Manage Sensors

The Sensors page is your central hub for monitoring and managing all enrolled sensors across your environment. From here you can view sensor status, inspect collected data, link sensors to assets, and troubleshoot connectivity issues.

INFO

Requires Posture Manager role or higher to manage sensors. Viewer role can view sensor data in read-only mode.

Sensor List

Navigate to Sensors in the left sidebar to see all enrolled sensors.

The sensor list displays the following columns:

Column	Description
Hostname	The hostname of the machine the sensor is running on.
Status	Current status: Online, Offline, or Pending.
Operating System	The OS detected on the endpoint (e.g., Ubuntu 22.04, Windows Server 2022, macOS 14).
Architecture	Processor architecture (amd64 or arm64).
Version	The currently running sensor version.
Last Seen	The timestamp of the most recent check-in from the sensor.
Linked Asset	The asset this sensor is bound to, if any.

Filtering and Searching

Search: Filter sensors by hostname using the search bar.
Status filter: Show only Online, Offline, or Pending sensors.
OS filter: Filter by operating system type (Linux, Windows, macOS).

Sensor Statuses

Status	Icon	Meaning
Online	Green circle	The sensor has checked in within the expected interval and is actively reporting data.
Offline	Red circle	The sensor has not checked in within the expected interval. The machine may be powered off, the sensor service may have stopped, or there may be a network issue.
Pending	Yellow circle	The sensor has enrolled but has not yet completed its first data collection cycle. This is normal for newly deployed sensors and typically resolves within minutes.

Sensor Detail

Click on any sensor in the list to open its detail view.

The detail view contains the following sections:

Overview

General information about the sensor and its host machine:

Sensor ID: The unique identifier assigned during enrollment.
Hostname: The machine's hostname.
IP Address: The IP address reported by the sensor.
Operating System: Full OS name and version.
Architecture: Processor architecture.
Sensor Version: The currently installed sensor version.
Status: Current status with the last seen timestamp.
Enrolled At: When the sensor first registered with AttackLens.
Enrollment Token: The name of the token used during enrollment.

Collected Data

A summary of the most recent data collected by the sensor:

Installed Packages: Count and list of detected packages.
Running Services: Count and list of active services.
Security Policies: Detected security policy settings.
User Accounts: Local user accounts discovered on the endpoint.
Network Configuration: Interfaces, listening ports, firewall rules.

Update Status

Shows whether a newer sensor version is available:

Current Version: The version currently running on the endpoint.
Latest Available: The newest version available from the backend.
Update Status: Up to date, Update available, or Update in progress.

See Sensor Auto-Update for details on how updates are delivered.

Linking a Sensor to an Asset

Linking a sensor to an asset establishes a relationship between the physical/virtual endpoint and the logical asset record in AttackLens. This enables:

Inventory data from the sensor to populate the asset's inventory.
Vulnerability correlation based on the sensor's package data.
Posture evaluation using the sensor's configuration data.
Attack graph enrichment with real endpoint details.

How to Link

Open the sensor detail view.
In the Linked Asset section, click Link to Asset.
Search for and select the asset you want to link to.
Click Confirm.

TIP

If a matching asset does not exist yet, AttackLens can automatically create one based on the sensor's hostname and metadata. Check the auto-create option in the link dialog.

How to Unlink

Open the sensor detail view.
In the Linked Asset section, click the Unlink button next to the linked asset.
Confirm the unlink action.

Unlinking a sensor does not delete any previously collected data from the asset. It only stops future data from this sensor from flowing to that asset.

Deleting a Sensor

To remove a sensor record from AttackLens:

Open the sensor detail view.
Click the Delete button.
Confirm the deletion.

WARNING

Deleting a sensor record removes it from AttackLens but does not uninstall the sensor software from the endpoint. If the sensor is still running on the machine, it will attempt to check in and will receive an authentication error. Uninstall the sensor from the endpoint first, or the logs will fill with connection errors.

Troubleshooting

Sensor shows Offline

Check if the machine is running: The most common reason for an Offline status is that the host machine is powered off or rebooted.
Check the sensor service: Verify the sensor service is running on the endpoint (systemd on Linux, Windows Service, launchd on macOS).
Check network connectivity: Ensure the endpoint can reach the AttackLens backend over HTTPS. Test with curl or Invoke-WebRequest.
Check logs: Review the sensor logs on the endpoint for error messages.

Sensor stays in Pending

The sensor may be having trouble completing its first collection cycle. Check the logs on the endpoint for permission errors or collection failures.
Ensure the sensor has sufficient permissions (root/administrator) to read system configuration files.

Data is not appearing in Inventory

Verify the sensor is linked to an asset. Unlinked sensors collect data but it does not populate asset inventory until a link is established.
Check the sensor's Last Seen timestamp to confirm it is actively reporting.

Manage Sensors ​

Sensor List ​

Filtering and Searching ​

Sensor Statuses ​

Sensor Detail ​

Overview ​

Collected Data ​

Update Status ​

Linking a Sensor to an Asset ​

How to Link ​

How to Unlink ​

Deleting a Sensor ​

Troubleshooting ​

Sensor shows Offline ​

Sensor stays in Pending ​

Data is not appearing in Inventory ​