Machines

To navigate to the Machines dossier in the Lacework Console, click Resources > Host > Machines. For information about filtering dossier data, see Dossier Navigation and Filters.

note

Machine category alerts and Polygraphs do not include UDP connections.

To view the Single Machine dossier for a specific machine, click a hostname in one of the tables such as Machine properties or Machine activity. Single machine dossiers contain additional information such as instance ID mapping, the Exposure Polygraph (if applicable), and detailed connection information.

Dashboard

These graphs aggregate data for machines where Lacework agents are installed. Available graphs present unique machines and users and network-related information such as connections and bytes.

Alerts are shown for all machines where Lacework agents are installed.

Polygraphs

See Machines Polygraph.

Instance ID mapping

For single machine dossiers, this section maps the machine to an instance ID.

Exposure Polygraph

See Exposure Polygraph. Click View latest attack paths to go to the Path investigation page filtered to the associated hostname.

When there isn't an Exposure Polygraph because Internet exposure = No or Unknown, but the host is part of an attack path, click View attack path to go to the Path investigation page.

Machine properties

This table displays machine properties such as IP address and last known time. The table also includes vulnerabilities. Click View Report to view the vulnerability assessment for that machine.

Machine tag summary

This table lists tag names and their values.

note
  • Both Agent and Agentless data are shown here.
  • Azure public IP addresses are created with a SKU, either Basic or Standard. For Azure VMs, the ExternalIp tag will display the external IP address only for an Azure VM with a Basic SKU. The external IP address for an Azure VM with a Standard SKU will not be displayed. This is currently a limitation of Azure.

Machine activity

This table displays uptime, users, total connections, processes, etc., at the machine level.

All of the dossier's displayed data is relative to the selected date range. For example, if the date range is Last 7 days, the maximum machine Up Time that could be displayed is 7 days, even if it has been up much longer.

The Vulnerabilities column lists the number of highest severity CVEs found during the last assessment. It will also display the number of CVEs that are fixable (regardless of severity). Hover over a row in this column and click View Report to see a vulnerability assessment for the host.

List of external facing server machines

This table displays servers that have an interface with a non-RFC1918 address. The open port/protocol is displayed as well.
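As an added illustration (not Lacework code), this is the classification behind that table: a listening socket counts as external facing when the interface it is bound to is outside RFC 1918 space. Hostnames, addresses and ports below are constructed sample data; wildcard binds are reported separately because their exposure depends on which interfaces the host has.

```python
import ipaddress

# RFC 1918 ranges only. ipaddress.is_private is deliberately not used because it
# also covers loopback, link-local (169.254/16) and CGNAT (100.64/10), none of
# which is what "non-RFC1918" means for this table.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True only for IPv4 addresses inside one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


# Constructed sample: one record per listening socket on an agent-monitored host.
# (hostname, bound interface address, port, protocol)
SAMPLE_LISTENERS = [
    ("web-1", "203.0.113.10", 443, "TCP"),
    ("web-1", "10.0.1.5", 22, "TCP"),
    ("db-1", "10.0.2.7", 5432, "TCP"),
    ("db-1", "127.0.0.1", 6379, "TCP"),   # loopback: never external facing
    ("bastion", "198.51.100.4", 22, "TCP"),
    ("dns-1", "100.64.3.9", 53, "UDP"),   # CGNAT space is not RFC 1918, so it is flagged
    ("lb-1", "0.0.0.0", 80, "TCP"),       # wildcard bind: exposure depends on interfaces
]


def external_facing(listeners):
    """Return (exposed, wildcard).

    exposed:  {hostname: ["port/proto", ...]} for sockets bound on non-RFC1918 addresses
    wildcard: [(hostname, port, proto)] for sockets bound on 0.0.0.0 or ::

    As with the dossier table, this reflects what is open locally; firewall or
    iptables rules that block the port are not taken into account.
    """
    exposed, wildcard = {}, []
    for host, addr, port, proto in listeners:
        ip = ipaddress.ip_address(addr)
        if ip.is_unspecified:
            wildcard.append((host, port, proto))
        elif ip.is_loopback or is_rfc1918(addr):
            continue
        else:
            exposed.setdefault(host, []).append(f"{port}/{proto}")
    return exposed, wildcard
```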

The Vulnerabilities column lists the number of highest severity CVEs found during the last assessment. It will also display the number of CVEs that are fixable (regardless of severity). Hover over a row in this column and click View Report to see a vulnerability assessment for the host.

TCP - client machines making external connections and UDP - client machines making external connections

These tables display detailed connection information. Details include both ends of the connection, number of connections, and amount of data transferred in both directions. If a connection is made to a known bad IP/domain, an appropriate Threat Tag is displayed as well.

User login activity

This table displays all logins within the specified time frame.

User authentication summary

This table displays all attempted logins and whether they were successful or not.

Active listening ports

This table displays any open ports on the host. Note that the displayed ports are those open locally on the host; any blocks applied by a firewall or iptables are not reflected.

Domain lookups by machine

This table displays the number of successful and failed lookups for each machine.

Dropped packets summary

This table displays information including hostname, destination, count, etc.

List of active executables and executable information

These tables display information for all observed executables.

List of active containers and Container image information

These tables display active containers, container image information, and any vulnerabilities found in them. Container information includes the container type, the host where it is located, associated tags, hash, etc. Image information includes size, the number of containers running the image, creation time, etc.

To view additional details about the compliance status for a container or image, hover over a row until View Report displays and click View Report. Click an entry link in any table to open a new view with details about that entry. For example, click a hostname to display additional information about that machine.

If your environment does not have any running containers, these tables do not display any data.

A Kubernetes Pod is the smallest deployed unit in the Kubernetes object model. A Pod represents a single instance of an application in Kubernetes, which might consist of either a single container or a small number of containers that are tightly coupled and share resources.