Network tab

The Network tab consists of a number of widgets that are used to inspect, manage, and prioritize the network detection events reported by the VMware NSX Network Detection and Response.

Detected threats

The Detected threats widget provides a visualization of all types of threat classes and threats that have been discovered in your network. By clicking on a specific threat class, you can drill down to see the threats it contains within the same visualization. When you select a specific threat, the system displays details about that particular threat and its activity in your network.

Note:

The Events list is pruned by your selections as you drill down into the individual threats. Conversely, if you use the Filters to narrow the displayed list of events, this also filters the threats presented by the Detected threats widget.

Threat class

The initial view shows the threat classes that have been detected on your network. The rectangles are scaled based on the number of events for each detected threat class. The colors indicate the severity of the threat.

The list on the right side of the widget shows the Top detected threats. When you hover your mouse over an item in the list, a pop-up gives further information about the threat, its class, and the number of events and affected hosts.

A pop-up is displayed when you hover over a specific threat class. It shows the Class, the number of Unique threats, and a breakdown of the number of Events and participating hosts. Click the pop-up or the rectangle to drill down into the unique threats that make up the selected threat class.

Unique threats

The subsequent view shows the threats that make up the selected threat class. The rectangles are scaled based on the number of events for each detected threat and the colors indicate the severity of the threat.

A pop-up is displayed when you hover over a specific threat. It shows the Threat and a breakdown of the number of Events and participating hosts. Click the pop-up or the rectangle to select the threat. The Threat details is displayed on the right side of the widget.

Threat details

The Threat details section lists the following information:

  • Threat The name of the threat.

  • Class The name of the threat class.

  • Max impact The maximum impact of events detected for the threat.

  • Events The number of detected events.

  • Hosts The number of targeted hosts. Click the link to view the Hosts list.

  • First seen/Last seen A bar graph showing the timestamps seen for the threat. The Duration is displayed underneath.

Global event map

The Global event map provides a visual overview of aggregated geo-located events. It marks the approximate location of the other host. The marker color represents the event impact. The marker size represents the number of impacted hosts.

Events with no specific location are excluded from this map.

Click a marker to learn more about the threats and hosts represented at that particular location. In the Location Details pop-up, you can view the Approximate location, the Threats, and the Destination hosts of the selected event. Click filter beside each entry to apply filters to the Events list.

Filters

An easy-to-use filtering mechanism is provided that allows you to focus on the information that you are interested in. Click the plus icon to expand the Filters widget.

Note:

The use of filters is optional.

Click Filter by and select an item from the pull-down menu. Select from Event mode, Event outcome, Home network, Host IP, Host name, Host tag, Incident ID, Minimum impact, Other host, Port, Priority, Threat, Threat class, or Transport.

You can combine multiple filters to narrow the focus. You can also deploy multiple instances of some filters.

Delete an individual filter by clicking the Remove minus button next to its entry. Delete all the selected filters by clicking the cancel/close icon. This also collapses the Filters widget.

Click Apply reload to apply the selected filters.

Event mode

Select All or Test from the pull-down menu.

The default is to display events that are determined to be real. Selecting Test will include only those events that are known to be testing events. Selecting All will include all events.

Event outcome

Select All or Info from the pull-down menu.

The default is to display events that are determined to be malicious. Selecting Info will include only those events that themselves are not necessarily malicious (for details, see INFO events promotion). By tracking these events, you can gain further insight into the activity in your network.

Home network

Restrict displayed events by the Home network setting using the pull-down menu. Select Home network only for events within your defined home network. Select Unidentified networks only for events from unknown hosts.

Host IP

Restrict displayed events to a specific source IP address, IP address range, or CIDR block.

Host name

Restrict displayed events to a specific source Host name. The full host name or label needs to be provided.

Host tag

Restrict displayed events to hosts labeled with the specified host tags.

Incident ID

Display events that belong to the specified Incident. An Incident ID is a numeric entry, for example, 73142.

Minimum impact

Display events that scored the minimum impact level. The range is 1 to 100.

Other host

Restrict the displayed events to a specific host. The host can be entered as a host name or IP address. The IP address can be entered as one or more IP addresses, CIDR blocks (such as 192.168.0.0/24) or IP address ranges (such as 1.1.1.5-1.1.1.9).

Port

Display events using a specific TCP/UDP port. To further filter the displayed events, you can combine this with Transport.

Priority

Restrict displayed events by the Priority status. Select Infection, Watchlist, or Nuisances from the pull-down menu.

See the infections list for details.

Threat

Restrict displayed incidents by a specific Threat. Select a threat from the pull-down menu. The menu is prepopulated with a list of cataloged threats.

Use the search function at the top of the menu to quickly find a threat name.

Threat class

Restrict display to a specific class of events. Select the threat class from the pull-down menu. The menu is prepopulated with a catalog of classes.

