Skip to main content

Bad External Host

This event occurs when a bad external host (connected via an application) is seen for the first time ever in the data center. This can be observed as a “new node” in the Polygraph.

Why this Event is Important

This event typically indicates a suspicious or malicious activity that can involve malware command and control communications, coinmining, malware downloads, and more.

Investigation

Investigate threat tags and open source information regarding the domain to determine its history. Compare this information with the underlying applications and processes associated with the communication to determine if the connection may be malicious. Investigate byte transfers and subsequent connections to the external host to understand how much communication occurred. Investigate related events such as other suspicious connections, FIM alerts, and other suspicious activity.

Resolution

Determine if the activity is malicious. If it is malicious, take steps to restore the affected systems to a known clean state. If possible, implement sinkholing or blocking of the domain to prevent reinfection.