Networks

The Networks dossier displays information about network connections, open ports, and DNS lookups.

To navigate to the Networks dossier in the Lacework Console, click Resources > Host > Networks. For information about filtering dossier data, see Dossier Navigation and Filters.

Dashboard

These graphs aggregate data for machines and network traffic. Available graphs display information including unique machines, unique users, and total connections.

Alerts for network connections where Lacework agents are installed.

Polygraphs

See Networks Polygraph.

Domain lookups

This table displays the number of successful and failed lookups for each domain name.

Active listening ports

This table displays the number of machines and applications for each listening port number.

Machine properties

This table displays machine properties such as name and IP address.

User properties

This table displays user properties such as UID, groups, and home directory.

Server ports with no connection

This table displays open/listening ports without any active connections. This information can alert you to potentially unwanted open ports, or it could simply indicate low usage. Blocks of any kind, whether host-level (firewalld, iptables) or imposed by a security group/ACL/NACL, are not reflected; this is strictly a list of open ports on the server. Both IPv4 and IPv6 are displayed, if supported by the OS. The listening interface is also listed, although in many cases only the loopback is listening.

List of listening servers

This table displays servers with open ports on an interface other than the loopback.

List of external facing server machines

This table displays servers that have an interface with a non-RFC1918 address. The open port/protocol is displayed as well.
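
The three listener views described above (ports with no connection, listeners on a non-loopback interface, external-facing listeners) can be approximated from a host's socket inventory. The following is an added illustration, not Lacework's implementation: the record layout, field names, and sample addresses are constructed, and treating IPv6 unique-local addresses as internal and `::` as a dual-stack wildcard are assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")  # assumption: IPv6 unique-local counts as internal

# Constructed sample host record; the field names are hypothetical.
HOST = {
    "interfaces": ["127.0.0.1", "::1", "10.0.1.15", "203.0.113.10"],
    "listeners": [("tcp", "127.0.0.1", 5432), ("tcp", "0.0.0.0", 22),
                  ("tcp", "10.0.1.15", 8080), ("tcp", "203.0.113.10", 443),
                  ("udp", "::", 123)],
    "connected": [("tcp", 443), ("tcp", 5432)],  # local (proto, port) with active connections
}

def is_internal(addr):
    """True for loopback, link-local, RFC1918 and (assumed) IPv6 unique-local."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_link_local:
        return True
    return any(ip in net for net in RFC1918) if ip.version == 4 else ip in ULA

def reachable_on(bind_addr, interfaces):
    """Interface addresses on which a socket bound to bind_addr accepts traffic."""
    ip = ipaddress.ip_address(bind_addr)
    if ip.is_unspecified:
        # Wildcard bind: "::" is treated as dual-stack (assumption), 0.0.0.0 as IPv4 only.
        return [a for a in interfaces if ip.version == 6 or ipaddress.ip_address(a).version == 4]
    return [a for a in interfaces if ipaddress.ip_address(a) == ip]

def summarize(host):
    """Build the three listener views for one host."""
    busy = set(host["connected"])
    views = {"no_connection": [], "non_loopback": [], "external_facing": []}
    for proto, addr, port in host["listeners"]:
        entry = (proto, addr, port)
        reach = reachable_on(addr, host["interfaces"])
        if (proto, port) not in busy:
            views["no_connection"].append(entry)
        if any(not ipaddress.ip_address(a).is_loopback for a in reach):
            views["non_loopback"].append(entry)
        if any(not is_internal(a) for a in reach):
            views["external_facing"].append(entry)
    return views

if __name__ == "__main__":
    for name, rows in summarize(HOST).items():
        print(name, rows)
```

As with the tables themselves, this reflects only what is bound on the host; firewall rules and security groups that block a port are not taken into account.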

Client machines making external connections

This table displays a list of hosts with connections to “remote” hosts.

TCP - client machines making external connections and UDP - client machines making external connections

These tables display detailed connection information. Details include both ends of the connection, number of connections, and amount of data transferred in both directions. If a connection is made to a known bad IP/domain, an appropriate Threat Tag is displayed as well.

External UDP connections

This table displays detailed connection information for external UDP connections. It also details the number of connections and amount of data transferred in both directions.

IP address summary

This table provides a breakdown of information about all observed connections, using various whois-type information to display the geographic distribution of connections and perceived risk.

DNS summary

This table displays a synopsis of lookups done by hosts. Unexpected domain lookups could require further investigation.

Resolved IP information

This table displays information about used DNS resolvers and the results. Unexpected resolvers or remote hosts might warrant more investigation.