Code Room
On-call | Medium | oc-g373
Subject: Suspicious access | Level: Mid–Senior | ~35 min | Common in Networking & APIs interviews | Industries: Software development, Technology

Question

Network monitoring flags an internal app host making thousands of connections to an **internal Elasticsearch cluster** that holds logs and indexed customer records — but the source app has no business querying it directly. The queries are broad `match_all` scrolls pulling large result sets. The ES cluster has **no authentication** (it was 'internal only') and is reachable flat across the VPC. The source host was recently running a vulnerable image-processing library. Nothing is 'breached' from outside; this is east-west. How do you triage whether the source host is compromised, contain it, and fix the exposure?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
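The first "real signal" in this scenario is the access evidence itself: which hosts talk to the cluster, how often, and whether the queries are targeted or whole-index pulls. The script below is an added example, not part of this page or of any Code Room material. It parses a constructed proxy/flow log of requests to the cluster (the line format, IP addresses, index names and the allowlist of expected Elasticsearch clients are all hypothetical) and produces a per-source triage verdict: an unexpected client issuing `match_all` scrolls is rated high, an unexpected client doing targeted queries medium, and an expected client doing broad pulls low. The output is what you would take into the containment decision and the stakeholder update.

```python
"""Triage east-west Elasticsearch access from a proxy/flow log.

Added example (not from the page): parses constructed sample log lines and
flags sources that (a) are not expected ES clients, (b) issue broad
match_all scroll queries, or (c) exceed a request-count threshold.
"""
import json
import re
from collections import defaultdict

# Assumed log line format (hypothetical; adapt the regex to your collector):
# <ts> <src_ip> -> <dst_ip>:<port> <METHOD> <path> body=<json-or-empty>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) body=(?P<body>.*)$"
)

# Constructed sample: 10.0.3.17 is the app host that should never query ES;
# 10.0.7.42 is the legitimate log-search service.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.3.17 -> 10.0.9.5:9200 POST /customers/_search?scroll=1m body={"size":10000,"query":{"match_all":{}}}
2024-05-01T10:00:02Z 10.0.3.17 -> 10.0.9.5:9200 POST /_search/scroll body={"scroll":"1m","scroll_id":"DXF1ZXJ5..."}
2024-05-01T10:00:02Z 10.0.3.17 -> 10.0.9.5:9200 POST /_search/scroll body={"scroll":"1m","scroll_id":"DXF1ZXJ5..."}
2024-05-01T10:00:03Z 10.0.7.42 -> 10.0.9.5:9200 GET /app-logs-2024.05.01/_search?q=level:error body=
2024-05-01T10:00:04Z 10.0.3.17 -> 10.0.9.5:9200 POST /logs-*/_search?scroll=5m body={"query":{"match_all":{}},"size":5000}
"""

# Hypothetical allowlist: source IP -> service expected to reach the cluster.
ALLOWED_ES_CLIENTS = {"10.0.7.42": "log-search-service"}


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    raw = rec["body"].strip()
    try:
        parsed = json.loads(raw) if raw else {}
    except json.JSONDecodeError:
        parsed = {"_unparsed": raw}
    rec["body"] = parsed if isinstance(parsed, dict) else {}
    return rec


def target_index(path):
    """Index name from a request path, or None for cluster-level endpoints."""
    first = path.lstrip("/").split("/", 1)[0].split("?", 1)[0]
    return None if not first or first.startswith("_") else first


def classify(rec):
    """'broad_scroll' for a match_all scroll start, 'scroll_page' for a
    scroll continuation, otherwise 'search' or 'other'."""
    path = rec["path"]
    if path.startswith("/_search/scroll"):
        return "scroll_page"
    if "/_search" in path:
        query = rec["body"].get("query")
        # A scroll request with no query, or an explicit match_all, pulls
        # the whole index rather than a targeted subset.
        if "scroll=" in path and (query is None or "match_all" in query):
            return "broad_scroll"
        return "search"
    return "other"


def triage(lines, allowlist, request_threshold=100):
    """Aggregate per-source behaviour and assign a triage severity."""
    stats = defaultdict(lambda: {"requests": 0, "broad_scrolls": 0,
                                 "scroll_pages": 0, "indices": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["port"] != "9200":
            continue
        s = stats[rec["src"]]
        s["requests"] += 1
        kind = classify(rec)
        if kind == "broad_scroll":
            s["broad_scrolls"] += 1
        elif kind == "scroll_page":
            s["scroll_pages"] += 1
        idx = target_index(rec["path"])
        if idx:
            s["indices"].add(idx)

    findings = {}
    for src, s in stats.items():
        expected = src in allowlist
        bulk_pull = s["broad_scrolls"] > 0 or s["requests"] >= request_threshold
        if not expected and bulk_pull:
            severity = "high"      # unexpected client doing bulk extraction
        elif not expected:
            severity = "medium"    # unexpected client, targeted queries only
        elif bulk_pull:
            severity = "low"       # expected client but unusually broad
        else:
            severity = "info"
        findings[src] = {
            "severity": severity,
            "expected_client": allowlist.get(src),
            "requests": s["requests"],
            "broad_scrolls": s["broad_scrolls"],
            "scroll_pages": s["scroll_pages"],
            "indices": sorted(s["indices"]),
        }
    return findings


if __name__ == "__main__":
    for src, f in triage(SAMPLE_LOG.splitlines(), ALLOWED_ES_CLIENTS).items():
        print(src, f)
```

On the sample, `10.0.3.17` comes out as `high` with two broad scrolls, two scroll-page fetches and the `customers` index among its targets, which is the evidence that justifies isolating that host and treating the customer index as potentially exfiltrated. The `indices` list is what feeds the impact statement, and the `request_threshold` catches a client that stays targeted but hammers the cluster. The same report also makes the root-cause fix concrete: an allowlist enforced only in a script is a detection, not a control, so the lasting fix is to enforce it at the network layer (security groups or network policy restricting port 9200 to the expected clients) and to turn on authentication on the cluster.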
