Network event details page

The Network event details page is opened from the Details button at the top of the Event summary sidebar.

There are a number of controls and buttons along the top of the view:

  • Click the Similar events button to open a drop-down list of attributes shared with this event. Select the checkbox beside each attribute to match on: Sensor, Destination, Destination port, Source IP, Source hostname, Transport protocol, Threat class, and/or Threat type. Then click the View events link to open the events that match all selected attributes in a new tab.

  • Click the Comments button to view or add comments on the event.

  • Click the Manage Alert button to open the Manage alert sidebar. Use it to suppress or demote harmless events, such as system test or blocking events, or to apply custom scores to specific events.

  • Click the Explore button, then select one of the options from the pull-down menu:

    • Investigate all network traffic for this event

    • Investigate web traffic for this event

    • Investigate DNS queries that failed for this event

    • Investigate Encrypted Traffic destinations for this event

    These options are deep links into the Network explorer page (Kibana interface), providing access to all the information related to the event.

  • Click the minus icon to collapse all fields or the plus icon to expand all fields.

Event overview

The top section provides a visual overview of the detected threat or malware and displays its impact score.

Event summary

The Event summary section provides an explanation as to why the system flagged this event, identifies the threat or malware associated with this event, briefly describes the detected activity, and displays supporting data.

If available from the VMware backend, a detailed explanation of the event and why it is considered malicious is displayed at the top of the Event summary section.

The Client block displays the following data:

  • Host name If available, the FQDN of the client.

  • IP address The IP address of the client. A geo-located flag may be displayed. If available, click the address or the link icon to open the Host profile page.

    If available, click the tag icon to view the reputation of the client.

    If available, click the Intelligence icon to view the client in Intelligence.

    If available, click the globe icon to view registration information and other data about the host in the WHOIS pop-up.

  • MAC address If available, the MAC address of the client. This address is obtained from monitoring DHCP traffic and is one of the data points the system uses to generate a unique HostID entry that it maps to a specific host in the network, regardless of its IP address.

The Server block displays the following data:

  • Host name If available, the FQDN of the server.

  • IP address The IP address of the server. A geo-located flag may be displayed.

    If available, click the tag icon to view the reputation of the server.

    If available, click the Intelligence icon to view the server in Intelligence.

    If available, click the globe icon to view registration information and other data about the host in the WHOIS pop-up.

  • MAC address If available, the MAC address of the server. This address is obtained from monitoring DHCP traffic and is one of the data points the system uses to generate a unique HostID entry that it maps to a specific host in the network, regardless of its IP address.
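The Client and Server blocks above both note that the MAC address comes from observed DHCP traffic and feeds a HostID that follows a machine across IP changes. The following is an added example, not VMware's code and not the product's actual HostID derivation (which this page does not document): it keeps a history of DHCPACKs and resolves the IP in an event, at the event's time, to the lease that held that address, so two events from the same MAC under different IPs map to one host and an IP that has since been reassigned maps to its new holder. The log-line format, the `host_id` digest and the sample ACKs are all constructed for the example.

```python
"""Added example (not VMware's code): map an event's client IP at a point in
time back to a stable host identity using DHCP lease history."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
import hashlib


@dataclass(frozen=True)
class Lease:
    """One DHCPACK observed on the wire (sample data is constructed below)."""
    ack_time: datetime       # when the ACK was observed
    lease_secs: int          # IP address lease time (DHCP option 51)
    mac: str                 # client hardware address (chaddr)
    ip: str                  # yiaddr handed out by the server
    hostname: Optional[str]  # option 12, if the client supplied one


def host_id(mac: str) -> str:
    """Hypothetical HostID: a short digest of the normalised MAC. This is an
    assumption for the example; the real product's derivation is not on the page."""
    norm = mac.lower().replace("-", ":")
    return "host-" + hashlib.sha256(norm.encode()).hexdigest()[:12]


def leases_from_log(lines: List[str]) -> List[Lease]:
    """Parse constructed ACK log lines: '<ISO time> ACK <mac> <ip> <secs> [hostname]'."""
    out = []
    for line in lines:
        parts = line.split()
        out.append(Lease(datetime.fromisoformat(parts[0]), int(parts[4]),
                         parts[2], parts[3], parts[5] if len(parts) > 5 else None))
    return out


def lease_holder(ip: str, at: datetime, leases: List[Lease]) -> Optional[Lease]:
    """Which lease covered `ip` at time `at`? Among leases of that IP that were
    granted at or before `at` and had not yet expired, the most recent ACK wins:
    a newer ACK for the same address is a renewal (same MAC) or a reassignment
    (different MAC), and either way it supersedes the older one."""
    live = [l for l in leases
            if l.ip == ip and l.ack_time <= at < l.ack_time + timedelta(seconds=l.lease_secs)]
    return max(live, key=lambda l: l.ack_time, default=None)


def client_identity(ip: str, at_iso: str, leases: List[Lease]) -> dict:
    """Identity to attach to an event seen from `ip` at `at_iso` (ISO 8601)."""
    lease = lease_holder(ip, datetime.fromisoformat(at_iso), leases)
    if lease is None:
        # No lease history covers this moment: the IP alone is all we can report.
        return {"ip": ip, "mac": None, "hostname": None, "host_id": None}
    return {"ip": ip, "mac": lease.mac, "hostname": lease.hostname,
            "host_id": host_id(lease.mac)}


# Constructed sample: 10.0.0.25 is leased to one laptop, then reassigned to
# another, while the first laptop comes back on a different address.
SAMPLE_ACKS = [
    "2024-05-01T08:00:00+00:00 ACK aa:bb:cc:dd:ee:01 10.0.0.25 3600 laptop-alice",
    "2024-05-01T08:30:00+00:00 ACK aa:bb:cc:dd:ee:02 10.0.0.25 3600 laptop-bob",
    "2024-05-01T08:45:00+00:00 ACK aa:bb:cc:dd:ee:01 10.0.0.40 3600 laptop-alice",
]

if __name__ == "__main__":
    leases = leases_from_log(SAMPLE_ACKS)
    for ip, when in [("10.0.0.25", "2024-05-01T08:10:00+00:00"),
                     ("10.0.0.25", "2024-05-01T08:50:00+00:00"),
                     ("10.0.0.40", "2024-05-01T09:00:00+00:00"),
                     ("10.0.0.25", "2024-05-01T12:00:00+00:00")]:
        print(ip, when, client_identity(ip, when, leases))
```

The strict `<` on the lease end and the "latest ACK wins" rule are the two details that matter in practice: without them an event that falls just after a reassignment is attributed to the previous owner of the address.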

The Event metadata section displays the following data:

  • Verification outcome Indicates the event outcome. Possible values:

    • Blocked: The threat was blocked by VMware NSX Network Detection and Response or by a third-party application.

    • Failed: The threat failed to reach its goal, for example because the C&C server was offline or the attacker's code contained errors.

    • Succeeded: The threat was verified to have reached its goal, for example its check-in with the C&C server completed and data was received from the malicious endpoint.

    If the event outcome is unknown, this field is not displayed.

  • Verifier name The name of the event verifier. Click the link to access the Verifier pop-up.

  • Verifier message A message from the verifier that provides further information about the outcome, for example, which third-party application blocked the threat.

  • Sensor The sensor that detected the event.

  • Connections The number of connections included in the event.

  • Action A list of actions taken by the sensor (for example, any blocking activities, whether the event is logged, whether traffic was captured, or a malware download was extracted).

  • Users logged in A list of the users detected in the logged records.

  • Outcome The outcome of the event. In most cases, this is DETECTION.

    For INFO events and events that were promoted from INFO status, an additional label provides the reason for its status/status change. A pop-up is displayed when you hover over the label, providing additional details about the reason.

  • Related incident A permalink to a correlated incident. The link will open in a new browser tab.

    This event may be one of a number of closely related events that have been automatically correlated into an incident.

  • Event ID The identifier of the event. Click it to open the event in the Network event details page in a new browser tab.

  • Start time A timestamp for the beginning of the event.

  • End time A timestamp for the end of the event.

Captured malware

The Captured malware section provides information from the dynamic analysis that was performed on the malicious software instance that is related to the event. You can access detailed in-depth technical information on what the malware does, how it operates, and what kind of a risk it poses. For more information on the displayed information, see Analysis report.

Note:

If no malicious software was detected for the event, this section will not appear.

Event evidence

The Event evidence section provides details of the actions observed while analyzing the event. Evidence may include a malicious file download, network traffic matching a signature for a known threat, a domain name resolution of a blocked malware domain, a request to a known bad URL path, and so on.

If available, click the Detector: link to view the Detector documentation pop-up. Also see About evidence for further details.

Host reputation

The Host reputation section provides information about known malicious hosts or URL reputation entries seen in the event.

Note:

If the host has no known history, this section will not appear.

Captured traffic

The Captured traffic section provides access to download packet captures associated with the event. You can also view the printable characters present in that packet capture.

Click the View traffic capture link to view the content of this section in a new browser tab.

If present, the URLs subsection displays the method and URL of each request and response. Click the plus icon to open the subsection.

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, matching the query string. To restrict the list to a specific URL, enter it in the Filter by URL textbox.

Captured traffic list

The traffic capture list displays a number of columns. Depending on the type of traffic captured, some columns may not be displayed:

Links

Click the cloud download icon to download the traffic capture to your local disk.

Click the link icon to view the traffic capture in a new browser tab.

Timestamp

The time when the traffic capture started.

Source IP

The IP address of the traffic source.

Source Port

The source port number of the traffic.

Destination IP

The IP address of the traffic destination.

Destination Port

The destination port of the traffic.

Bytes Sent

The number of bytes of traffic sent by the source.

Bytes Received

The number of bytes of traffic the source received back from the destination.

URLs

A numbered list of observed URLs, if applicable.

Protocol

The protocol of the traffic capture, if available.

Info

A brief description of the detected activity.
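The Captured traffic list and the printable-character view above are derived from the packet capture attached to the event. As an added example (not VMware's code, and not how the product itself renders the list), the following parses a classic little-endian libpcap file, groups IPv4/TCP segments into connections, and produces the same kind of row: source and destination address and port, bytes sent and received, the method and URL of each HTTP request, and the printable runs a `strings`-style view would show. The capture it runs on is constructed inline (one HTTP request and its response); the field names, the 4-character printable threshold and the HTTP method list are choices made for the example.

```python
"""Added example (not VMware's code): build Captured traffic style rows and the
printable strings from a libpcap file, offline, on a constructed capture."""
import re
import struct
from ipaddress import IPv4Address
from typing import Dict, Iterator, List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4                           # classic pcap, little-endian, microseconds
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")      # same threshold as `strings -n 4`
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(rb"^Host: *([^\r\n]+)", re.M | re.I)


def _tcp_segments(pcap: bytes) -> Iterator[Tuple[float, str, int, str, int, bytes]]:
    """Yield (timestamp, src_ip, sport, dst_ip, dport, payload) per IPv4/TCP packet."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only classic little-endian pcap is handled in this example")
    off = 24                                          # skip the global header
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                # protocol field: 6 = TCP
            continue
        total_len = struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        data_off = (tcp[12] >> 4) * 4
        yield (ts_sec + ts_usec / 1e6,
               str(IPv4Address(ip[12:16])), struct.unpack_from("!H", tcp, 0)[0],
               str(IPv4Address(ip[16:20])), struct.unpack_from("!H", tcp, 2)[0],
               tcp[data_off:])


def summarize_capture(pcap: bytes) -> List[dict]:
    """One row per TCP connection. The first packet seen fixes the direction:
    its sender is the Source, bytes it sends count as Bytes Sent and bytes
    flowing the other way as Bytes Received."""
    rows: Dict[tuple, dict] = {}
    for ts, src, sport, dst, dport, payload in _tcp_segments(pcap):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd not in rows and rev in rows:           # reply direction
            row = rows[rev]
            row["bytes_received"] += len(payload)
        else:
            row = rows.setdefault(fwd, {"timestamp": ts, "source_ip": src, "source_port": sport,
                                        "destination_ip": dst, "destination_port": dport,
                                        "bytes_sent": 0, "bytes_received": 0,
                                        "urls": [], "strings": []})
            row["bytes_sent"] += len(payload)
            req = HTTP_REQUEST.match(payload)
            if req:                                   # URLs column: method + absolute URL
                method, target = req.group(1).decode(), req.group(2)
                if not target.startswith(b"http"):
                    host = HOST_HEADER.search(payload)
                    target = b"http://" + (host.group(1) if host else dst.encode()) + target
                row["urls"].append(f"{method} {target.decode()}")
        # Printable-character view: every run of 4+ printable ASCII bytes.
        row["strings"].extend(s.decode() for s in PRINTABLE_RUN.findall(payload))
    return list(rows.values())


# ---- constructed sample capture (not real traffic) --------------------------
def _tcp_frame(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip            # zero MACs + EtherType IPv4


def _pcap(*frames: bytes) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = _pcap(
    _tcp_frame("10.0.0.25", 49152, "203.0.113.7", 80,
               b"GET /gate.php?id=7 HTTP/1.1\r\nHost: update.example.test\r\n\r\n"),
    _tcp_frame("203.0.113.7", 80, "10.0.0.25", 49152,
               b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\n\x01\x02OK\x00"),
)

if __name__ == "__main__":
    for row in summarize_capture(SAMPLE_PCAP):
        print(row)
```

Checksums are not verified and the parser does not reassemble TCP streams, so a request split across segments would be missed; a production tool would reassemble before matching the request line.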

Captured traffic tabs

There are a number of tabs under the captured traffic list. Click on the titles to view IP, Raw, or protocol data. By default, the protocol data is displayed. The available protocols displayed are HTTP, TLS, RDP, DNS, etc. An Open Intel tab may be displayed if relevant data is available.

Note:

If no network traffic was captured for the event, this section will not appear.

Anomaly data

This section displays the netflow, passive DNS, or webrequest records that caused the anomaly event to be raised. It will be titled DNS anomaly data, Netflow anomaly data, or Webrequest anomaly data, depending upon the anomaly seen.

Additional information may be provided, such as the IP addresses or ports that were classified as anomalous. If a large number of items are involved, click the plus icon next to the item count to expand all the items.

Note:

If no anomalies were seen for the event, this section will not appear.

Threat description

The Threat description section provides a detailed description of the threat associated with the event.

Mitigation

The Mitigation section provides detailed instructions for the removal of any malicious software and other recommended processes to clean up after the event.

Note:

If there is no known mitigation process for the event, this section will not appear.