Exposure Polygraph

Overview

The Exposure Polygraph adds a layer of risk context to an investigation. Each instance or container image can have an Exposure Polygraph that visually traces the path from the internet to the asset. The Exposure Polygraph also shows the risks on that asset, such as known vulnerabilities, compliance violations, internet exposure, and discovered secrets. Lacework bundles this information into a single view so that responders can act quickly with full context.

View Exposure Polygraphs in Alerts

Alerts that have assets exposed to the internet have an Exposure Polygraph. The Exposure tab displays details about reachability, critical vulnerabilities, exposed secrets, misconfigurations, and more.

  1. Select Alerts.
  2. If the Internet Exposure filter is not visible, click Show more to display additional filters.
  3. For the Internet Exposure filter, select Yes, and click Show results.
    The results now show only alerts associated with instances or container images that are exposed to the internet.
  4. Click the desired alert and then the Exposure tab.

Internet Exposure Filter Definitions

  • Internet exposure = yes: Lacework found this asset in resource management and found a path to it from the internet.
  • Internet exposure = no: Lacework found this asset in resource management but didn't find a path to it from the internet.
  • Internet exposure = unknown: Lacework didn't find this asset in resource management.

See Datasource Metadata for resource management information.

When there isn't an Exposure Polygraph because Internet exposure = no or unknown, but the asset is part of an attack path, click View attack path to go to the Path investigation page.

EC2 Instance

This section provides tabs with the following contextualized information.

  • Machine details - Separate tables for machine properties (hostname, IP address, and any associated vulnerabilities) and machine tag summary (tag name, tag value)
  • Vulnerabilities - CVEs, severity, CVSS score, vulnerability impact score, and package name
  • Secrets - Secret type (can be SSH key, API key, or password), identifier, file path, and number of connected resources
  • Compliance violations - Failed policy, ID, status, and severity
  • Users - Separate tables for user login activity, user authentication summary, and bad (failed) logins

Secrets Detection

Secrets detection is available only when agentless workload scanning (AWLS) integration is enabled.

Lacework logs details about each secret credential it finds, together with the metadata of the file that holds it. A file is flagged as containing a secret when its content matches a known format for that credential type (the format depends on the type of credential, for example the header of a PEM-encoded private key). The value of the secret itself is never logged. For the types of credential detected and example filesystem locations, see Attack Path Secrets Detection.
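The following is an added example (not Lacework's code, and not its real rule set) of what format-based secret detection that never records the secret value looks like in practice. The three patterns, the fingerprint scheme, the SecretFinding fields, and the in-memory sample files are all assumptions made for this illustration; the sample file contents are constructed and the AWS key shown is the documented placeholder value, not a real credential.

```python
import hashlib
import re
from dataclasses import dataclass

# Assumed format rules for three credential types (SSH key, API key, password),
# mirroring the secret types listed on this page. A real scanner has many more.
SECRET_PATTERNS = {
    "ssh_key": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
        r"[\s\S]*?-----END (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
    # AWS access key ID shape: AKIA/ASIA followed by 16 uppercase alphanumerics.
    "api_key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # "password = value" / "PASSWD: value" at the start of a line.
    "password": re.compile(r"(?im)^\s*(?:password|passwd|pwd)\s*[=:]\s*\S+"),
}


@dataclass(frozen=True)
class SecretFinding:
    secret_type: str
    file_path: str
    identifier: str  # truncated SHA-256 of the match; the credential itself is never stored


def fingerprint(matched: str) -> str:
    """Stable identifier for a secret that does not reveal its value."""
    return hashlib.sha256(matched.encode("utf-8")).hexdigest()[:12]


def scan_file(path: str, content: str) -> list[SecretFinding]:
    """Return one finding per format match in a single file."""
    findings = []
    for secret_type, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(content):
            findings.append(SecretFinding(secret_type, path, fingerprint(match.group(0))))
    return findings


def scan_files(files: dict[str, str]) -> list[SecretFinding]:
    """files maps path -> content; an in-memory stand-in for a disk snapshot."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_file(path, content))
    return findings


def summarize(findings: list[SecretFinding]) -> list[tuple[str, str, str]]:
    """Rows in the shape of the Secrets tab: type, identifier, file path."""
    return [(f.secret_type, f.identifier, f.file_path) for f in findings]


# Constructed sample files; the key body and password are placeholders.
SAMPLE_FILES = {
    "/home/deploy/.ssh/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAAAAAAAAAAAAAA\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "/app/.env": (
        "DB_HOST=db.internal\n"
        "PASSWORD=hunter2\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    ),
    "/etc/motd": "Welcome to the build host.\n",
}

if __name__ == "__main__":
    for row in summarize(scan_files(SAMPLE_FILES)):
        print(*row, sep="\t")
```

The identifier lets a responder tell two findings apart (and recognise the same key copied to several hosts) without the log ever containing the key material; if you extend the patterns, keep capturing only what is needed to fingerprint, not surrounding configuration.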

Security Group

This section provides contextualized information about the security group's configuration and the related CloudTrail logs. It shows the full security group so that the exposed services can be read in context. Separate tables for inbound and outbound rules list each rule's type, protocol, port range, source, and description.
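As an added example (not Lacework's reachability engine), the block below shows how the inbound rule fields listed above can be read to decide which listening ports a security group admits from the internet. The rule and port data are constructed; the InboundRule fields, the scope labels, and the "hardened" variant that narrows SSH to a single bastion address (203.0.113.10, a documentation address) are assumptions for this illustration. It evaluates the security group layer only; a real path analysis also has to consider whether the instance has a public address, its route table, and network ACLs, none of which are modelled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# RFC 1918 and IPv6 ULA ranges; a rule whose source lies inside these is not internet-facing.
PRIVATE_RANGES = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


@dataclass(frozen=True)
class InboundRule:
    rule_type: str    # e.g. "SSH", "HTTPS", "Custom TCP", "All traffic"
    protocol: str     # "tcp", "udp", or "-1" for all protocols
    from_port: int    # -1 together with protocol "-1" means every port
    to_port: int
    source: str       # CIDR, or a security-group reference such as "sg-..."
    description: str = ""


def source_scope(source: str) -> Optional[str]:
    """'any' for 0.0.0.0/0 or ::/0, 'restricted' for a narrower public range,
    None for private ranges and security-group / prefix-list references."""
    if source.startswith(("sg-", "pl-")):
        return None
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return None
    if net.prefixlen == 0:
        return "any"
    if any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_RANGES):
        return None
    return "restricted"


def rule_covers_port(rule: InboundRule, port: int, proto: str) -> bool:
    """True if the rule's protocol and port range admit traffic to (port, proto)."""
    if rule.protocol == "-1":
        return True
    if rule.protocol != proto:
        return False
    return rule.from_port <= port <= rule.to_port


def internet_exposed_ports(rules, listening):
    """For each (port, proto) the host listens on, report the broadest internet-facing
    rule that reaches it as (port, proto, scope, source). Ports with no such rule are omitted."""
    exposed = []
    for port, proto in listening:
        best = None
        for rule in rules:
            scope = source_scope(rule.source)
            if scope is None or not rule_covers_port(rule, port, proto):
                continue
            if best is None or (scope == "any" and best[0] != "any"):
                best = (scope, rule.source)
        if best is not None:
            exposed.append((port, proto, best[0], best[1]))
    return exposed


# Constructed sample data: a typical web/app host and what it listens on.
SAMPLE_RULES = [
    InboundRule("SSH", "tcp", 22, 22, "0.0.0.0/0", "ops access"),
    InboundRule("HTTPS", "tcp", 443, 443, "0.0.0.0/0", "public web"),
    InboundRule("Custom TCP", "tcp", 5432, 5432, "sg-0123456789abcdef0", "app tier to db"),
    InboundRule("All traffic", "-1", -1, -1, "10.0.0.0/8", "intra-VPC"),
]
HARDENED_RULES = [InboundRule("SSH", "tcp", 22, 22, "203.0.113.10/32", "bastion only")] + SAMPLE_RULES[1:]
LISTENING = [(22, "tcp"), (443, "tcp"), (5432, "tcp"), (8080, "tcp")]

if __name__ == "__main__":
    for row in internet_exposed_ports(SAMPLE_RULES, LISTENING):
        print("exposed:", row)
```

With the sample rules only 22 and 443 are reachable from anywhere; 5432 is admitted solely from another security group and 8080 has no rule at all. The hardened rule set keeps 443 open to the world but reports 22 as restricted to one source, which is the distinction a responder wants when deciding whether an SSH finding is urgent.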

Load Balancer

This section provides contextualized information related to load balancer configuration and CloudTrail logs.