Issue
A 'New External IP address' event was triggered where an external connection to a Public IP was made from a host. However, no process or connection details were displayed for the event.
Understanding the Event
The 'Where' section of the event displays the In/Out Bytes, which help identify whether this was a short-lived connection. For example, in this case a total of 564 In Bytes and 417 Out Bytes were exchanged over the lifetime of the connection, implying that this was a very short-lived connection.
Prior Agent Versions
Agent versions prior to v4.3 used libpcap to capture packets on interfaces, which meant that collecting the complete process information for short-lived connections was not always possible. To address this, eBPF support was introduced for agents starting from version 4.3, and upgrading the agent to the latest version is recommended to avoid missing process details.
Additionally, clicking on the external IP address displayed in the event description redirects to the network address dossier for the IP where details like Resolved IP information can be found.
Note: If the Lacework agent is running version 4.3 or higher, verify the following conditions for eBPF usage:
1) Review config.json to verify if eBPF is enabled.
2) Review the running Linux kernel version. The Lacework agent will only use eBPF when running on Linux with kernel versions that are newer than 4.16.
If the host is running a kernel version higher than 4.16 and eBPF is confirmed to be enabled for agent version 4.3 and above, please submit a support ticket for further investigation.
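Checking those two conditions from a shell on the host, as an added example that is not Lacework's own tooling: the script below compares the running kernel version against the 4.16 threshold and greps config.json for the eBPF setting. The config path and the JSON key name are assumptions supplied by the caller (the page does not name the key), and the key used in the demo is a placeholder.

```shell
#!/bin/sh
# Added example, not Lacework's own tooling: scripts the two eBPF
# preconditions listed in the note above for a Linux host.
# Assumptions (not stated on the page): the caller supplies the path to the
# agent config.json and the exact JSON key that records the eBPF setting;
# the key name used in the demo below is a placeholder, not a real setting.

# kernel_newer_than MIN_MAJOR MIN_MINOR [VERSION_STRING]
# Returns 0 when the kernel version (default: output of uname -r) is
# strictly newer than MIN_MAJOR.MIN_MINOR, 1 otherwise. The page's
# threshold is 4.16, so 4.16.x itself does not qualify.
kernel_newer_than() {
    min_major=$1
    min_minor=$2
    ver=${3:-$(uname -r)}
    major=$(printf '%s' "$ver" | cut -d. -f1)
    # Second dotted field, with any distro suffix such as "-generic" removed.
    minor=$(printf '%s' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//')
    minor=${minor:-0}
    if [ "$major" -gt "$min_major" ]; then
        return 0
    fi
    if [ "$major" -eq "$min_major" ] && [ "$minor" -gt "$min_minor" ]; then
        return 0
    fi
    return 1
}

# config_ebpf_enabled CONFIG_PATH KEY
# Returns 0 when CONFIG_PATH is readable and contains "KEY": true
# (whitespace-tolerant), 1 otherwise. A plain grep keeps the check free of
# JSON tooling; use jq instead if the file is large or nested.
config_ebpf_enabled() {
    cfg=$1
    key=$2
    [ -r "$cfg" ] || return 1
    grep -Eq "\"$key\"[[:space:]]*:[[:space:]]*true" "$cfg"
}

# check_ebpf_preconditions CONFIG_PATH KEY [VERSION_STRING]
# Prints one line per failed precondition and returns 0 only when both hold.
check_ebpf_preconditions() {
    rc=0
    if ! config_ebpf_enabled "$1" "$2"; then
        echo "eBPF is not enabled in $1 (key \"$2\" is not true)"
        rc=1
    fi
    if ! kernel_newer_than 4 16 "${3:-}"; then
        echo "kernel ${3:-$(uname -r)} is not newer than 4.16"
        rc=1
    fi
    return $rc
}

# Stand-alone demo with a constructed config file; on a real host point the
# script at the agent's config.json and the documented eBPF key instead.
demo_cfg=$(mktemp)
printf '{\n  "ebpf_setting_placeholder": true\n}\n' > "$demo_cfg"
if check_ebpf_preconditions "$demo_cfg" ebpf_setting_placeholder; then
    echo "both eBPF preconditions hold; if process details are still missing, open a support ticket"
else
    echo "at least one eBPF precondition fails; fix it before escalating"
fi
rm -f "$demo_cfg"
```

The version comparison deliberately treats 4.16.x as not qualifying, matching the "newer than 4.16" wording of the note; if both checks pass and the event still lacks process details, that is the point at which the support ticket is warranted.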