Transport

Display events using a specific transport layer protocol. Select TCP or UDP from the pull-down menu.

Events

The Events widget provides an overview of the individual events.

If the selected time range includes today (the default), the widget updates its list of events every 5 minutes. New events are highlighted in green; the color fades away after a few seconds.

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

Manually refresh the events list by clicking the Update now redo button.

The columns to be displayed in the list can be customized by clicking the additional content icon.

Customize the number of rows to be displayed. By default, 30 entries are shown. Up to 1000 events can be displayed however there may be a noticeable delay for the system to retrieve a large number of events. Use the left arrow (back) and right arrow (forward) icons to navigate through multiple pages.

Each row displays a summary of an event. Click anywhere on an entry row to access the event summary sidebar.

The list of events contains the following columns:

Timestamp

Indicates the start time of the event. The time is shown in the currently selected timezone.

The list is sorted by timestamp, by default in decreasing order (latest event at the top). Click the angle up icon to sort the list in increasing order (oldest event at the top), then click the angle down icon to toggle back to the default.

Host

The host in the monitored network that is involved in this event. This column will display the IP address, host name, or label of the host, depending on your current Display settings pop-up. Click the edit (edit) icon next to the host to open the Label/Silence host pop-up.

Sensor

Name of the sensor that generated the event.

Other IP

IP address and port of the host that is related to this event. For example, 203.0.113.115:80 indicates that the IP address 203.0.113.115 was contacted on port 80.

The system attempts to geo-locate the IP address. If it succeeds, a small flag icon indicates the country that possibly hosts that IP address. A Local Network icon is used for local hosts.

Other Host

The host name or IP address of the malicious/suspicious entry.

Threat

Name of the detected threat or security risk.

Threat Class

Name of the detected threat class.

Impact

The impact value indicates the critical level of the detected threat and ranges from 1 to 100:

  • Threats that are 70 or above are considered to be critical.

  • Threats that are between 30 and 69 are considered to be medium-risk.

  • Threats that are between 1 and 30 are considered to be benign.

If the stop icon appears, it indicates the artifact has been blocked.

Click the sort icon to sort the list by impact.

Verification outcome

Indicates the event outcome. Possible values:

  • Blocked: The threat was blocked by the VMware NSX Network Detection and Response or by a third party application.

  • Failed: The threat failed to reach its goal. This could be caused by the C&C server being offline, the attacker made coding errors, etc.

  • Succeeded: The threat was verified to have reached its goal. This could be its check-in attempt to the C&C server completed and data was received from the malicious endpoint.

If the event outcome is unknown, this field is blank.

Host tags

The tags assigned to the host in the monitored network.

Event summary sidebar

The event summary sidebar is expanded by clicking an entry in the Events.

Top section

At the top of the sidebar are a number of items:

  • Click the cancel/close to close the sidebar.

  • Click the Network pages icon Explore angle down button then select one of the options from the pull-down menu:

    • Investigate all host activity for this event

    • Investigate network traffic for this event

    These options are deep links into the Network explorer page (Kibana interface), providing access to all the information related to the event.

  • Click the Details angle right button to view the event in the Network event details page.

  • If available, a brief description of the event is provided that includes an explanation as to why the system flagged this event, identifies the threat or malware associated with this event, and briefly describes the detected activity.

Subsequent sections of the sidebar display supporting data. Some sections are displayed only if relevant data is available.

Threat details

Threat

Name of the detected security risk.

Threat class

Name of the detected security risk class.

Event detector

The name of the event detector. Click the link to view the Detector pop-up.

If there is no detector for the event, this section is not shown.

Impact

The impact value indicates the critical level of the detected threat and ranges from 1 to 100:

  • Threats that are 70 or above are considered to be critical.

  • Threats that are between 30 and 69 are considered to be medium-risk.

  • Threats that are between 1 and 30 are considered to be benign.

Action

A list of actions taken by the sensor (for example, any blocking activities, whether the event is logged, whether traffic was captured, or a malware download was extracted).

Outcome

The outcome of the event. In most cases, this is DETECTION.

For INFO events and events that were promoted from INFO status, an additional label provides the reason for its status/status change. A pop-up is displayed when you hover over the label, providing additional details about the reason.

First seen array Last seen

A graph with the timestamp from when the evidence was first and last seen.

The Duration is displayed below the graph.

Event verification

The Event verification section displays the following data:

Verification outcome

Indicates the event outcome. Possible values:

  • Blocked: The threat was blocked by the VMware NSX Network Detection and Response or by a third party application.

  • Failed: The threat failed to reach its goal. This could be caused by the C&C server being offline, the attacker made coding errors, etc.

  • Succeeded: The threat was verified to have reached its goal. This could be its check-in attempt to the C&C server completed and data was received from the malicious endpoint.

If the event outcome is unknown, this field is not displayed.

