Skip to main content

Bad External Server Host Connection

This event occurs when a bad external host, which has already been seen in the data center, is connected to via an application for the first time.

Why this Event is Important

Connecting to a known, bad URL may be the result of a compromised application, malware or an internal test. The malicious IP is typically associated with C&C (Command-and-Control) or crypto-mining.

Investigation

Verify that the IP URL was added to a denylist or blocklist using other sources. Examine any data transfer and determine if meaningful data has been exchanged - over 10 KB per connection. Look at the direction of transfer, for example, if this application does not typically connect to the Internet, even data transfer less than 10 KB per connection may indicate C&C (Command-and-Control).

Resolution

If the URL is confirmed to be malicious, block the URL and scan the local machine. Perform local forensics and then restore the machine to a known good state.