Lacework Console - Host Vulnerabilities

View Vulnerabilities

The Host vulnerabilities page displays current vulnerabilities and previous vulnerabilities that were fixed. Select Vulnerabilities > Hosts in the Lacework Console to view this page.

Note: AWS Fargate containers do not show on the host vulnerability page.

Tabs

By default, the list displays vulnerabilities that are grouped by host and from the past day.

To change how the list groups vulnerabilities, select a different tab:

  • Host
  • CVE
  • AMI ID
  • Account
  • Zone
  • Package Name
  • Application (Windows)
  • Package Namespace

Use the search function at the top of the page to find specific text in any of the details available on the page. You can also click the search field to select values and operators to filter your search (these vary depending on the tab you have selected).

Apply an operator that helps refine your search (these vary depending on the type of filter).

When searching for package or Windows application names on hosts, the results contain both vulnerable and non-vulnerable packages and applications.

Filters

You can use the following methods to refine the list of vulnerabilities displayed:

  • Use the search function at the top of the page to find specific text in any of the details for all images.
  • Click the filter dropdowns along the top of the page, select your desired matches and then click Show results to make them active.
    • To remove an active filter, deselect the checkbox in the corresponding filter dropdown and then click Show results.
    • Click Reset in the filter dropdowns or in the row of filters to reset all filters.
    • You can also click on the tags in the vulnerabilities list to use them as filters.

Resource Group

Display vulnerability assessment results for the selected resource groups.

Fixability

Tip: In the Host, AMI ID, Account, and Zone tabs, this filter functions as an AND operator when paired with one or more Severity levels.

For example, Fixability = Yes and Severity = Critical lists hosts with at least one CVE that is critical and fixable.

Host, AMI ID, Account, and Zone tab fixable filter definitions:

  • Yes - The hosts listed contain fixable packages and Windows applications for the vulnerabilities found.
  • No - The hosts listed contain unfixable packages and Windows applications for the vulnerabilities found.

CVE, Package Name, and Package Namespace tab fixable filter definitions:

  • Yes - The vulnerabilities listed are for fixable packages and Windows applications.
  • No - The vulnerabilities listed are for unfixable packages and Windows applications.

Severity

Tip: In the Host, AMI ID, Account, and Zone tabs, this filter functions as an AND operator when paired with one or more Fixability levels.

For example, Severity = Critical and Fixability = Yes lists hosts with at least one CVE that is critical and fixable.

  • Host, AMI ID, Account, and Zone tabs: Display hosts that have vulnerabilities at the selected severity level (for example: Critical, High).
  • CVE, Package Name, and Package Namespace tabs: Display vulnerabilities (found in your environment) with the selected severity level (for example: Critical).

Machine Status

Lacework bases the machine status on the last hour’s Agent heartbeat. This lets you filter out ephemeral machines that are currently offline and helps you to understand fleet risk.

  • Online - The Lacework Agent sent a heartbeat in the last hour.
  • Offline - The Lacework Agent did not send a heartbeat in the last hour.

Scan Status

Host, AMI ID, Account, and Zone tab scan status filter definitions:

  • Successful - Matches hosts that were successfully scanned for vulnerabilities.
  • Failed - Matches hosts that couldn't be scanned due to an error.
  • Unsupported - Matches hosts that couldn't be scanned due to running an unsupported operating system.

Coverage Type

Host, AMI ID, Account, and Zone tab coverage type filter definitions (each option is mutually exclusive):

  • Agent - The vulnerability assessment data has only been collected by a Lacework Agent installed on the host.
  • Agentless - The vulnerability assessment data has only been collected through an Agentless Workload Scanning integration.
  • Agent and Agentless - The vulnerability assessment data has been collected by a combination of a Lacework Agent installed on the host and an Agentless Workload Scanning integration. Only the Agentless Workload Scanning assessments are shown as they include scanning data of language libraries on hosts (if present).

Scanner Type filter deprecation

Scanner Type has been deprecated in favor of this filter.

EOL Date

Host, AMI ID, Account, and Zone tab OS end of life (EOL) filter definitions:

  • Currently EOL - Matches all Linux hosts whose operating system EOL date is in the past.
  • EOL within 30 days - Matches all Linux hosts whose operating system EOL date is within 30 days from now.
  • EOL within 90 days - Matches all Linux hosts whose operating system EOL date is within 90 days from now.

Internet Exposure

The vulnerability's internet exposure value is derived from the Exposure Polygraph / Attack Path Analysis feature.

Host, AMI ID, Account, and Zone tab internet exposure filter definitions:

  • Yes - Matches all hosts that have been determined as exposed to the internet during the latest Agentless or Agent scan.
  • No - Matches all hosts that have been determined as not exposed to the internet during the latest Agentless or Agent scan.
  • Unknown - Matches all hosts where the internet exposure status could not be determined.

Each host assessment contains tags for the internet exposure status and when the status was last updated. The internet exposure status depends on the last update in a given time range (including up to 24 hours prior to the start time).

Note: Internet exposure deprecates the public facing filter.

Account

Filter for certain cloud accounts using this filter in the Host, AMI ID, Account, and Zone tabs. Apply an operator (for example: matches) to help constrain your search.

CVE

Filter for certain vulnerability IDs (CVEs) using this filter in the Host, AMI ID, Account, and Zone tabs. Apply an operator (for example: includes) to help constrain your search.

Hostname

Filter for certain hostnames using this filter in the Host, AMI ID, Account, and Zone tabs. Apply an operator (for example: excludes) to help constrain your search.

Machine ID

Filter for certain machine IDs using this filter in the Host, AMI ID, Account, and Zone tabs. Apply an operator (for example: does not match) to help constrain your search.

The Machine ID (or MID) is a Lacework generated identifier for the machine when it is first discovered.

Machine Tags

Filter for certain machine tags using this filter in the Host, AMI ID, Account, and Zone tabs. Search for specific tag values or check the tags you want to display.

Machine tags are metadata associated with the host (for example: AWS Instance metadata).

Vulnerability Status

CVE, Package Name, and Package Namespace tab vulnerability status filter definitions:

  • New - Vulnerability was detected for the first time during the last assessment.
  • Unpatched - Vulnerability was detected and has been active longer than a day (since the last assessment).
  • Fixed - Vulnerability was not detected in consecutive assessments.
  • Reopened - Vulnerability was fixed, but has been detected again.

Package Status

This filter relates to the active package detection feature.

Note: Active package detection is only supported on Linux hosts and containers. It is not supported on Microsoft Windows hosts and containers.

Host, AMI ID, Account, and Zone tab package status filter definitions:

  • Active - The Lacework Agent on the host detected that a process accessed a file in the package in the last 30 days.
  • Inactive - The Lacework Agent on the host did not detect any process accessing a file in the package in the last 30 days.
  • Unknown - The host has a Lacework Agent installed, but active package detection is not enabled on the agent. Therefore, the package status cannot be determined.
  • N/A - The host does not have a Lacework Agent installed, therefore, the package status cannot be determined.

CVE, Package Name, and Namespace tab package status filter definitions:

  • Active - The Lacework Agent (on at least one host) detected that a process accessed a file in the vulnerable package in the last 30 days.
  • Inactive - The Lacework Agents installed on all the hosts did not detect any process accessing a file in the vulnerable package in the last 30 days.
  • Unknown - The hosts shown for this vulnerability have a Lacework Agent installed, but active package detection is not enabled on the agents. Therefore, the package status for this vulnerability cannot be determined on these hosts.
  • N/A - The hosts shown do not have a Lacework Agent installed, therefore, the package status for this vulnerability cannot be determined on these hosts.

API values for Package Status

| Console | API |
| --- | --- |
| Active | 1 |
| Inactive | -1 |
| Unknown | 0 |
| N/A | -2 |

Monitored by CAA

Filter for hosts that are monitored by Lacework Agents with active package detection enabled by using this filter in the Host, AMI ID, Account, and Zone tabs.

Host, AMI ID, Account, and Zone tab monitored by Code Aware Agent (CAA) filter definitions:

  • Yes - The host is monitored by a Lacework Agent with active package detection enabled, and the agent detected some package activity on the host within the last 24 hours.
  • No - This can be either of the following:
    • The host is monitored by a Lacework Agent with active package detection enabled, but the agent did not detect any package activity on the host within the last 24 hours.
    • The host is monitored by a Lacework Agent, but active package detection is not enabled on the agent.
    • The host does not have a Lacework Agent installed.

Kernel Status

CVE, Package Name, and Namespace tab kernel status filter definitions:

  • Active Kernel - Vulnerability has been found on a kernel package for an active kernel.
  • Inactive Kernel - Vulnerability has been found on a kernel package for an inactive kernel.

Note: If the Kernel Status field value is empty, the Kernel Status field is not applicable because the vulnerability exists on a non-kernel package.

Package/Application Name

Filter for package names or Windows application names using this filter in the CVE, Package Name, and Namespace tabs. Apply an operator (for example: starts with) to help constrain your search.

Package/Application Namespace

Filter for package or Windows application namespaces using this filter in the CVE, Package Name, and Namespace tabs. Apply an operator (for example: ends with) to help constrain your search.

Package/Application Version

Filter for package versions using this filter in the CVE, Package Name, and Namespace tabs. Apply an operator (for example: matches) to help constrain your search.

Fixed Version

Filter for the package, Microsoft KB article, or Windows application version you can install to fix the vulnerability using this filter in the CVE, Package Name, and Namespace tabs. Apply an operator (for example: includes) to help constrain your search.

OS

Filter for operating system-specific vulnerabilities.

OS filter definitions:

  • Windows - Vulnerability has been found on a Windows host.
  • Linux - Vulnerability has been found on a Linux host.

Windows Host Reboot

Filter for vulnerabilities on Windows hosts that require or do not require a reboot.

Group by Host Windows host reboot filter definitions:

  • Required - Vulnerability has been found on a Windows host that requires a reboot to ensure that all patches are installed correctly.
  • Not required - Vulnerability has been found on a Windows host that does not need to be rebooted to ensure that all patches are installed correctly.

Windows Automated Updates

Filter for vulnerabilities on Windows hosts on which Windows Server Update Services is enabled or disabled.

Group by Host Windows automated updates filter definitions:

  • Enabled - Vulnerability has been found on a Windows host on which Windows Server Update Services is enabled.
  • Disabled - Vulnerability has been found on a Windows host on which Windows Server Update Services is disabled. Lacework recommends enabling Windows Server Update Services on hosts to ensure that the latest product and security updates are automatically installed.

Exploit Available

Filter to determine whether there is a public exploit available for a vulnerability.

  • Host, AMI ID, Account, and Zone tabs: When set to Yes, the hosts displayed have at least one vulnerability with a public exploit available.
  • CVE, Package Name, and Namespace tabs: When set to Yes, the vulnerabilities displayed have a public exploit available.

CVSS Score

Filter for the Common Vulnerability Scoring System (CVSS) score of a vulnerability.

Select a minimum and maximum range between 0 and 10 to apply the filter. Enter the same number for both minimum and maximum to only filter for that number.

  • Host, AMI ID, Account, and Zone tabs: The hosts displayed have at least one vulnerability within the CVSS score range specified.
  • CVE, Package Name, and Namespace tabs: The vulnerabilities displayed are within the CVSS score range specified.

CVSS Vectors

Filter for Common Vulnerability Scoring System (CVSS) vectors relating to a vulnerability by using this filter in the CVE, Package Name, and Namespace tabs.

The vectors help determine the exploitability, scope, and impact of the vulnerability. Each vector is individually filterable with contextual options.

Remote attack vector

Describes the conditions an attacker must meet to reach the vulnerable component and exploit the vulnerability.

Available options (Local and Physical are not measured in this context):

  • Adjacent Network - The attacker must have access to the same local area network (LAN) as the targeted system to exploit the vulnerability.
  • Network - The vulnerability can be exploited remotely over a network.

Learn more about attack vectors here.

Attack complexity

Measures the level of complexity required for an attacker to exploit the vulnerability.

Available options:

  • High - The vulnerability is difficult to exploit, requiring specialized knowledge, sophisticated tools, or a complex set of conditions to be met before the attack can succeed.
  • Low - The vulnerability can be easily exploited, typically with little or no interaction from the attacker.

Learn more about attack complexity here.

Privileges required

Indicates the privileges an attacker needs to exploit the vulnerability.

Available options:

  • Yes - The attacker needs either administrative/root-level or non-administrative privileges to exploit the vulnerability.
  • No - The vulnerability can be exploited without any special privileges.

Learn more about required privileges here.

User interaction

Assesses whether user interaction is required for the vulnerability to be exploited.

Available options:

  • Required - A successful exploit of the vulnerability requires interaction from either an authenticated user or an unauthenticated user.
  • None - The vulnerability can be exploited without any interaction from any user.

Learn more about user interaction here.

Scope

Defines the extent of impact on the vulnerable component and surrounding components.

Available options:

  • Changed - The vulnerability's exploitation can affect resources beyond the vulnerable component.
  • Unchanged - The vulnerability's exploitation does not impact resources beyond the vulnerable component.

Learn more about scope here.

Availability impact

Assesses the potential impact on system availability if the vulnerability is exploited.

Available options:

  • Yes - The vulnerability's exploitation can either cause a partial impact or completely disrupt the availability of the affected component or system.
  • No - The vulnerability's exploitation does not have any impact on the availability of the affected component or system.

Learn more about availability impact here.

Confidentiality/Integrity impact

Evaluates the potential impact on confidentiality and data integrity if the vulnerability is exploited.

Available options:

  • Yes - The vulnerability's exploitation can cause a partial impact or can completely compromise the confidentiality of sensitive data or the integrity of data.
  • No - The vulnerability's exploitation does not have any impact on the confidentiality of sensitive data or the integrity of data.

Learn more about confidentiality impact here and integrity impact here.

Time Range

To change the time period, select a different one from the drop-down or use the horizontal arrows to move to the next/previous period. Select from the following past periods: hour, day, three days, week, month, or a Custom range.

Only information found during assessment of the specified date range is displayed.

Save View

When the page displays your desired vulnerability data, click Save or Create view in the top right corner. This allows you to access the saved view later. You can also copy the link to a saved view by opening the list of saved views and clicking the Share view icon of the view you want to share. You can then send that link to others, so they can see the same view. For more details about saved views, refer to Views Management.

Statistics

The statistics depict data for the current view:

  • 24-hour coverage (percentage) = (Number of hosts successfully scanned for vulnerabilities / Number of hosts discovered through Agents, Agentless and Cloud integrations) x 100. This figure is based on the last 24 hours.
  • MTTR = Mean Time to Resolve (MTTR) in days.
  • Hosts with Critical or High Severities = Number of scanned hosts with at least one critical vulnerability + Number of scanned hosts with at least one high vulnerability.
  • Hosts monitored by Code Aware Agent (CAA) = Number of hosts on which some package activity was detected within the last 24 hours by a Lacework Agent with active package detection enabled / Number of hosts that have been successfully scanned.

Charts

Open Vulnerabilities

The chart depicts open vulnerabilities. Hover your mouse over the Open vulnerabilities chart to see the vulnerabilities by filtered severity for that date. Hover over the filter icon to see the active filters that are influencing the chart.

Note: The Open vulnerabilities chart always displays a minimum of one week's results even if the time range is set to less than a week. You can go back up to three months from today's date.

Charts in the Host, AMI ID, Account, and Zone Tabs

If you select the Host, AMI ID, Account, or Zone tab, a sunburst chart appears in the row for each host. You can click on the host row for more details. A detailed sunburst chart is displayed on the CVE tab.

Info: The numbers of vulnerabilities detailed in the sunburst chart represent only the unique vulnerabilities that Lacework discovers. As one vulnerability can affect multiple packages or Windows applications, the total vulnerabilities in the list can be greater.

Additionally, active filters specific to packages and Windows applications (such as Package/Application name, Fixed version, etc) will not influence this chart.

Charts in the CVE, Package Name, Package Namespace, and Application (Windows) Tabs

If you select the CVE, Package Name, or Package Namespace tab, a sunburst chart appears in the row for each vulnerability. You can click on the vulnerability row for more details. The same sunburst chart is then displayed on the Hosts tab.

Vulnerabilities List

Below the overview is the vulnerabilities list. The information displayed depends on how the vulnerabilities are grouped.

The vulnerability list allows you to Refresh data, Download CSV, and sort.

Click a tag link in a row to reload the vulnerability list with the tag as the filter. For example, in the Group by Host view, click the Account: account-name tag in a row to view only the vulnerabilities for hosts in that cloud account.

Download CSV

Note: Hosts with zero vulnerabilities are not listed in the CSV report.

There is a limit of 500,000 rows per report.

Click on the Download icon to generate a vulnerability report in CSV format.

The following options are available depending on which tab is selected:

  • In the CVE, Package Name, and Package Namespace tabs, the Download option provides the Simplified CSV.
  • In the Host, AMI ID, Account, and Zone tabs, choose from Simplified or Detailed for your CSV report.

Once you have selected the report type, click Start the download. A popup appears once the report is ready to download. You can also view available and in-progress downloads on the Downloads page.

Some reports are compressed in Gzip format. You can decompress them using the following command:

Example

    gzip -d 'Host Vulnerabilities Simplified CSV.csv.gz'

Do not use tar, as the format will be unrecognized.

Simplified CSV

Your active filters or tags control which Hosts or CVEs are listed in the CSV report.

Both types list when the last assessment was performed on the Host/CVE.

  • Host, AMI ID, Account, and Zone tabs: The CSV is indexed by Hostname and provides details about the host and a summary of the number of vulnerabilities found (categorized into severity and fixability).

    | CSV Column | Description |
    | --- | --- |
    | HOST_NAME | The hostname of the machine. |
    | UP_TIME_MINS | The uptime of the host in minutes. |
    | RISK_SCORE | LW Risk Score for the host. |
    | RISK_INFO | Lacework internal. |
    | ACCOUNT | The cloud account identifier associated with the host. |
    | EVAL_GUID | Lacework internal. |
    | INTERNAL_IP | The internal IP of the host. |
    | EXTERNAL_IP | The external IP of the host (if applicable). |
    | MACHINE_TAGS | The Machine Tags of the host. |
    | HOST_TYPE | The Machine Status of the host. |
    | EVAL_STATUS | Whether the host was successfully evaluated or not (equivalent to Scan Status). |
    | EVAL_MSG | The reason for the evaluation failure on the host (if applicable). |
    | NUM_VULNERABILITIES | Total number of vulnerabilities found on the host. |
    | NUM_FIXES | Total number of fixable vulnerabilities found on the host. |
    | NUM_VULNERABILITIES_SEVERITY_1 | Number of Critical vulnerabilities found on the host. |
    | NUM_VULNERABILITIES_SEVERITY_2 | Number of High vulnerabilities found on the host. |
    | NUM_VULNERABILITIES_SEVERITY_3 | Number of Medium vulnerabilities found on the host. |
    | NUM_VULNERABILITIES_SEVERITY_4 | Number of Low vulnerabilities found on the host. |
    | NUM_VULNERABILITIES_SEVERITY_5 | Number of Info vulnerabilities found on the host. |
    | NUM_VULNERABILITIES_FIX_SEVERITY_1 | Number of Critical and Fixable vulnerabilities found on the host. |
    | NUM_VULNERABILITIES_FIX_SEVERITY_2 | Number of High and Fixable vulnerabilities found on the host. |
    | NUM_VULNERABILITIES_FIX_SEVERITY_3 | Number of Medium and Fixable vulnerabilities found on the host. |
    | NUM_VULNERABILITIES_FIX_SEVERITY_4 | Number of Low and Fixable vulnerabilities found on the host. |
    | NUM_VULNERABILITIES_FIX_SEVERITY_5 | Number of Info and Fixable vulnerabilities found on the host. |
    | LAST_EVAL_TIME | The last time the host was evaluated for vulnerabilities. |
    | MID | The Machine ID for the host. |
    | OS_NAMESPACE | The operating system namespace in <os>:<version> format (for example: ubuntu:18.04). |
    | EOL_DATE | The EOL Date for the operating system on the Linux host. |
    | COLLECTOR_TYPE | The collector type for the host. |
    | COVERAGE_TYPES | The Coverage type(s) for the host. |
    | PUBLIC_FACING | Deprecated - see INTERNET_EXPOSURE. |
    | INTERNET_EXPOSURE | Whether the host has been exposed to the internet or not. |
    | INTERNET_EXPOSURE_LAST_UPDATED | The last time internet exposure was determined on the host. |
    | OS | The operating system of the host. |
    | UPDATES_DISABLED | Whether Windows Server Update Services is disabled on a Windows host. Lacework recommends enabling Windows Server Update Services on hosts to ensure that the latest product and security updates are automatically installed. |
    | REBOOT_REQUIRED | Whether the Windows host requires a reboot to ensure that all patches are installed correctly. |
    | OS_OUT_OF_DATE | Lacework internal. |
    | CAA_ENABLED | Whether active package detection is enabled on the agent running on the host. |

  • CVE, Package Name, and Package Namespace tabs: The CSV is indexed by Vulnerability (CVE) ID and provides details on the vulnerability and affected package or Windows application.

    | CSV Column | Description |
    | --- | --- |
    | Age of public exploit | The age of the public exploit related to the vulnerability. |
    | Vulnerability ID | The identifier for the vulnerability. |
    | PACKAGE | Details about the vulnerability for the affected package or Windows application. |
    | PACKAGE_TAGS | Same as PACKAGE. |
    | LAST ASSESSMENT | The time and date when the vulnerability was last found on an affected host during a scan. |
    | Impact Score | LW Risk Score for the vulnerability. |
    | Exploit available | Whether there is a public exploit available for this vulnerability or not. |
    | Age of public exploit tooltip | The date that the public exploit was published for this vulnerability in MM/DD/YY format. |

Detailed CSV

Note: The report always contains at least 3 days of data prior to the end time (unless the start time/date is older than 3 days).

Your active filters or tags control which Hosts are listed in the CSV report.

The Detailed CSV is indexed by Machine ID (MID) and lists details on all the CVEs applicable to the Host in each row.

| CSV Column | Description |
| --- | --- |
| MID | The Machine ID for the host. |
| HOSTNAME | The internal hostname of the machine. |
| VULN_ID | The identifier for the vulnerability. If \N is displayed, then the package on the specified filepath has no vulnerability associated with it. |
| SEVERITY | The severity of the vulnerability. |
| STATUS | Status of the vulnerability: New - Vulnerability was detected for the first time during the last assessment. Active - Vulnerability was detected in consecutive assessments. Reopened - Vulnerability was fixed, but has been detected again. Fixed - Vulnerability was not detected in consecutive assessments. Exception - A vulnerability exception has been applied to this vulnerability, or the vulnerability was found on an inactive kernel. |
| FIX_AVAILABLE | Whether a fix is available for the vulnerability: "1" = Fix available. "0" = No fix available. |
| PACKAGE_NAME | The package or Windows application name where the vulnerability was found. |
| PACKAGE_NAMESPACE | The package or Windows application namespace where the vulnerability was found. |
| PACKAGE_ACTIVE | The package status on the host: Active, Unknown, Inactive, or N/A (No agent available). |
| PACKAGE_PATH | The package file path on the host (if available). |
| VERSION_INSTALLED | The current version of the affected package or Windows application. |
| FIXED_VERSION | The fixed version of the affected package or Windows application. |
| EXTERNAL_IP | The external IP of the host (if applicable). |
| INTERNAL_IP | The internal IP of the host. |
| HOST_TYPE | The Machine Status of the host. |
| INTERNET_EXPOSURE | Whether the host has been exposed to the internet or not. |
| INTERNET_EXPOSURE_LAST_UPDATED | The last time internet exposure was determined on the host. |
| UP_TIME_MINS | The uptime of the host in minutes. |
| COLLECTOR_TYPE | The collector type for the host. |
| COVERAGE_TYPES | The Coverage type(s) for the host. |
| ACCOUNT | The cloud account identifier associated with the host. |
| EOL_DATE | The EOL Date for the operating system on the host. |
| RISK_SCORE | LW Risk Score for the host. |
| MACHINE_TAGS | The Machine Tags of the host. |
| EVAL_GUID | Lacework internal. |
| START_TIME | The start time of the latest scan of the host. |
| END_TIME | The end time of the latest scan of the host. |
| EVAL_STATUS | Whether the host was successfully evaluated or not (equivalent to Scan Status). |
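
Added example (not Lacework code): a Python script that reads a gzip-compressed Detailed CSV and orders hosts for patching using the column values documented above (the \N marker, STATUS, FIX_AVAILABLE, PACKAGE_ACTIVE). The sample rows and CVE IDs are constructed, and the SEVERITY and INTERNET_EXPOSURE values are assumed to use the same labels as the Console filters.

```python
import csv
import gzip
import io

# Values documented on this page for the Detailed CSV.
OPEN_STATUSES = {"New", "Active", "Reopened"}  # "Fixed" and "Exception" rows are skipped
NO_VULN_MARKER = r"\N"  # VULN_ID for a package with no associated vulnerability
# Assumption: SEVERITY and INTERNET_EXPOSURE use the same labels as the Console filters.
SEVERITY_RANK = {"Critical": 1, "High": 2, "Medium": 3, "Low": 4, "Info": 5}
EXPOSED = "Yes"

# Constructed sample, trimmed to the columns used below; CVE IDs are placeholders.
SAMPLE_CSV = r"""MID,HOSTNAME,VULN_ID,SEVERITY,STATUS,FIX_AVAILABLE,PACKAGE_NAME,PACKAGE_NAMESPACE,PACKAGE_ACTIVE,VERSION_INSTALLED,FIXED_VERSION,INTERNET_EXPOSURE
101,web-1,CVE-0000-0001,Critical,Active,1,libexample,ubuntu:18.04,Active,1.0-1,1.0-2,Yes
101,web-1,CVE-0000-0002,High,New,1,exampled,ubuntu:18.04,Inactive,2.3,2.4,Yes
101,web-1,CVE-0000-0003,Critical,Fixed,1,libexample,ubuntu:18.04,Active,1.0-1,1.0-2,Yes
101,web-1,\N,,,,cleanpkg,ubuntu:18.04,Active,5.1,,Yes
202,batch-7,CVE-0000-0001,Critical,Reopened,1,libexample,ubuntu:18.04,Unknown,1.0-1,1.0-2,No
202,batch-7,CVE-0000-0004,Critical,Active,0,otherpkg,ubuntu:18.04,Active,0.9,,No
303,db-2,CVE-0000-0005,Medium,Active,1,midpkg,ubuntu:18.04,Active,3.0,3.1,Yes
303,db-2,CVE-0000-0002,High,Exception,1,exampled,ubuntu:18.04,Active,2.3,2.4,Yes
"""
# Stands in for the downloaded .csv.gz file.
SAMPLE_GZ = gzip.compress(SAMPLE_CSV.encode("utf-8"))


def read_detailed_csv(gz_bytes):
    """Yield rows (as dicts) from a gzip-compressed Detailed CSV; plain gzip, not tar."""
    with gzip.open(io.BytesIO(gz_bytes), mode="rt", encoding="utf-8", newline="") as fh:
        yield from csv.DictReader(fh)


def triage(rows, max_rank=2):
    """Return hosts with open, fixable findings at or above max_rank, most urgent first."""
    hosts = {}
    for row in rows:
        if row["VULN_ID"] == NO_VULN_MARKER:
            continue  # package is listed but has no vulnerability
        if row["STATUS"] not in OPEN_STATUSES:
            continue  # already fixed, or covered by an exception / inactive kernel
        if row["FIX_AVAILABLE"].strip() != "1":
            continue  # nothing to install yet
        rank = SEVERITY_RANK.get(row["SEVERITY"])
        if rank is None or rank > max_rank:
            continue
        host = hosts.setdefault(row["MID"], {
            "mid": row["MID"],
            "hostname": row["HOSTNAME"],
            "internet_exposed": False,
            "findings": {},
        })
        host["internet_exposed"] |= row["INTERNET_EXPOSURE"] == EXPOSED
        # Defensive de-duplication in case the same finding appears in several rows.
        key = (row["VULN_ID"], row["PACKAGE_NAME"], row["PACKAGE_NAMESPACE"])
        host["findings"].setdefault(key, {
            "vuln_id": row["VULN_ID"],
            "rank": rank,
            "package": row["PACKAGE_NAME"],
            "installed": row["VERSION_INSTALLED"],
            "fixed_version": row["FIXED_VERSION"],
            "package_active": row["PACKAGE_ACTIVE"],
        })

    result = []
    for host in hosts.values():
        # Only an explicit "Inactive" lowers priority: "Unknown" and "N/A" mean the
        # agent had no evidence either way, not that the package is unused.
        findings = sorted(host["findings"].values(),
                          key=lambda f: (f["rank"], f["package_active"] == "Inactive"))
        active = sum(f["package_active"] == "Active" for f in findings)
        result.append({**host, "findings": findings, "active_count": active})
    # Internet-exposed hosts first, then hosts with more findings on active packages.
    result.sort(key=lambda h: (not h["internet_exposed"], -h["active_count"],
                               -len(h["findings"]), h["hostname"]))
    return result


if __name__ == "__main__":
    for host in triage(read_detailed_csv(SAMPLE_GZ)):
        print(host["hostname"], "exposed" if host["internet_exposed"] else "internal")
        for f in host["findings"]:
            print("  ", f["vuln_id"], f["package"], f["installed"], "->",
                  f["fixed_version"], f"[{f['package_active']}]")
```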

Host, AMI ID, Account, and Zone Tab View

In the Host, AMI ID, Account, and Zone tabs, the list displays the following information:

  • Hostname

    • The Windows Server Update Services is disabled on the host icon next to a Windows Server hostname indicates that Windows Server Update Services is disabled on the host. Lacework recommends enabling Windows Server Update Services to ensure that the latest product and security updates are automatically installed.
    • The Host is running Windows Server 2012 R2 version older than April 2016 icon next to a Windows Server hostname indicates that the host is running a Windows Server 2012 R2 version older than April 2016. Lacework does not support vulnerability detection on Windows Server 2012 R2 versions older than April 2016. Hence, you must upgrade the OS to ensure accurate vulnerability detection.
  • Uptime

    • The Reboot required icon indicates that you must reboot the Windows Server host to ensure that all patches are installed correctly.
  • Host Risk

  • Chart displaying the number of vulnerabilities found on the host.

    • Failure displays if the assessment failed. Potential reasons for failure include the following: host is unavailable, package data not found. For the reasons why package data may not be found, see Package Data Not Found.
    • Unsupported displays if the host is running an unsupported operating system.
  • Number of vulnerabilities

Info: The Monitored by CAA label is applied when active package detection is enabled on the Lacework Agent running on the host, and the agent detected some package activity on the host within the last 24 hours.

Host Assessment Drawer

Click a hostname to display its risk assessment where you can see an expandable view of host details and any vulnerabilities in the CVE tab (click the < icon to expand this view to full screen).

  • The Windows Server Update Services is disabled on the host icon indicates that Windows Server Update Services is disabled on the host. Lacework recommends enabling Windows Server Update Services to ensure that the latest product and security updates are automatically installed.
  • The Host is running Windows Server 2012 R2 version older than April 2016 icon indicates that the host is running a Windows Server 2012 R2 version older than April 2016. Lacework does not support vulnerability detection on Windows Server 2012 R2 versions older than April 2016. Hence, you must upgrade the OS to ensure accurate vulnerability detection.
  • The Reboot required icon next to a Windows Server hostname indicates that you must reboot the host to ensure that all patches are installed correctly.

Host Assessment - Details

The Details tab contains descriptive information about the host. Click on any of the tags to filter the vulnerabilities list with that tag.

Host Assessment - CVE (default)

The CVE tab displays a list of vulnerabilities for the host with additional information in columns. This table lets you refresh data, download a report in CSV or PDF format, select which columns to display, filter, and search.

Click the filter icon to view the active filters on the table.

You can search for, add, and remove filters to adjust the list of vulnerabilities displayed in the table.

  • For Linux hosts, the CVE tab displays the following columns:

    | Column | Description |
    | --- | --- |
    | Vulnerabilities | Displays the common vulnerabilities and exposures (CVE) code assigned to this vulnerability by the CVE Numbering Authority. Click the More Info icon to view additional details about the CVE. If there is a CVSS v3 score available for the vulnerability, information derived from CVSS Metrics will also be displayed (such as Attack Vector, Access Complexity, etc). Click the Vulnerability ID in the column or in the More Info window to open an external link to the tracker page for the vulnerability (if one is available). |
    | Severity | Displays the CVE’s severity ranking, which is assigned by the vendor or computed from CVSS v3 or CVSS v2 scores (in that order of precedence). |
    | CVSS score | Displays the CVSS (Common Vulnerability Scoring System) severity rankings score for the vulnerability. Hover over the score for the CVSS version. For both CVSS v3 and CVSS v2, the severity ranking is a scale from 0 - 10, where 10 is the highest severity. Defaults to CVSS v3 scores or CVSS v2 if v3 scores are not available. |
    | Vulnerability impact | Displays the Lacework risk score for the vulnerability. |
    | Package name | Displays the operating system package or language package that the vulnerability was found in. Click the package name to reload and filter the vulnerability list for this package. |
    | Package namespace | Displays the namespace of the vulnerable package. |
    | Current version | Displays the current version of the package found on the host. |
    | Fix version/Article | Displays the version of the package where the issue is fixed. |
    | Package status | Displays active if there was an active process linked to this package. Only Agent assessments can determine whether a package is active or not. Agentless assessments will mark all packages as inactive. |
    | Kernel status | Displays Active if the vulnerability was found on a running kernel. See Kernel Status for other possible values. |
    | File path (hidden by default) | If applicable, displays the filesystem path to the vulnerable package source. |
    | First seen | The first time the vulnerability was found on this machine (MID) with the specific package name and version. |
    | Last status update | Displays the last time the Vulnerability status was updated. |
    | Time to resolve (hidden by default) | Displays how long it took for the vulnerability to be fixed. This is the time between when the vulnerability was First Seen and the Last Status Update. |
    | Vulnerability status (hidden by default) | Displays the status of the vulnerability. The status can be one of the following: New - Vulnerability was detected for the first time during the last assessment. Active - Vulnerability was detected in consecutive assessments. Reopened - Vulnerability was fixed, but has been detected again. Fixed - Vulnerability was not detected in consecutive assessments. Exception - A vulnerability exception has been applied to this vulnerability, or the vulnerability was found on an inactive kernel. |

  • For Windows Server hosts, the CVE tab displays the following columns:

    Column | Description
    Vulnerabilities | Displays the common vulnerabilities and exposures (CVE) code assigned to this vulnerability by the CVE Numbering Authority. Click the More Info icon to view additional details about the CVE. If there is a CVSS v3 score available for the vulnerability, information derived from CVSS Metrics will also be displayed (such as Attack Vector, Access Complexity, etc.). In the More Info window, click the vulnerability ID to open an external link to the tracker page for the vulnerability (if one is available).
    Severity | Displays the CVE's severity ranking, which is assigned by the vendor or computed from CVSS v3 or CVSS v2 scores (in that order of precedence).
    CVSS Score | Displays the CVSS (Common Vulnerability Scoring System) severity rankings score for the vulnerability. Hover over the score for the CVSS version. For both CVSS v3 and CVSS v2, the severity ranking is a scale from 0 to 10, where 10 is the highest severity. Defaults to CVSS v3 scores or CVSS v2 if v3 scores are not available.
    Vulnerability impact | Displays the Lacework risk score for the vulnerability.
    Package Name | Displays the operating system package or language package that the vulnerability was found in. If the vulnerability was found in more than one package, click the dropdown next to the Vulnerabilities column to view the individual rows for each package affected.
    Package Namespace | The namespace of the vulnerable package.
    Current Version | Displays the current version of the package found on the host.
    Fix Version | Displays the version of the package where the issue is fixed.
    Package status | Displays active if there was an active process linked to this package. Only Agent assessments with active package detection enabled can determine whether a package is active or not.
    Kernel Status | Displays Active if the vulnerability was found on a running kernel. See Kernel Status for other possible values.
    Exploit available | Whether there is a public exploit available for the vulnerability.
    File Path (hidden by default) | If applicable, displays the filesystem path to the vulnerable package source.
    First Seen | The first time the vulnerability was found on this machine (MID) with the specific package name and version.
    Last Status Update | Displays the last time the Vulnerability Status was updated.
    Age of public exploit | The age of the public exploit (if it is known).
    Time to Resolve (hidden by default) | Displays how long it took for the vulnerability to be fixed. This is the time between when the vulnerability was First Seen and the Last Status Update.
    Vulnerability Status (hidden by default) | Displays the status of the vulnerability. The status can be one of the following:
      • New - Vulnerability was detected for the first time during the last assessment.
      • Active - Vulnerability was detected in consecutive assessments.
      • Reopened - Vulnerability was fixed, but has been detected again.
      • Fixed - Vulnerability was not detected in consecutive assessments.
      • Exception - A vulnerability exception has been applied to this vulnerability, or the vulnerability was found on an inactive kernel.

Host Assessment - Packages (For Linux Hosts Only)

The Packages tab displays a list of vulnerable packages found on the host with additional information in columns. This table lets you refresh data, download CSV/PDF, add/remove columns, filter, and search.

Click the filter icon to view the active filters on the table. You can search for, add, and remove filters to adjust the list of packages displayed in the table.

The available columns in the Packages tab are listed below:

Column | Description
Packages | Displays the vulnerable operating system package or language package that was found on the host.
Package namespace | Displays the vulnerable package namespace that was found on the host.
Risk Score | Displays the Lacework risk score for the vulnerable package. This score indicates the general risk to the user's environment, not the direct risk to the host itself.
Package status | Displays active if there was an active process linked to this package. Only Agent assessments with active package detection enabled can determine whether a package is active or not.
Fixable Status | Displays whether the package is fixable or not (whether there is a new or patched version of the package available).
CVE | Displays the common vulnerabilities and exposures (CVE) code assigned to this vulnerability by the CVE Numbering Authority. If more than one vulnerability was found in the package, click the dropdown next to the Vulnerabilities column to view the individual rows for each vulnerability found.
Vulnerability Status | Displays the status of the vulnerability. The status can be one of the following:
  • New - Vulnerability was detected for the first time during the last assessment.
  • Active - Vulnerability was detected in consecutive assessments.
  • Reopened - Vulnerability was fixed, but has been detected again.
  • Fixed - Vulnerability was not detected in consecutive assessments.
  • Exception - A vulnerability exception has been applied to this vulnerability.
Severity | Displays the CVE's severity ranking, which is assigned by the vendor or computed from CVSS v3 or CVSS v2 scores (in that order of precedence).
CVSS Score | Displays the CVSS (Common Vulnerability Scoring System) severity rankings score for the vulnerability. Hover over the score for the CVSS version. For both CVSS v3 and CVSS v2, the severity ranking is a scale from 0 to 10, where 10 is the highest severity. Defaults to CVSS v3 scores or CVSS v2 if v3 scores are not available.
Current Version | Displays the current version of the package found on the host.
Fix Version | Displays the version of the package where the issue is fixed (when a patch is available).
File Path | If applicable, displays the file system path to the vulnerable package source.

Host Assessment - Applications (For Windows Server Hosts Only)

The Applications tab displays a list of vulnerable Windows applications found on the host. This table lets you refresh data, download CSV/PDF, add/remove columns, filter, and search.

Click the filter icon to view the active filters on the table. You can search for, add, and remove filters to adjust the list of applications displayed in the table.

note

If there is more than one vulnerability found on an application or operating system, use the dropdown icon to view each vulnerability found on that application or operating system.

The available columns in the Applications tab are listed below:

Column | Description
Applications | Displays the vulnerable Windows OS or application that was found on the host.
Fixable status | Displays whether the vulnerability is fixable or not (whether there is a new application version or Microsoft KB article available to fix the vulnerability).
CVE | Displays the common vulnerabilities and exposures (CVE) code assigned to this vulnerability by the CVE Numbering Authority.
Vulnerability status | Displays the status of the vulnerability. The status can be one of the following:
  • New - Vulnerability was detected for the first time during the last assessment.
  • Active - Vulnerability was detected in consecutive assessments.
  • Reopened - Vulnerability was fixed, but has been detected again.
  • Fixed - Vulnerability was not detected in consecutive assessments.
  • Exception - A vulnerability exception has been applied to this vulnerability.
Severity | Displays the CVE's severity ranking, which is assigned by the vendor or computed from CVSS v3 or CVSS v2 scores (in that order of precedence).
CVSS score | Displays the CVSS (Common Vulnerability Scoring System) severity rankings score for the vulnerability. Hover over the score for the CVSS version. For both CVSS v3 and CVSS v2, the severity ranking is a scale from 0 to 10, where 10 is the highest severity. Defaults to CVSS v3 scores or CVSS v2 if v3 scores are not available.
Current version | Displays the current application version or Microsoft KB article found on the host that has the vulnerability.
Fix version/Article | Displays the application version or KB article you can install to fix the vulnerability (when a patch is available).
Release date | Displays the release date of the KB article you can install to fix the vulnerability.
File path | If applicable, displays the file system path to the vulnerable application.

CVE, Package Name, and Package Namespace Tab View

In the CVE, Package Name, Package Namespace, and Application (Windows) tabs, the list displays the following information:

CVE Assessment Drawer

Click a vulnerability ID to display its risk assessment where you can see an expandable view of vulnerability details and affected or unaffected hosts (click the < icon to expand this view to full screen).

If there is a CVSS v3 score available for the vulnerability, additional information will be displayed that is derived from CVSS Metrics (such as Attack Vector, Access Complexity, etc).

CVE Assessment - Details

The Details tab contains descriptive information about the vulnerability. Click on any of the tags to filter the vulnerabilities list with that tag.

CVE Assessment - Hosts

The Hosts tab displays a list of hosts where the vulnerability was found with additional information in columns. This table lets you refresh data, download as a CSV/PDF, select which columns to display, filter, and search.

The available columns in the Hosts tab are listed below:

Column | Description
MACHINE ID (hidden by default) | Displays the Machine ID for the host.
Host | Displays the hostname for the machine.
Uptime | Displays the uptime for the machine.
Host Status | Displays the most recent agent status, either Online or Offline, based on the last hour's agent heartbeat. Online means the Lacework agent sent a heartbeat in the last hour. Offline means the Lacework agent did not send a heartbeat in the last hour.
Host Risk | Displays the Lacework risk score for the host. A higher score indicates more risk/impact from discovered vulnerabilities.
Vulnerability Status | Displays the status of the vulnerability. The status can be one of the following:
  • New - Vulnerability was detected for the first time during the last assessment.
  • Active - Vulnerability was detected in consecutive assessments.
  • Reopened - Vulnerability was fixed, but has been detected again.
  • Fixed - Vulnerability was not detected in consecutive assessments.
  • Exception - A vulnerability exception has been applied to this vulnerability.
Coverage type | The Coverage type used to perform the assessment.

Package Data Not Found

Package data not found occurs under two circumstances:

  • Package collection was intentionally disabled
  • Package collection did not occur due to timing

If package collection was not disabled, then timing prevented package collection.

Scans do not occur on the host. An enumeration of packages is sent as a manifest to Lacework and any scanning activity occurs in the Lacework backend based on that host's manifest.

Package collection on a host does not occur immediately after the agent is installed. Package collection is delayed to limit the impact on host resources (CPU, Memory) and occurs after the core HIDS functionality is started. If the host shuts down after it registers with Lacework but before it transports package data, the package data will not be found.

You can use the /scan endpoint to supply a manifest (os, os_ver, package name, package version) and get a response. You can do this 20 times an hour for up to 1k packages each time. This action does not directly result in an assessment in the Lacework Console, but it does help to get an assessment.
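
One way to prepare a manifest for the /scan endpoint within the limits stated above, as an added example that is not Lacework code. The dictionary keys, the dpkg-query input format, and the sample package data are assumptions; the sketch only builds and batches the manifest and sends nothing.

```python
"""Build a package manifest and plan /scan calls inside the documented limits."""

MAX_PACKAGES_PER_CALL = 1000   # "up to 1k packages each time" (from the page)
MAX_CALLS_PER_HOUR = 20        # "20 times an hour" (from the page)

# Constructed sample, in the shape produced by:
#   dpkg-query -W -f='${Package}\t${Version}\t${db:Status-Abbrev}\n'
SAMPLE_DPKG = (
    "openssl\t1.1.1f-1ubuntu2.20\tii \n"
    "bash\t5.0-6ubuntu1.2\tii \n"
    "old-lib\t0.9\trc \n"                  # removed, only config files remain
    "openssl\t1.1.1f-1ubuntu2.20\tii \n"   # duplicate row
)

def parse_dpkg(text, os_name, os_ver):
    """Turn dpkg-query rows into de-duplicated manifest entries.

    The keys (os, os_ver, pkg, pkg_ver) are placeholders for the four fields
    the page lists; take the real request schema from the API reference.
    """
    seen, entries = set(), []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[2].startswith("ii"):
            continue  # skip malformed rows and packages that are not installed
        name, version = parts[0].strip(), parts[1].strip()
        if not name or not version or (name, version) in seen:
            continue
        seen.add((name, version))
        entries.append({"os": os_name, "os_ver": os_ver,
                        "pkg": name, "pkg_ver": version})
    return entries

def plan_submissions(entries):
    """Return a list of hours; each hour is a list of request-sized batches."""
    batches = [entries[i:i + MAX_PACKAGES_PER_CALL]
               for i in range(0, len(entries), MAX_PACKAGES_PER_CALL)]
    return [batches[i:i + MAX_CALLS_PER_HOUR]
            for i in range(0, len(batches), MAX_CALLS_PER_HOUR)]

if __name__ == "__main__":
    manifest = parse_dpkg(SAMPLE_DPKG, "Ubuntu", "20.04")
    for hour, batches in enumerate(plan_submissions(manifest)):
        total = sum(len(b) for b in batches)
        print(f"hour {hour}: {len(batches)} request(s), {total} package(s)")
```

Dropping rows that are not in the installed state keeps packages that are no longer on the host out of the manifest, so they are not assessed as if they were still present.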