Machines
To navigate to the Machines dossier in the Lacework Console, click Resources > Host > Machines. For information about filtering dossier data, see Dossier Navigation and Filters.
Note: Machine category alerts and Polygraphs do not include UDP connections.
To view the Single Machine dossier for a specific machine, click a hostname in one of the tables such as Machine properties or Machine activity. Single machine dossiers contain additional information such as instance ID mapping, the Exposure Polygraph (if applicable), and detailed connection information.
Dashboard
These graphs aggregate data for machines where Lacework agents are installed. Available graphs present unique machines and users and network-related information such as connections and bytes.
Related alerts
Alerts for all machines where Lacework agents are installed.
Polygraphs
See Machines Polygraph.
Instance ID mapping
For single machine dossiers, this section maps the machine to an instance ID.
Exposure Polygraph
See Exposure Polygraph. Click View latest attack paths to go to the Path investigation page filtered to the associated hostname.
When there isn't an Exposure Polygraph because Internet exposure = No or Unknown, but the host is part of an attack path, click View attack path to go to the Path investigation page.
Machine properties
This table displays machine properties such as IP address and last known time. The table also includes vulnerabilities. Click View Report to view the vulnerability assessment for that machine.
Machine tag summary
This table lists tag names and their values.
Note:
- Both Agent and Agentless data are shown here.
- Azure public IP addresses are created with a SKU, either Basic or Standard. For Azure VMs, the ExternalIp tag will display the external IP address only for an Azure VM with a Basic SKU. The external IP address for an Azure VM with a Standard SKU will not be displayed. This is currently a limitation of Azure.
Machine activity
This table displays uptime, users, total connections, processes, etc., at the machine level.
All of the dossier's displayed data is relative to the selected date range. For example, if the date range is Last 7 days, the maximum machine Up Time that could be displayed is 7 days, even if it has been up much longer.
The Vulnerabilities column lists the number of highest severity CVEs found during the last assessment. It will also display the number of CVEs that are fixable (regardless of severity). Hover over a row in this column and click View Report to see a vulnerability assessment for the host.
List of external facing server machines
This table displays servers that have an interface with a non-RFC1918 address. The open port/protocol is displayed as well.
The Vulnerabilities column lists the number of highest severity CVEs found during the last assessment. It will also display the number of CVEs that are fixable (regardless of severity). Hover over a row in this column and click View Report to see a vulnerability assessment for the host.
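The following added example (not Lacework code and not a description of its detection logic) applies a literal reading of "non-RFC1918" to a constructed host inventory, and labels the non-RFC1918 addresses that are still not Internet-routable, such as RFC 6598 shared address space. The inventory layout and the function names are hypothetical.

```python
import ipaddress

# The three private IPv4 blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Non-RFC1918, but not reachable from the Internet either.
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def classify(addr):
    """Return 'rfc1918', 'loopback', 'link-local', 'cgnat' or 'other'."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"
    return "other"  # candidate for a genuinely public address


def external_facing(inventory):
    """List (hostname, address, class, port, proto) for each listener on a
    host that has at least one non-RFC1918 interface address."""
    rows = []
    for host in inventory:
        for addr in host["addresses"]:
            kind = classify(addr)
            if kind == "rfc1918":
                continue
            for port, proto in host["listeners"]:
                rows.append((host["hostname"], addr, kind, port, proto))
    return rows


# Constructed inventory; 203.0.113.0/24 is a documentation range standing in
# for a public address.
SAMPLE = [
    {"hostname": "web-1", "addresses": ["10.0.1.5", "203.0.113.10"],
     "listeners": [(443, "tcp")]},
    {"hostname": "db-1", "addresses": ["172.16.4.9"],
     "listeners": [(5432, "tcp")]},
    {"hostname": "nat-1", "addresses": ["192.168.1.2", "100.64.0.7"],
     "listeners": [(22, "tcp"), (53, "udp")]},
]
```

Rows classed as `other` are the ones to review first; `cgnat`, `loopback` and `link-local` rows match the literal non-RFC1918 test without being directly reachable from the Internet.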
TCP - client machines making external connections and UDP - client machines making external connections
These tables display detailed connection information. Details include both ends of the connection, number of connections, and amount of data transferred in both directions. If a connection is made to a known bad IP/domain, an appropriate Threat Tag is displayed as well.
User login activity
This table displays all logins within the specified time frame.
User authentication summary
This table displays all attempted logins and whether they were successful or not.
Active listening ports
This table displays any open ports on the host. Note that the displayed ports are open locally; any blocking by firewalls or iptables is not reflected.
Domain lookups by machine
This table displays the number of successful and failed lookups for each machine.
Dropped packets summary
This table displays information including hostname, destination, count, etc.
List of active executables and executable information
These tables display information for all observed executables.
List of active containers and Container image information
These tables display active containers and container image information and any vulnerabilities found in them. Container information includes the container type, the host where it is located, associated tags, hash, etc. Image information includes size, number of such containers, creation time, etc.
To view additional details about the compliance status for a container or image, hover over a row until View Report displays and click View Report. Click an entry link in any table to open a new view with details about that entry. For example, click a hostname to display additional information about that machine.
If your environment does not have any running containers, these tables do not display any data.
A Kubernetes Pod is the smallest deployed unit in the Kubernetes object model. A Pod represents a single instance of an application in Kubernetes, which might consist of either a single container or a small number of containers that are tightly coupled and share resources.