Dashboard
This topic describes functionality that is currently in preview.
Overview
The Dashboard provides a holistic view of your cloud environment where you can track progress of your security posture.
This includes the following:
- Choose and configure risk metrics and definitions that matter the most to your organization.
- Track the progress of these metrics for each resource group in your environment.
- View current and historical trends of your overall security posture.
Prerequisites
Before you start to configure and use the Lacework Dashboard, integrate your environment with Lacework.
The Dashboard metrics are populated once Lacework has ingested at least one day's worth of data from your environment.
Limitations
- Oracle Cloud Infrastructure (OCI) environment data are not displayed in the dashboard.
Configure the Dashboard
Click the Configure button to choose the metrics and resource groups to display.
You can reconfigure your current view at any time by clicking Configure again and then clicking Save.
Enable or Disable Alert Overview
Click the slider to enable or disable the alert overview.
Select Resource Groups
Choose the resource groups whose metrics you want to track on the dashboard.
Click in the box to view all available resource groups.
Both default and custom resource groups are displayed. Add or remove them as desired.
At least one day's worth of data is required for newly created resource groups to show information in the dashboard.
Choose your Risk Metrics
Choose the risk metrics to display in the Dashboard. The following table describes the available options:
Risk Metric | Description |
---|---|
Attack path analysis | Track the overall potential for malicious attacks due to misconfiguration of resources with Attack Path Analysis metric data. |
Container vulnerabilities | Track vulnerable container images in your environment with Container Vulnerability metric data. |
Host vulnerabilities | Track vulnerable hosts in your environment with Host Vulnerability metric data. |
Identities | Track cloud identities deemed at risk with Entitlement Management metric data. |
Compliance | Track non-compliant resources or policies with Compliance (CSPM/KSPM) metric data. |
Choose your Risk Definitions
Define the constraints of the risk metrics that you have chosen to display. The following tables describe the available options for each metric.
Attack path analysis
Risk Definition | Description |
---|---|
Severity risk level of resources | Choose the severity levels to track for the overall potential of malicious attack due to misconfiguration of resources. The severity level applies to resources with an attack path. |
Container vulnerabilities
Risk Definition | Description |
---|---|
Internet exposed only | Choose whether to only track containers that are exposed to the internet. Uncheck to track all exposed and unexposed containers. |
Fixable vulnerabilities only | Choose whether to only track container image vulnerabilities that can be fixed. Uncheck to track all fixable and non-fixable vulnerabilities. |
Severity of vulnerabilities | Choose the severity levels to track for vulnerabilities found in your container image packages. |
Host vulnerabilities
Risk Definition | Description |
---|---|
Internet exposed only | Choose whether to only track hosts that are exposed to the internet. Uncheck to track all exposed and unexposed hosts. |
Fixable vulnerabilities only | Choose whether to only track host package vulnerabilities that can be fixed. Uncheck to track all fixable and non-fixable package vulnerabilities. |
Severity of vulnerabilities | Choose the severity levels to track for vulnerabilities found on your host packages. |
Identities: At risk identities
Risk Definition | Description |
---|---|
Severity | Choose the severity levels to track for cloud identities deemed at risk in your environment. |
Identities: Identities with excessive privileges
Risk Definition | Description |
---|---|
% unused entitlements | Choose the percentage threshold at which to track cloud identities that are not using their granted entitlements. |
Compliance: Resources with failed policies
Use this metric definition to track resources with failed compliance policies.
Risk Definition | Description |
---|---|
Compliance policy severity levels | Choose the severity levels to track for resources that have one or more failed policy assessments due to non-compliance. The severity level applies to the compliance policies that a given resource has been assessed against. |
Compliance frameworks | Choose the Compliance Frameworks to track. Only the enabled policies that are part of your chosen compliance frameworks are used to calculate the risks and metrics on the dashboard. If left blank, all enabled compliance policies are used to calculate the risks and metrics on the dashboard. |
Compliance: Failed policies
Use this metric definition to track compliance policies with violations versus compliance policies with no violations.
Risk Definition | Description |
---|---|
Severity | Choose the severity levels to track for non-compliant policies (due to resources failing assessments). The severity level applies to the compliance policy. |
Frameworks | Choose the Compliance Frameworks to track. Only the policies that are part of your chosen compliance frameworks are used to calculate the risks and metrics on the dashboard. If left blank, all enabled compliance policies are used to calculate the risks and metrics on the dashboard. |
Save Views
See Views Management for general guidance on how to create new views, switch between them, and set your default view.
The Save option becomes available after creating your first view. Click Save on the Dashboard to either:
- Overwrite view - Apply your current filters to your current view and save.
- Save as new - Create a new view based on your current filter selection and configuration.
Save your views to prevent them from being overwritten.
Date Picker
The date picker lets you choose the time period for your Dashboard metric data.
To change the assessment date, click Custom from the drop-down, then select a date from the calendar. After a custom date is selected, use the horizontal arrows to move to the next/previous time period.
View Metrics on the Dashboard
The data displayed on the Dashboard is split into Risk Metrics, Resource Group Metrics, and Top Security Risks.
Your chosen configuration and view determines what metrics are displayed.
View your Alerts
The open alerts in your environment are displayed here, split by severity.
Click a severity link to open the Alerts page with that severity and the chosen date range applied as filters.
View your Risk Metrics
Your risk metrics present the overall percentage change in security posture for each metric. The change is calculated from the total figure at the beginning date of the selected period compared with the total figure at the end date.
Available actions:
- Hover over a risk metric and click the Apply as filter option to only display resource group metrics for that specific risk metric.
- Click the Remove filter option when hovering on the risk metric to switch back.
View your Resource Group Metrics
Your resource group metrics present the overall percentage change in security posture for your chosen risk metrics in each resource group. The change is calculated from the total figures at the beginning date of the selected period compared with the total figures at the end date.
Available actions:
- Sort ascending/descending.
- Sort by a variety of metric data options.
- Search for specific text within a resource group name (for example: entering All AWS Resources displays the default resource group by the same name).
- Hover over a resource group and click the Expanded view option to only display risk metrics for that specific resource group.
- Click Back to all Resource groups to switch back.
View your Top Security Risks
The riskiest resources, identities, and assets for each risk metric are displayed here.
Available actions:
- Click the Refresh option to refresh the table data.
- Click the Download CSV option to download the table in CSV format with additional columns that provide more detail.
- Click the Select columns option to change the columns displayed.
- Click on a column title to sort ascending/descending for that column.
- Click Display to change the number of entries displayed.
Download: CSV Column Descriptions
The tables below describe each column in the downloadable CSVs.
Top identity risks
CSV Column | Description |
---|---|
ACCOUNT_ALIAS | The cloud account alias that the identity is found in. |
ACCOUNT_ID | The cloud account ID (for example, the AWS Account ID) that the identity is found in. |
IDENTITY_NAME | The identity name (for example, the AWS IAM Role name). |
RESOURCE_TAGS | The cloud resource tags found for the identity (if any). |
RISK_SCORE | The Risk Severity of the identity. |
URN | The unique resource name for the identity. |
USED_ENTITLEMENTS_PERCENT | The percentage of the total granted entitlements to this identity that are used. |
IDENTITY_URN | Lacework internal. |
ENTITLEMENTS_COUNT | The number of the total granted entitlements for this identity. |
ENTITLEMENTS_USED_COUNT | The number of the total granted entitlements that are used. |
ENTITLEMENTS_USED_QUARTILE | Lacework internal. |
IDENTITY_TYPE | The type of identity (for example, an AWS instance profile). |
LINKED_IDENTITIES_COUNT | The number of identities that are linked to this identity. When a linked identity is established, it lets users authenticate themselves using their credentials from the external identity provider, and the cloud service provider verifies the identity and grants access based on the linked association. |
RESOURCES_COUNT | The number of resources that the identity is entitled to use. |
RESOURCES_USED_COUNT | The number of resources that the identity has used that it is entitled to. A used resource refers to any digital asset that is utilized or interacted with by users, applications, or processes within the cloud environment. |
SERVICES_COUNT | The number of services that the identity is entitled to access. |
SERVICES_USED_COUNT | The number of services that the identity has accessed that it is entitled to. A used service refers to a specific cloud service that is utilized or interacted with by users, applications, or processes within the cloud environment. |
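The downloaded Top identity risks CSV carries the raw counts behind the "% unused entitlements" risk definition, so the threshold can be re-applied offline and the export sanity-checked before anyone acts on it. The following script is an added example and is not Lacework code: the CSV rows are constructed (example account IDs, URNs and identity names), and the consistency check and threshold helper are the author's own, not a documented Lacework feature.

```python
import csv
import io

# Constructed sample export in the shape of the "Top identity risks" CSV
# columns described above. Every value is made up for illustration (example
# account IDs, URNs and names); none of it is real Lacework output.
SAMPLE_IDENTITY_CSV = """\
ACCOUNT_ALIAS,ACCOUNT_ID,IDENTITY_NAME,RESOURCE_TAGS,RISK_SCORE,URN,USED_ENTITLEMENTS_PERCENT,IDENTITY_URN,ENTITLEMENTS_COUNT,ENTITLEMENTS_USED_COUNT,ENTITLEMENTS_USED_QUARTILE,IDENTITY_TYPE,LINKED_IDENTITIES_COUNT,RESOURCES_COUNT,RESOURCES_USED_COUNT,SERVICES_COUNT,SERVICES_USED_COUNT
prod,111111111111,ci-deploy-role,"{""team"":""platform""}",High,urn:example:iam:role/ci-deploy-role,12.5,internal,400,50,1,AWS IAM Role,0,120,9,15,2
prod,111111111111,app-instance-profile,{},Medium,urn:example:iam:instance-profile/app,75,internal,25,20,4,AWS instance profile,1,30,24,6,5
dev,222222222222,unused-audit-role,{},Low,urn:example:iam:role/unused-audit-role,0,internal,0,0,1,AWS IAM Role,0,0,0,0,0
dev,222222222222,break-glass-admin,{},Critical,urn:example:iam:role/break-glass-admin,2,internal,1000,20,1,AWS IAM Role,0,900,15,40,3
"""

# Columns the page documents as counts; converted to int on load.
COUNT_COLUMNS = (
    "ENTITLEMENTS_COUNT", "ENTITLEMENTS_USED_COUNT", "LINKED_IDENTITIES_COUNT",
    "RESOURCES_COUNT", "RESOURCES_USED_COUNT", "SERVICES_COUNT", "SERVICES_USED_COUNT",
)


def parse_identity_csv(text):
    """Read the export; count columns become int, the percentage becomes float."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for col in COUNT_COLUMNS:
            row[col] = int(row[col])
        row["USED_ENTITLEMENTS_PERCENT"] = float(row["USED_ENTITLEMENTS_PERCENT"])
        rows.append(row)
    return rows


def unused_entitlements_percent(row):
    """Share of granted entitlements the identity has not used.

    An identity with no granted entitlements has nothing unused, so it
    reports 0.0 instead of dividing by zero.
    """
    total = row["ENTITLEMENTS_COUNT"]
    if total == 0:
        return 0.0
    return 100.0 * (total - row["ENTITLEMENTS_USED_COUNT"]) / total


def identities_over_threshold(rows, threshold_percent):
    """Identities at or above the '% unused entitlements' threshold, most unused first."""
    flagged = []
    for row in rows:
        unused = unused_entitlements_percent(row)
        if unused >= threshold_percent:
            flagged.append((row["IDENTITY_NAME"], unused))
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def inconsistent_rows(rows, tolerance=0.05):
    """Names of rows whose USED_ENTITLEMENTS_PERCENT disagrees with the raw counts.

    A mismatch usually means a truncated or hand-edited export, so run this
    before trusting the ranking. Rows with zero entitlements are skipped
    because the percentage is undefined for them.
    """
    bad = []
    for row in rows:
        total = row["ENTITLEMENTS_COUNT"]
        if total == 0:
            continue
        expected_used = 100.0 * row["ENTITLEMENTS_USED_COUNT"] / total
        if abs(expected_used - row["USED_ENTITLEMENTS_PERCENT"]) > tolerance:
            bad.append(row["IDENTITY_NAME"])
    return bad


if __name__ == "__main__":
    rows = parse_identity_csv(SAMPLE_IDENTITY_CSV)
    for name, unused in identities_over_threshold(rows, 50):
        print(f"{name}: {unused:.1f}% of granted entitlements unused")
    print("rows to re-check:", inconsistent_rows(rows))
```

Replace `SAMPLE_IDENTITY_CSV` with the contents of a real download to reproduce the dashboard's threshold on your own data; the consistency check is worth keeping, since a row whose percentage and counts disagree should be re-exported rather than triaged.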
Top non-compliant resources
CSV Column | Description |
---|---|
RESOURCE_ID | The resource identifier (can be the same as the URN or a short name). |
URN | The unique resource name. |
RULE_ID_VIOLATIONS | The total number of compliance policy violations on the resource. |
NUM_REC_ID | An array of frameworks containing compliance policies that apply to this resource. |
NUM_CRITICAL_VIOLATIONS | The number of critical severity compliance policy violations on the resource. |
NUM_HIGH_VIOLATIONS | The number of high severity compliance policy violations on the resource. |
NUM_MEDIUM_VIOLATIONS | The number of medium severity compliance policy violations on the resource. |
NUM_LOW_VIOLATIONS | The number of low severity compliance policy violations on the resource. |
NUM_INFO_VIOLATIONS | The number of info severity compliance policy violations on the resource. |
Top vulnerable containers
CSV Column | Description |
---|---|
IMAGE_ID | The SHA-256 identifier of the image. |
IMAGE_REGISTRY | The image registry. |
IMAGE_REPO | The image repository. |
RISK_SCORE | LW Risk Score for the image. |
INTERNET_REACHABLE | Whether one or more containers using this image are exposed to the internet or not. |
NUM_VULN | Total number of vulnerabilities found on the image. |
NUM_CRITICAL_VULNS | Number of Critical vulnerabilities found on the image. |
NUM_HIGH_VULNS | Number of High vulnerabilities found on the image. |
NUM_MEDIUM_VULNS | Number of Medium vulnerabilities found on the image. |
NUM_LOW_VULNS | Number of Low vulnerabilities found on the image. |
NUM_INFO_VULNS | Number of Info vulnerabilities found on the image. |
NUM_FIXABLE_CRITICAL_VULNS | Number of Critical and Fixable vulnerabilities found on the image. |
NUM_FIXABLE_HIGH_VULNS | Number of High and Fixable vulnerabilities found on the image. |
NUM_FIXABLE_MEDIUM_VULNS | Number of Medium and Fixable vulnerabilities found on the image. |
NUM_FIXABLE_LOW_VULNS | Number of Low and Fixable vulnerabilities found on the image. |
NUM_FIXABLE_INFO_VULNS | Number of Info and Fixable vulnerabilities found on the image. |
Top vulnerable hosts
CSV Column | Description |
---|---|
HOSTNAME | The internal hostname of the machine. |
MID | The Machine ID for the host. |
RISK_SCORE | LW Risk Score for the host. |
INTERNET_REACHABLE | Whether the host is exposed to the internet or not. |
NUM_VULN | Total number of vulnerabilities found on the host. |
NUM_CRITICAL_VULNS | Number of Critical vulnerabilities found on the host. |
NUM_HIGH_VULNS | Number of High vulnerabilities found on the host. |
NUM_MEDIUM_VULNS | Number of Medium vulnerabilities found on the host. |
NUM_LOW_VULNS | Number of Low vulnerabilities found on the host. |
NUM_INFO_VULNS | Number of Info vulnerabilities found on the host. |
NUM_FIXABLE_CRITICAL_VULNS | Number of Critical and Fixable vulnerabilities found on the host. |
NUM_FIXABLE_HIGH_VULNS | Number of High and Fixable vulnerabilities found on the host. |
NUM_FIXABLE_MEDIUM_VULNS | Number of Medium and Fixable vulnerabilities found on the host. |
NUM_FIXABLE_LOW_VULNS | Number of Low and Fixable vulnerabilities found on the host. |
NUM_FIXABLE_INFO_VULNS | Number of Info and Fixable vulnerabilities found on the host. |
MACHINE_IMAGE | The machine image for the host (for example, an AMI ID). |
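The Top vulnerable containers and Top vulnerable hosts CSVs share the same per-severity and fixable columns, so the three switches from the container and host risk definitions (internet exposed only, fixable only, severity levels) can be applied to either export to reproduce the ranking and to check that the totals add up. The script below is an added example, not Lacework code: the host rows are constructed (example hostnames, machine IDs, scores and AMI IDs), the `true`/`false` encoding of `INTERNET_REACHABLE` is an assumption because the page only describes it as a yes/no flag, and the export check is the author's own. Pass `name_col="IMAGE_REPO"` to use the same functions on the container export.

```python
import csv
import io

# Constructed sample export in the shape of the "Top vulnerable hosts" CSV
# columns described above. Hostnames, machine IDs, risk scores and AMI IDs
# are made up for illustration; nothing here is real Lacework output.
SAMPLE_HOST_CSV = """\
HOSTNAME,MID,RISK_SCORE,INTERNET_REACHABLE,NUM_VULN,NUM_CRITICAL_VULNS,NUM_HIGH_VULNS,NUM_MEDIUM_VULNS,NUM_LOW_VULNS,NUM_INFO_VULNS,NUM_FIXABLE_CRITICAL_VULNS,NUM_FIXABLE_HIGH_VULNS,NUM_FIXABLE_MEDIUM_VULNS,NUM_FIXABLE_LOW_VULNS,NUM_FIXABLE_INFO_VULNS,MACHINE_IMAGE
web-01,1001,92,true,40,3,10,15,10,2,2,6,5,1,0,ami-EXAMPLE01
db-01,1002,75,false,20,1,5,8,6,0,1,2,3,0,0,ami-EXAMPLE02
bastion-01,1003,60,true,13,0,2,6,4,0,0,0,1,1,0,ami-EXAMPLE03
batch-07,1004,88,true,30,4,6,10,10,0,3,5,4,2,0,ami-EXAMPLE04
"""

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO")


def parse_vuln_csv(text):
    """Read the export; every NUM_* column becomes an int, other columns stay strings."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for col, value in list(row.items()):
            if col.startswith("NUM_"):
                row[col] = int(value)
        rows.append(row)
    return rows


def is_internet_reachable(row):
    """ASSUMPTION: the page only says INTERNET_REACHABLE is a yes/no flag, so accept common spellings."""
    return row["INTERNET_REACHABLE"].strip().lower() in ("true", "yes", "1")


def tracked_vuln_count(row, severities, fixable_only):
    """Vulnerabilities on one row that the chosen risk definition would count."""
    prefix = "NUM_FIXABLE_" if fixable_only else "NUM_"
    return sum(row[f"{prefix}{sev}_VULNS"] for sev in severities)


def rank_by_tracked_vulns(rows, name_col, severities=("CRITICAL", "HIGH"),
                          fixable_only=True, internet_exposed_only=True):
    """Apply the three risk-definition switches and rank rows, largest count first (ties by name)."""
    ranked = []
    for row in rows:
        if internet_exposed_only and not is_internet_reachable(row):
            continue
        count = tracked_vuln_count(row, severities, fixable_only)
        if count > 0:
            ranked.append((row[name_col], count))
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def check_export(rows, name_col):
    """Names of rows where NUM_VULN is not the sum of the per-severity counts,
    or where a fixable count exceeds its severity total.

    Either condition means the export was truncated or edited and should be
    re-downloaded rather than triaged.
    """
    bad = []
    for row in rows:
        per_severity = sum(row[f"NUM_{sev}_VULNS"] for sev in SEVERITIES)
        fixable_ok = all(
            row[f"NUM_FIXABLE_{sev}_VULNS"] <= row[f"NUM_{sev}_VULNS"] for sev in SEVERITIES
        )
        if per_severity != row["NUM_VULN"] or not fixable_ok:
            bad.append(row[name_col])
    return bad


if __name__ == "__main__":
    rows = parse_vuln_csv(SAMPLE_HOST_CSV)
    print("exposed hosts by fixable Critical+High:", rank_by_tracked_vulns(rows, "HOSTNAME"))
    print("all hosts by total vulnerabilities:",
          rank_by_tracked_vulns(rows, "HOSTNAME", SEVERITIES, fixable_only=False,
                                internet_exposed_only=False))
    print("rows to re-check:", check_export(rows, "HOSTNAME"))
```

The default arguments mirror a common dashboard configuration (internet exposed only, fixable only, Critical and High); loosening them shows how much of the total backlog the dashboard's filtered view leaves out, which is useful when explaining the numbers to an audience that only sees the filtered figure.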
Top resources by attack paths
CSV Column | Description |
---|---|
URN | The unique resource name. |
RESOURCE_ID | The resource identifier (can be the same as the URN or a short name). |
INTERNET_REACHABLE | Whether the resource is exposed to the internet or not. |
NUM_CRITICAL_PATHS | Number of Critical severity attack paths found for the resource. |
NUM_HIGH_PATHS | Number of High severity attack paths found for the resource. |
NUM_MEDIUM_PATHS | Number of Medium severity attack paths found for the resource. |
NUM_LOW_PATHS | Number of Low severity attack paths found for the resource. |
NUM_INFO_PATHS | Number of Info severity attack paths found for the resource. |
NUM_PATHS | Total number of attack paths found for the resource. |
Lacework Organization Dashboard
When logged in as a Lacework Organization admin/user, the following differences apply:
- Instead of selecting and viewing resource groups during configuration, you can select and view Lacework Organization sub-accounts.
- Once the sub-accounts are selected, each individual sub-account is displayed with condensed trend charts for all chosen risk metrics.
- For each sub-account, click the Go to account option to be taken to the sub-account's dashboard.
- When downloading Top Security Risk CSVs, an additional ACCOUNT_KEY column describes the Lacework sub-account that the entity belongs to.
Alert overview by sub-accounts
The Lacework Organization dashboard displays an alert summary for each sub-account in a table.
Available actions:
- Use the Sort option to adjust the table as desired.
- Use the Search to find accounts by name.
- Click the Download option to download the table in CSV format.
- Click the Table settings option to change the table style and the columns displayed.
- Click on a column title to sort ascending/descending for that column.
- Click and drag a column title to adjust the order of the columns.
- Click on an account row value to be taken to the sub-account's dashboard or alerts page with the relevant filter applied.
- Click Display to change the number of entries displayed.
FAQs
Why are some cloud accounts showing as non-compliant when they contain no related resources?
Cloud accounts can be displayed as a non-compliant resource even when there is no related resource (within the account) that can be assessed for compliance.
This will occur if the cloud account is missing a resource that is required to ensure compliance of the account.
For example, lacework-global-65 requires that a log metric filter and alarm exist for VPC changes. If neither the filter nor the alarm exists, the AWS account is marked as non-compliant.
To check the cause of the non-compliance:
- Click the cloud account's row in the Top non-compliant resources table.
- Click the hyperlink under Compliance Findings in the resource overview.
The Related Compliance Violations for the cloud account are then displayed.
Related to this, a fix was released on 25th March 2024 to include cloud accounts that are non-compliant due to compliance policy violations (even when there is no related resource for the cloud account).
Top non-compliant resources: Why are some AWS resources listed with a Lacework unique resource name (URN) instead of an Amazon resource name (ARN)?
When there is no associated ARN found for an AWS resource, Lacework will display a generated unique resource name instead.