The Networks dossier displays information about network connections, open ports, and DNS lookups.
To navigate to the Networks Workload dossier in the Lacework Console, click Workload > Networks. See Workload Dossier Navigation and Filters for information about filtering dossier data.
By default, this dossier displays all hosts and their associated information for the current day, beginning at midnight.
These charts aggregate data for machines and network traffic. Available charts display unique machines and users, total connections, etc.
The timeline displays events that match the date/time filter and any specified optional parameter filters set at the top of the page.
Polygraphs display network connections. Available Polygraphs include Application Communication, Machine Communication, Machine DNS Lookup, and Insider Behavior.
This table displays the number of successful and failed lookups for each domain name.
Active Listening Ports
This table displays the number of machines and applications for each listening port number.
This table displays machine properties such as name and IP address.
This table displays user properties such as UID, groups, home directory, etc.
Server Ports with no Connection
This table displays open/listening ports without any active connections. This information can alert you to potentially unwanted open ports, or it could just indicate low usage. Note that any blocks, whether host-level (firewalld, iptables) or a security group/ACL/NACL, are not reflected; this is strictly a list of open ports on the server. Both IPv4 and IPv6 are displayed, if supported by the OS. Also note that the listening interface is listed; in many cases, only the loopback is listening.
List of Listening Servers
This table displays servers with open ports on an interface other than the loopback.
List of External Facing Server Machines
This table displays servers that have an interface with a non-RFC1918 address. The open port/protocol is displayed as well.
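The distinctions these three tables draw (loopback-only listeners, listeners on a non-loopback interface, and listeners on a host that has a non-RFC1918 address) can be reproduced on a single host for cross-checking. The following is an added example, not Lacework code: it classifies constructed `ss -H -tuln` rows, and the bucket names, the sample addresses, and the treatment of IPv6 ULA space as private are assumptions. Like the tables, it reflects socket state only, not firewall or security group rules.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")  # assumption: treated as the IPv6 "private" range

# Constructed sample in `ss -H -tuln` column order (not real host data).
SS_OUTPUT = """\
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 10.0.1.15:8080 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
tcp LISTEN 0 128 [::1]:631 [::]:*
"""
# Constructed interface addresses; 203.0.113.10 stands in for a public address.
IFACE_ADDRS = [ipaddress.ip_address(a)
               for a in ("127.0.0.1", "10.0.1.15", "203.0.113.10")]

def is_external(ip):
    """True if ip is not loopback, link-local, unspecified, RFC1918 or ULA."""
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return False
    if ip.version == 4:
        return not any(ip in net for net in RFC1918)
    return ip not in ULA

def parse_listener(line):
    """Parse one row into (proto, ip, port) from the Local Address:Port column."""
    fields = line.split()
    host, _, port = fields[4].rpartition(":")
    host = host.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
    if host == "*":                        # wildcard bind shown as *
        host = "::"
    return fields[0], ipaddress.ip_address(host), int(port)

def classify(line, iface_addrs):
    """Return (proto, port, bind address, bucket) for one listening socket."""
    proto, ip, port = parse_listener(line)
    if ip.is_loopback:
        bucket = "loopback-only"
    elif ip.is_unspecified:
        # Wildcard bind: exposed on every interface address of that family.
        peers = [a for a in iface_addrs if a.version == ip.version]
        bucket = "external-facing" if any(map(is_external, peers)) else "non-loopback"
    else:
        bucket = "external-facing" if is_external(ip) else "non-loopback"
    return proto, port, str(ip), bucket

def report(ss_text=SS_OUTPUT, iface_addrs=IFACE_ADDRS):
    return [classify(l, iface_addrs) for l in ss_text.splitlines() if l.strip()]
```

A wildcard bind such as `0.0.0.0:443` is only as exposed as the host's interfaces, which is why the interface address list is passed in alongside the socket rows.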
Client Machines Making External Connections
This table displays a list of hosts with connections to “remote” hosts.
TCP - Client Machines Making External Connections and UDP - Client Machines Making External Connections
These tables display detailed connection information. Details include both ends of the connection, number of connections, and amount of data transferred in both directions. If a connection is made to a known bad IP/domain, an appropriate Threat Tag is displayed as well.
External UDP Connections
This table displays detailed connection information for external UDP connections. Details include the number of connections and the amount of data transferred in both directions.
IP Address Summary
This table provides a breakdown of information about all observed connections, using various whois-type information to display the geographic distribution of connections and perceived risk.
This table displays a synopsis of lookups done by hosts. Unexpected domain lookups could require further investigation.
Resolved IP Information
This table displays information about the DNS resolvers used and the results. Unexpected resolvers or remote hosts might warrant more investigation.