Understanding Findings
Findings are the evaluation results produced when AttackLens evaluates a policy's rulesets against your assets. Each finding represents the outcome of a specific security check on a specific asset.
What Is a Finding?
A finding is a record that tracks whether a particular asset satisfies a particular ruleset check. Findings are created automatically when policies are evaluated and are updated each time a new evaluation occurs.
For example, when AttackLens evaluates the ruleset "Ensure SSH root login is disabled" against a Linux server, it creates a finding that records whether the server passed or failed that check.
Finding Lifecycle
Findings follow this lifecycle:
- Created: A finding is created the first time a ruleset is evaluated against an asset
- Updated: Each subsequent evaluation updates the finding with the latest result
- History preserved: Every evaluation is recorded in the finding's evaluation history
INFO
Findings are never automatically deleted. Even if a policy is deactivated or a ruleset is removed, existing findings remain in the system for audit trail purposes.
Finding Properties
Each finding contains the following information:
| Property | Description |
|---|---|
| Asset | The asset this finding applies to (links to the asset detail page) |
| Policy | The policy that contains the evaluated ruleset (links to the policy detail page) |
| Rule | The specific ruleset that produced this finding (links to the ruleset detail page) |
| Result | The current evaluation result: Pass, Fail, or Error |
| State | The finding's lifecycle state: Active or Resolved |
| Total Evaluations | How many times this finding has been evaluated |
| Last Updated | When the most recent evaluation occurred |
| Last Updated By | Who or what performed the last evaluation (System or User) |
Evaluation Results
| Result | Meaning | Color |
|---|---|---|
| Pass | The asset satisfies the ruleset's requirements | Green |
| Fail | The asset does not meet the ruleset's requirements | Red |
| Error | The evaluation could not be completed (e.g., missing inventory data, evaluation exception) | Orange |
What Causes an Error Result?
Error results occur when:
- The required inventory data is not available for the asset
- The property path specified in the check does not exist in the collected data
- An unexpected exception occurs during evaluation
- The ruleset's prerequisites pass but the check encounters invalid data
Evaluation Actors
Each evaluation records who performed it:
| Actor | Description |
|---|---|
| System | The evaluation was performed automatically by the posture evaluation pipeline during an inventory sync |
| User | A human analyst manually set or overrode the finding result |
TIP
Manual overrides are useful when an automated check produces a false positive or when a manual ruleset requires human judgment. The override is recorded in the evaluation history with the user's identity.
Evaluation History
Every finding maintains a complete evaluation history. Each entry records:
- The result (Pass, Fail, Error)
- The timestamp of the evaluation
- The actor (System or User)
- An optional reason explaining the result
- The scan that triggered the evaluation (if applicable)
The evaluation history provides a full audit trail of how the finding's status has changed over time. This is critical for compliance reporting and demonstrating due diligence.
How Findings Are Generated
Findings are generated through the posture evaluation pipeline:
- A sensor or adapter collects new inventory data for an asset
- The posture evaluation service identifies all active policies applicable to the asset
- For each policy, it traverses the sections and evaluates each assigned ruleset
- Prerequisites and applicability conditions are checked before each ruleset evaluation
- Check results are recorded as findings (new findings are created; existing findings are updated)
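The create/update lifecycle, the Error causes and the evaluation history described above, as a simplified Python model. This is an added illustration, not AttackLens code: the `Finding` class, the function names, the `sshd.PermitRootLogin` property path, the asset name `web-01`, the user `alice` and the inventory snapshots are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Finding:  # hypothetical model, not the product's schema
    asset: str
    rule: str
    result: str = ""
    history: list = field(default_factory=list)  # one entry per evaluation

def lookup(data, path):
    """Walk a dotted property path; raise KeyError if a segment is missing."""
    for key in path.split("."):
        if not isinstance(data, dict) or key not in data:
            raise KeyError(path)
        data = data[key]
    return data

def check(inventory, path, expected):
    """Return (result, reason) for one ruleset check against one asset."""
    if inventory is None:
        return "Error", "inventory data not available"
    try:
        actual = lookup(inventory, path)
    except KeyError:
        return "Error", f"property path {path!r} not in collected data"
    if actual == expected:
        return "Pass", None
    return "Fail", f"{path} is {actual!r}, expected {expected!r}"

def record(findings, asset, rule, result, actor="System", user=None, reason=None):
    """Create the finding on first evaluation, update it on later ones."""
    f = findings.setdefault((asset, rule), Finding(asset, rule))
    f.result = result
    f.history.append({"result": result, "actor": actor, "user": user,
                      "reason": reason, "timestamp": datetime.now(timezone.utc)})
    return f

def demo():
    rule, path = "Ensure SSH root login is disabled", "sshd.PermitRootLogin"
    findings = {}
    # Constructed inventory snapshots for one asset across three syncs.
    for snapshot in (None, {"sshd": {}}, {"sshd": {"PermitRootLogin": "yes"}}):
        result, reason = check(snapshot, path, "no")
        record(findings, "web-01", rule, result, reason=reason)
    # Analyst override: appended to the same history with the user's identity.
    record(findings, "web-01", rule, "Pass", "User", "alice", "false positive")
    return findings[("web-01", rule)]
```

In this model the finding's Total Evaluations value is `len(finding.history)`, and the two Error entries keep their distinct reasons, so missing inventory can be told apart from a missing property path when reviewing the audit trail.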
Finding Statistics
The findings list page displays aggregate statistics at the top:
| Statistic | Description |
|---|---|
| Passed | Total number of findings with a Pass result |
| Failed | Total number of findings with a Fail result |
| Error | Total number of findings with an Error result |
| Total | Total number of findings across all statuses |
Click on any statistic card to filter the findings list to that result type.
Related Pages
- View Findings: Browse and filter the findings list
- Finding Detail: Understand the finding detail page
- Evaluate a Policy: How evaluation produces findings
- Understanding Rulesets: The checks that generate findings