This event occurs when an application connects to a never before seen external IP address.
Why this Event is Important
North-south data traffic with a data center is often predictable, and 'listening' applications usually make limited or no external connections. An outbound connection to an unknown IP address may indicate malicious activity.
Identify the application. Is it well known and expected to be in the data center? If the application is known, determine if it should be making outbound connections and research the destination IP address. If it is not clear that the destination IP is benign, look for subsequent connections to the same IP address. Patterned communication may indicate some type of automation, which could be benign or unknown leakage.
Determine if the connection is expected and benign. If the connection appears to be the result of malicious use of an existing administrative tool, malware, or an exploited application, review logs from both hosts. If the machine is compromised, take the necessary steps to restore the affected systems to a known, clean state.