Skip to main content

When Host Assessment Metrics Carry Forward

Generally, assessment data is from what currently exists at the time of assessment. In some circumstances, however, Lacework can carry forward fixed status data to provide information about a previously existing vulnerability that has since been patched/addressed.

Hosts must be online at least once within a 30-day window for vulnerability assessment metrics to carry forward. Carrying forward metrics means Lacework updates the existing assessment report instead of creating a new assessment report.

If this sequence occurs:

  1. Host information collection runs and assessment occurs.
  2. The host shuts down for 29 days.
  3. The host comes back online on the 30th day.
  4. Host information collection runs.

Result: Lacework carries forward host assessment metrics and updates the host’s existing assessment report.

note

For carried over Fixed status vulnerabilities, the information is from the original (past) assessments. For example, seeing Fixed + Vulnerable assessments does not mean the specific (machine ID, package, version, vulnerability ID) is vulnerable. If Fixed, the specific combination cannot be vulnerable because it is based on past information that was patched. The information means that the previous assessment that was originally vulnerable was fixed (hence the Fixed status + Vulnerable).

If this sequence occurs:

  1. Host information collection runs and assessment occurs.
  2. The host shuts down for 30 days.
  3. The host comes back online on the 31st day.
  4. Host information collection runs.

Result: Lacework handles the host as new and creates a new assessment report.