The Lacework polygraph detects anomalies, generates appropriate alerts, and provides a tool for users to investigate and triage issues.
Use the polygraph to:
- Monitor your infrastructure.
- Spot IaaS account configurations that violate compliance.
- See security gaps and changes that could put your company at risk.
The polygraph technology dynamically builds a behavioral model of your services and infrastructure. The model understands natural hierarchies, including processes, containers, pods, and machines, and the polygraph monitors activity against that model in search of behavior that falls outside its parameters. In addition, the polygraph continually updates its models to:
- Pinpoint exactly how a file changes.
- Investigate anomalous events and activities related to FIM signals.
- Provide cloud-wide capabilities for search, file type summaries, and detection of new files.
View the Polygraph
In the Lacework Console, go to Resources > Cloud and select a cloud trail (for example: AWS CloudTrail).
Scroll down to view the Lacework polygraph.
If the number of clustered nodes is greater than 3000, then the polygraph does not appear. Instead, the following message appears:
Add filters at the top of the page to view the polygraph.
To view the polygraph, add filters in the filter field at the top of the page.
Example - AWS CloudTrail
This example shows how to add a filter in the AWS CloudTrail page. You can also add filters in the Azure Activity Log page and the GCP Audit Trail page.
- Go to Resources > Cloud > AWS CloudTrail.
- At the top of the page, click the field to add filters.
You can filter using API, Caller Account, Event ID, Principal ID, Region, Service, Source IP, or User.
To filter by API, scroll down to the CloudTrail Logs section; the API column shows the values you can use to build your filter.
For example, select the API filter and enter API includes AssumedRole to display the polygraph that matches this filter.
To filter by User, scroll down to the CloudTrail Logs section; the UserName column shows the values you can use to build your filter.
For example, select the User filter and enter User includes AWSService to display the polygraph that matches this filter.
If the clustered node count is still greater than 3000 after you apply filters, the following message appears:
Too much data to load the polygraph. Try changing the filters at the top of the page.
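The following script is an added illustration, not Lacework code, of how the filter fields listed above narrow a set of CloudTrail records and how the 3000-node limit decides which of the two messages a user sees. It assumes that "includes" means a plain substring match, that each filter field maps to the standard CloudTrail JSON field named in FIELD_PATHS, and that a polygraph node is one distinct user or one distinct API (Lacework's real clustering is not documented here). The CloudTrail records are constructed, and the filter values are chosen to match them.

```python
"""Added example (not Lacework's code): apply "<field> includes <value>"
filters to constructed CloudTrail records and check the node limit."""
import json

# Messages shown by the console, quoted from the documentation above.
ADD_FILTERS_MSG = "Add filters at the top of the page to view the polygraph."
TOO_MUCH_DATA_MSG = ("Too much data to load the polygraph. "
                     "Try changing the filters at the top of the page.")
MAX_NODES = 3000

# Assumed mapping from the console's filter fields to CloudTrail JSON paths.
# "User" is handled separately because its source field varies by identity type.
FIELD_PATHS = {
    "API": ("eventName",),
    "Caller Account": ("userIdentity", "accountId"),
    "Event ID": ("eventID",),
    "Principal ID": ("userIdentity", "principalId"),
    "Region": ("awsRegion",),
    "Service": ("eventSource",),
    "Source IP": ("sourceIPAddress",),
}

# Constructed sample records (not real account data).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventID": "e1", "eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE1",
                      "accountId": "111111111111", "userName": "alice"}},
    {"eventID": "e2", "eventName": "AssumeRoleWithSAML", "eventSource": "sts.amazonaws.com",
     "awsRegion": "us-west-2", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE2",
                      "accountId": "111111111111", "userName": "bob"}},
    {"eventID": "e3", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "us-west-2", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:bob",
                      "accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/AdminRole/bob"}},
    {"eventID": "e4", "eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "awsRegion": "us-east-1", "sourceIPAddress": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "cloudtrail.amazonaws.com"}},
    {"eventID": "e5", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE1",
                      "accountId": "111111111111", "userName": "alice"}},
]})


def load_events(cloudtrail_json):
    """Parse a CloudTrail log file body into its list of records."""
    return json.loads(cloudtrail_json).get("Records", [])


def user_name(event):
    """Assumed 'User' column: IAM user name, else the role ARN, else the identity type."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type") or ""


def field_value(event, field):
    """Return the string value a filter field refers to, or '' if absent."""
    if field == "User":
        return user_name(event)
    if field not in FIELD_PATHS:
        raise ValueError(f"unknown filter field {field!r}; expected one of "
                         f"{sorted(FIELD_PATHS) + ['User']}")
    value = event
    for key in FIELD_PATHS[field]:
        if not isinstance(value, dict):
            return ""
        value = value.get(key)
    return value if isinstance(value, str) else ""


def apply_filters(events, filters):
    """Keep events matching every (field, needle) pair; 'includes' = substring (assumed)."""
    return [e for e in events
            if all(needle in field_value(e, field) for field, needle in filters)]


def polygraph_nodes(events):
    """Assumed node model: one node per distinct user plus one per distinct API."""
    users = {("user", user_name(e)) for e in events}
    apis = {("api", field_value(e, "API")) for e in events}
    return users | apis


def polygraph_status(events, filters, max_nodes=MAX_NODES):
    """Return ('render', n) or (message, n) following the console's two messages."""
    node_count = len(polygraph_nodes(apply_filters(events, filters)))
    if node_count <= max_nodes:
        return "render", node_count
    return (TOO_MUCH_DATA_MSG if filters else ADD_FILTERS_MSG), node_count


if __name__ == "__main__":
    evts = load_events(SAMPLE_CLOUDTRAIL)
    for filt in ([], [("API", "AssumeRole")], [("User", "AWSService")]):
        print(filt, "->", polygraph_status(evts, filt, max_nodes=3))
```

Combining filters narrows the graph the same way stacking filters in the console does; the max_nodes argument is exposed only so the threshold behavior can be exercised on a small constructed data set.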