Verifier name

The name of the event verifier. Click the link to access the Verifier pop-up.

Verifier message

A message from the verifier which provides further information about the outcome, for example, which third party application blocked the threat.

Note:

If the event could not be verified, this section will not appear.

Event traffic

The Event traffic widget provides an overview of the traffic observed between the hosts involved in the event. At least one host involved in the event is a monitored host. The communicating host may be a monitored host or an external system. A link to view the Captured traffic is displayed, if the data is available.

The arrow indicates the traffic direction between the hosts.

For each host, the IP address is displayed. If the host is local, the address is a link that you can click to view the Host profile page. A geo-located flag, home , or network icon may be displayed. More than one may be displayed. If available, a host name is displayed. If available from DHCP traffic monitoring, the MAC address of the host is displayed. Any host tags applied to the host are displayed. Click the Intelligence pages icon icon to view host details in Intelligence. If available, click the globe icon to view host details in the WHOIS pop-up.

Event evidence

The Event evidence section lists various actions observed while analyzing the event. For more details, click the Event details angle right link to view the Event evidence.

Actions include Signature, Reputation, Unusual behavior, File download, URL path match, Verification, Anomaly, etc. If provided, click the link to view the corresponding Detector pop-up. A Confidence value is displayed for each action.

Malware identification

A summary of the detected malware is displayed. For more details, click the Analyst report angle right link to view the Analysis report.

Antivirus class

A label defining the antivirus class of the downloaded file.

Antivirus family

A label defining the antivirus family of the downloaded file.

Malware

A label defining the malware type of the downloaded file. If the label has a tag icon, you can click it for a pop-up description.

Behavior overview

The detected behaviors of the downloaded file. If there is a lot of data, a partial list is displayed by default. Click Expand for more angle down to view more. Toggle it closed again by clicking Collapse for less angle up .

Event URLs

The Event URLs section displays all the URLs detected in the event.

Event metadata

The Event metadata section displays the following data:

Sensor

The sensor that detected the event.

Related incident

Click the link ( link ) to view the related incident if one is available.

Connections

The number of connections included in the event.

Related campaign

Click the link ( link ) to view the related campaign if one is available.

Detected users

The Detected users section displays a list of the Users logged on if there are any records of logged users available.

WHOIS pop-up

The WHOIS pop-up displays registration information and other details about the IP address and/or hostname of the host you are examining. It has two tabs: Summary and Raw record.

Summary

The Summary tab displays the following information about the IP address and/or hostname:

  • An initial section contains any relevant Intelligence tags.

  • Date information The date the domain was registered, the date that the domain record was updated, and if available, the expiration date of the domain.

  • Organization The name of the organization, the organization email addresses, the organization country (country code), the organization phone numbers, the registrar name, and the contact list.

  • Network The network name, IP address range, AS list,authoritative name servers, and parent networks.

Raw record

The Raw record tab displays WHOIS data in its raw form.

Information unavailable

If the WHOIS pop-up displays a warning that information for the given IP address and/or hostname is unavailable, you can try using a 3rd party. Click the View in external tool button to look-up the host.

Note:

The button to the 3rd party provider is always available.

Detector pop-up

The Detector documentation pop-up provides detailed information about the detector that provided the event evidence. The intent is to assist you in determining the confidence you can place in this detector.

The documentation displays at least some of the following fields:

  • Goal Short description of the goal of the detector.

  • ATT&CK categorization If applicable, a link to the MITRE ATT&CK technique is provided.

  • Detector abstract A detailed technical description of the detector and its operation.

  • IDS rule A high level representation of the detection logic used by a VMware NSX Network Detection and Response network signature. The rule syntax is loosely related to the Suricata signature language defined in https://suricata.readthedocs.io/en/latest/rules/index.html. A rule consists of one or more clause sets, typically a single clause, each containing key/value pairs. If there is more than one clause in a rule, each is numbered, the first clause prefaced "If:" and each subsequent clause "And then if:". The different clause sets will be evaluated sequentially on data belonging to the same flow. Hover over any key/value pair to view a relevant help pop-up.

  • False positives A description of the possibility of the detector to generate false positives.

  • False negatives The assumptions that might result in the detector causing false negatives.

Verifier pop-up

The Verifier documentation pop-up provides detailed information about the verifier that provided the event evidence. The documentation contains at least some the following fields:

  • Verification outcome Indicates the event outcome. Possible values:

    • Blocked: The threat was blocked by the VMware NSX Network Detection and Response or by a third party application.

    • Failed: The threat failed to reach its goal. This could be caused by the C&C server being offline, the attacker made coding errors, etc.

    • Succeeded: The threat was verified to have reached its goal. This could be its check-in attempt to the C&C server completed and data was received from the malicious endpoint.

  • Verifier message A message from the verifier which provides further information about the outcome, for example, which third party application blocked the threat.

  • Verifier abstract Short description of the verifier.