrading the agent to the latest version is recommended to avoid missing process details.
Additionally, clicking the external IP address in the event description opens the network address dossier for that IP, where details such as Resolved IP information can be found.
Note: If the agent is running version 4.3 or later and process details are still missing:
1) Review config.json to verify that eBPF is enabled.
2) Review the running kernel version: eBPF support in the agent requires a kernel newer than 4.16.
If the host is running a kernel newer than 4.16 and eBPF is confirmed to be enabled for an agent at version 4.3 or later, please submit a support ticket for further investigation.
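The two checks above can be scripted so that they are applied consistently across a fleet before a ticket is raised. The following POSIX sh helper is an added example and is not part of the original article or the agent's own tooling. It assumes that eBPF is switched on in config.json by a top-level key named "ebpf" set to true (a hypothetical key; use the name from your agent's documentation), that 4.16 is treated as the minimum acceptable kernel (inclusive), and that the kernel release string has the usual `uname -r` shape such as 5.15.0-91-generic. The config file used in the usage note is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): checks the two eBPF
# prerequisites the note lists. "ebpf" as the config.json key name is an
# assumption; substitute the key documented for your agent version.

MIN_KERNEL=4.16   # minimum kernel for the agent's eBPF support (page states 4.16)

# version_ge HAVE WANT
# Returns 0 when kernel release HAVE is >= version WANT, 1 otherwise.
# Non-numeric suffixes such as "-91-generic" or "-rc1" are ignored.
version_ge() {
    have=$(printf '%s' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    want=$(printf '%s' "$2" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    i=1
    while :; do
        # -s suppresses lines with no delimiter, so a missing component is empty
        h=$(printf '%s' "$have" | cut -s -d. -f"$i")
        w=$(printf '%s' "$want" | cut -s -d. -f"$i")
        [ -z "$h" ] && [ -z "$w" ] && return 0   # all components compared equal
        h=${h:-0}; w=${w:-0}                      # "4.16" == "4.16.0"
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        i=$((i + 1))
    done
}

# ebpf_enabled CONFIG_PATH
# Returns 0 when the (assumed) "ebpf": true flag is present in the file.
ebpf_enabled() {
    grep -Eq '"ebpf"[[:space:]]*:[[:space:]]*true' "$1" 2>/dev/null
}

# check_host KERNEL_RELEASE CONFIG_PATH
# Prints one line per prerequisite and returns 0 only when both hold.
check_host() {
    rc=0
    if version_ge "$1" "$MIN_KERNEL"; then
        echo "kernel $1: OK (>= $MIN_KERNEL)"
    else
        echo "kernel $1: too old for the agent's eBPF support (need >= $MIN_KERNEL)"
        rc=1
    fi
    if ebpf_enabled "$2"; then
        echo "config $2: eBPF enabled"
    else
        echo "config $2: eBPF flag missing or not true"
        rc=1
    fi
    return $rc
}
```

Source the file and run `check_host "$(uname -r)" /path/to/config.json` on the affected host; a zero exit status means both prerequisites are satisfied and the missing process details warrant a support ticket, while a non-zero status names the prerequisite that still needs attention.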