Question
Network monitoring flags an internal app host making thousands of connections to an **internal Elasticsearch cluster** that holds logs and indexed customer records — but the source app has no business querying it directly. The queries are broad `match_all` scrolls pulling large result sets. The ES cluster has **no authentication** (it was 'internal only') and is reachable flat across the VPC. The source host was recently running a vulnerable image-processing library. Nothing is 'breached' from outside; this is east-west. How do you triage whether the source host is compromised, contain it, and fix the exposure?
Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
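As an added worked example (not part of the original question or answer), the three steps above expressed as offline triage checks in Python: who is actually talking to the ES HTTP port and how much data came back (from VPC flow logs, default v2 field order), which clients are running `match_all` scrolls (from query records), and which `elasticsearch.yml` settings left the cluster open. Every address, the allowlist, the flow records and the query records are constructed for the example; the query-record shape is an assumption, since with xpack security disabled ES keeps no audit log and request bodies would have to come from a capture or a proxy in front of the cluster.

```python
"""Triage helpers for the east-west Elasticsearch case above.
All addresses, allowlists and log records below are constructed for the example;
the query-record shape is assumed, not an Elasticsearch log format."""
from collections import defaultdict

# Assumed topology (not from the original post).
ES_NODES = {"10.0.20.11", "10.0.20.12"}
ES_HTTP_PORT = 9200
ALLOWED_ES_CLIENTS = {"10.0.30.5", "10.0.30.6"}   # log shipper and search API tier

# Constructed VPC flow log lines, v2 fields: version account-id interface-id srcaddr
# dstaddr srcport dstport protocol packets bytes start end action log-status
FLOW_LOG = """\
2 111122223333 eni-0a1 10.0.10.42 10.0.20.11 51234 9200 6 18 2400 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1 10.0.20.11 10.0.10.42 9200 51234 6 9500 88000000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1 10.0.10.42 10.0.20.12 51235 9200 6 20 2600 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1 10.0.20.12 10.0.10.42 9200 51235 6 8800 76000000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0b2 10.0.30.5 10.0.20.11 44000 9200 6 30 5100 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0b2 10.0.20.11 10.0.30.5 9200 44000 6 25 9800 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0c3 10.0.10.42 10.0.40.9 51300 443 6 12 1800 1700000000 1700000060 ACCEPT OK
"""

# Constructed query records (assumed shape, e.g. reconstructed from a capture on
# the ES node: with security off there is no audit log to read them from).
QUERY_LOG = [
    {"client": "10.0.10.42", "path": "/customers/_search?scroll=5m",
     "body": {"size": 10000, "query": {"match_all": {}}}},
    {"client": "10.0.10.42", "path": "/_search/scroll",
     "body": {"scroll": "5m", "scroll_id": "DXF1ZXJ5..."}},
    {"client": "10.0.30.5", "path": "/logs-2024/_search",
     "body": {"size": 50, "query": {"term": {"request_id": "abc123"}}}},
]

# The weak elasticsearch.yml beside the corrected one (constructed fragments).
WEAK_ES_YML = "cluster.name: internal-logs\nxpack.security.enabled: false\n"
HARDENED_ES_YML = ("cluster.name: internal-logs\n"
                   "xpack.security.enabled: true\n"
                   "xpack.security.http.ssl.enabled: true\n"
                   "xpack.security.transport.ssl.enabled: true\n")


def parse_flow_records(text):
    """Parse v2 flow log lines; skip headers, short lines and NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2" or f[13] != "OK":
            continue
        records.append({"src": f[3], "dst": f[4], "sport": int(f[5]), "dport": int(f[6]),
                        "proto": int(f[7]), "bytes": int(f[9]), "action": f[12]})
    return records


def es_client_summary(records, es_nodes=ES_NODES, port=ES_HTTP_PORT):
    """Per client: TCP flows opened to the ES HTTP port, and bytes the ES nodes
    sent back to it (a rough measure of how much data was pulled)."""
    summary = defaultdict(lambda: {"flows": 0, "bytes_pulled": 0})
    for r in records:
        if r["action"] != "ACCEPT" or r["proto"] != 6:
            continue
        if r["dst"] in es_nodes and r["dport"] == port:
            summary[r["src"]]["flows"] += 1
        elif r["src"] in es_nodes and r["sport"] == port:
            summary[r["dst"]]["bytes_pulled"] += r["bytes"]
    return dict(summary)


def unexpected_es_clients(summary, allowed=ALLOWED_ES_CLIENTS):
    """Clients talking to ES that have no business doing so: the containment list
    (isolate the host, snapshot disk and memory before it is rebuilt)."""
    return {ip: s for ip, s in summary.items() if ip not in allowed}


def dump_indicators(query_log, big_page=1000):
    """Clients that opened scroll searches with match_all or very large pages,
    plus how many scroll continuation calls each made."""
    out = defaultdict(lambda: {"bulk_scrolls": 0, "scroll_pages": 0})
    for rec in query_log:
        body = rec.get("body") or {}
        if rec["path"].startswith("/_search/scroll"):
            out[rec["client"]]["scroll_pages"] += 1
        elif "scroll=" in rec["path"]:
            if "match_all" in body.get("query", {}) or body.get("size", 10) >= big_page:
                out[rec["client"]]["bulk_scrolls"] += 1
    return {c: v for c, v in out.items() if v["bulk_scrolls"]}


def es_yml_findings(text):
    """Flag the settings that left the cluster open: auth off, HTTP/transport TLS off."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        if ":" in line:
            k, v = line.split(":", 1)
            settings[k.strip()] = v.strip()
    checks = ["xpack.security.enabled", "xpack.security.http.ssl.enabled",
              "xpack.security.transport.ssl.enabled"]
    return [f"{k} should be true (found {settings.get(k, 'unset')!r})"
            for k in checks if settings.get(k) != "true"]


if __name__ == "__main__":
    summary = es_client_summary(parse_flow_records(FLOW_LOG))
    print("contain:", unexpected_es_clients(summary))
    print("dumps:", dump_indicators(QUERY_LOG))
    print("fix:", es_yml_findings(WEAK_ES_YML))
```

The flow-log pass answers the first question (is the host really the one pulling data, and how much) from a source the attacker cannot edit from the compromised box; the allowlist diff is the containment list, and the byte count feeds the "what left the cluster" estimate for notification. Turning on authentication and TLS is only half the fix: the security-group or network-policy change that stops the flat VPC reach is done in the cloud tooling and is not shown here.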