Manage alert sidebar

The Manage alert sidebar allows you to create a rule that is matched against all subsequent events detected by VMware NSX Network Detection and Response. Any event that matches has the rule action applied. There are a number of ways to access the sidebar:

  • From the Network event details page, select a specific event and click Manage Alert. The sidebar is then prepopulated with relevant filters. You can edit these entries.

  • From any tab on the Host profile page, click the Host actions button, then select Manage alert from the pull-down menu. As above, the sidebar is then prepopulated with relevant filters.

    Alternatively, from a Host profile threat card, click the Next steps button, then select Manage alert from the pull-down menu.

  • From the Incident details view, select a specific incident and click the Manage alert button.

  • From the Alert management rules tab, click the plus icon and add filter entries manually.

The Manage alert sidebar consists of three tabs: Filters, Actions, and Review rule.

At any time, you can close the Manage alert sidebar by clicking the cancel/close icon. If you have made any changes, you must confirm closing the sidebar in a pop-up.

Create or edit filters

The Filters tab has two edit modes: Basic (the default) and Advanced:

  • Click the Advanced link at the top of the sidebar to switch the create/edit mode to Advanced mode.

  • Click the Basic link to switch back to Basic mode (but see the note below).

Basic filters

In Basic mode, create or edit the filters.

To add a filter, perform the following steps:

  1. Click the Add a new filter plus button.

  2. Select a filter from the filter entries pull-down menu.

  3. Depending on the rule type selected, set its value. This may involve clicking a toggle, entering a value, selecting an item from a pull-down menu, or a similar control.

To edit the filters, scroll through the list, select a filter, and modify the appropriate values (see step 3). Delete an unwanted filter by clicking the cancel/close icon. You can also select additional filters (see step 2).

Advanced filters

In Advanced mode, fill in the Matching expression textbox to add or edit a filter using the alert rules syntax. For example:

(network_event.relevant_host_ip: 10.154.115.91 OR network_event.relevant_host_ip: 10.1.1.1-10.255.255.255) AND NOT (network_event.server_port: 53 OR network_event.server_port: 65535) OR (network_event.other_host_hostname: block.lastline.com) AND (network_event.threat: Lastline blocking test)
Important:

Normally you can toggle between the two sidebar edit modes. However, if the matching expression filter you created or edited is not supported by Basic mode, the Basic link is disabled and the Filters tab defaults to the Advanced editor.
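Before saving a suppression or demotion rule it is useful to check which events an expression like the one above actually matches, since suppressed events cannot be recovered. The following Python is an added example, not VMware's code or the product's own evaluator: it parses and evaluates a matching expression in the form shown above against an event dictionary keyed by field name. The operator precedence (NOT over AND over OR), the accepted forms for *_ip values (single address, CIDR block, lo-hi range) and the case-insensitive text match for all other fields are assumptions made here, not documented behaviour.

```python
import ipaddress
import re

# Tokens: "(", ")", a keyword, or "field: value"; a value runs to the next ")" or keyword, so it may contain spaces.
_TOKEN = re.compile(r"\s*(?:(\()|(\))|(AND|OR|NOT)\b|([\w.]+):\s*(.*?)(?=\s*(?:\)|\bAND\b|\bOR\b|$)))")

def tokenize(expr):
    leftover = _TOKEN.sub("", expr).strip()  # anything the token pattern does not cover is a syntax error
    if leftover:
        raise ValueError(f"cannot tokenize: {leftover!r}")
    return [(f, v.strip()) if f else lp or rp or kw for lp, rp, kw, f, v in _TOKEN.findall(expr)]

def term_matches(field, pattern, event):
    """Assumed: *_ip fields take an address, CIDR block or lo-hi range; other fields compare as text."""
    value = event.get(field)
    if value is None or not field.endswith("_ip"):
        return value is not None and str(value).casefold() == pattern.casefold()
    addr = ipaddress.ip_address(str(value))
    if "-" in pattern:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in pattern.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(pattern, strict=False)

def rule_matches(expr, event):
    """Recursive descent; assumed precedence NOT > AND > OR, parentheses override."""
    tokens = tokenize(expr)  # consumed left to right with tokens.pop(0)
    def chain(op, operand):  # left-associative run of one binary operator
        result = operand()
        while tokens and tokens[0] == op:
            tokens.pop(0)
            rhs = operand()  # always evaluated so the tokens are consumed
            result = (result and rhs) if op == "AND" else (result or rhs)
        return result
    def unary():
        tok = tokens.pop(0)  # IndexError signals a truncated expression
        if tok == "NOT":
            return not unary()
        if tok == "(":
            result = or_expr()
            if tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return result
        if isinstance(tok, tuple):
            return term_matches(tok[0], tok[1], event)
        raise ValueError(f"unexpected token {tok!r}")
    or_expr = lambda: chain("OR", lambda: chain("AND", unary))
    result = or_expr()
    if tokens:
        raise ValueError(f"trailing tokens {tokens!r}")
    return result
```

Run `rule_matches(expression, event)` with the expression copied from the Matching expression textbox and a dictionary of event fields (for example `{"network_event.relevant_host_ip": "10.154.115.91", "network_event.server_port": 443}`) to see whether the rule would fire on that event.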

Complete filters

When you have completed adding and editing the filters needed for your rule, click Define action to go to the next step.

Define the action

Use the second tab of the Manage alert sidebar to define the rule actions. The Actions tab has two edit modes: Basic actions (the default) and Advanced actions:

  • Click the Advanced actions link at the top of the sidebar to switch the create/edit mode to Advanced mode.

  • Click the Basic actions link to switch back to Basic mode.

Basic actions

There are two toggles on the Actions tab in Basic actions mode: Suppress alert and Custom impact (1-100).

Suppress action

Click the Suppress alert toggle. Select Demote to INFO event (the default) or Suppress from the pull-down menu.

The Demote action converts subsequent network events that match the rule into INFO events. Demoted INFO events can still be viewed in the User Portal, but only when you select INFO in the Event outcome filter.

The Suppress action deletes the matching events from the User Portal.

Warning:

Any event that is suppressed can no longer be accessed.

Custom impact

Click the Custom impact (1-100) toggle. Click the radio buttons to select Defined range or Single value. If you selected Defined range, enter minimum and maximum values in the respective textboxes. If you selected Single value, enter the value in the textbox.

Advanced actions

In the textbox, add or edit an action using the alert rules syntax. For example:

demote:outcome=TEST

Or:

impact:min_impact=12,impact:max_impact=22

Complete actions

After you have selected the action, click Review rule to go to the next step.

To correct the selected filters, click Edit filters to go back to the previous tab.

Rule summary

The Rule summary tab allows you to verify your alert rule. First name the rule, optionally select a license, then save the rule.

  1. Enter a name in the Rule name field.

    If you are editing an existing rule, you cannot change the name.

  2. Optionally select the License. Use the pull-down menu to select a license. This pull-down menu is disabled if you launched the sidebar from the Alert management rules tab or if you are editing an existing rule.

The Rule summary displays the selected filters of the rule.

If the Filters tab was left in Basic mode, the summary consists of a list of the selected filters. Each filter is displayed with its name and values. For example:

  • Rule summary

    Server IP: 12.6.6.6/32
    Relevant host silenced: 1
    Threat(s): Torn rat
    Threat Class: Malicious file execution

If the Filters tab was left in Advanced mode, the summary displays the matching expression. For example:

  • Rule summary

    (network_event.server_ip: 12.6.6.6/32) AND (network_event.relevant_host_whitelisted: 1) AND (network_event.threat: Torn RAT) AND (network_event.threat_class: Malicious File Execution)

If the Actions tab was left in Basic actions mode, the summary displays the action. For example:

  • Suppression Alert: Demote to INFO event

If the Actions tab was left in Advanced actions mode, the summary displays the action. For example:

  • Action: impact:min_impact=12,impact:max_impact=22

When you are done, click Create rule to complete the rule.

When you are editing an existing rule, the button is labeled Update rule instead.

To correct the selected rule types, click Edit rule to go back to the previous page.