Event summary sidebar

The event summary sidebar is expanded by clicking an entry in the Events list.

Top section

At the top of the sidebar are a number of items:

  • Click the cancel/close to close the sidebar.

  • Click the Explore button (network pages icon with a pull-down arrow) and select one of the options from the pull-down menu:

    • Investigate all host activity for this event

    • Investigate network traffic for this event

    These options are deep links into the Network explorer page (Kibana interface), providing access to all the information related to the event.

  • Click the Details button (angle-right icon) to view the event in the Network event details page.

  • If available, a brief description of the event is provided. It explains why the system flagged the event, identifies the threat or malware associated with it, and briefly describes the detected activity.

Subsequent sections of the sidebar display supporting data. Some sections are displayed only if relevant data is available.

Threat details

Threat

Name of the detected security risk.

Threat class

Name of the detected security risk class.

Event detector

The name of the event detector. Click the link to view the Detector pop-up.

If there is no detector for the event, this section is not shown.

Impact

The impact value indicates the criticality of the detected threat and ranges from 1 to 100:

  • Threats that are 70 or above are considered to be critical.

  • Threats that are between 30 and 69 are considered to be medium-risk.

  • Threats that are between 1 and 30 are considered to be benign.

Action

A list of actions taken by the sensor (for example, any blocking activity, whether the event was logged, whether traffic was captured, or whether a malware download was extracted).

Outcome

The outcome of the event. In most cases, this is DETECTION.

For INFO events, and for events that were promoted from INFO status, an additional label gives the reason for the status or status change. Hover over the label to display a pop-up with further details about the reason.

First seen and Last seen

A timeline showing the timestamps at which the evidence was first and last seen.

The Duration is displayed below the graph.

Event verification

The Event verification section displays the following data:

Verification outcome

Indicates the event outcome. Possible values:

  • Blocked: The threat was blocked by VMware NSX Network Detection and Response or by a third-party application.

  • Failed: The threat failed to reach its goal, for example because the C&C server was offline or the attacker made coding errors.

  • Succeeded: The threat was verified to have reached its goal, for example its check-in to the C&C server completed and data was received from the malicious endpoint.

If the event outcome is unknown, this field is not displayed.

Verifier name

The name of the event verifier. Click the link to access the Verifier pop-up.

Verifier message

A message from the verifier that provides further information about the outcome, for example which third-party application blocked the threat.

Note:

If the event could not be verified, this section will not appear.

Event traffic

The Event traffic widget provides an overview of the traffic observed between the hosts involved in the event. At least one host involved in the event is a monitored host. The communicating host may be a monitored host or an external system. A link to view the Captured traffic is displayed, if the data is available.

The arrow indicates the traffic direction between the hosts.

For each host, the IP address is displayed. If the host is local, the address is a link that you can click to view the Host profile page. A geo-located flag icon, a home icon, or a network icon may be displayed; more than one may appear. If available, the host name is displayed. If available from DHCP traffic monitoring, the MAC address of the host is displayed. Any host tags applied to the host are displayed. Click the Intelligence icon to view host details in Intelligence. If available, click the globe icon to view host details in the WHOIS pop-up.

Event evidence

The Event evidence section lists various actions observed while analyzing the event. For more details, click the Event details link (angle-right icon) to view the Event evidence.

Actions include Signature, Reputation, Unusual behavior, File download, URL path match, Verification, Anomaly, and so on. Where a link is provided, click it to view the corresponding Detector pop-up. A Confidence value is displayed for each action.

Malware identification

A summary of the detected malware is displayed. For more details, click the Analyst report link (angle-right icon) to view the Analysis report.

Antivirus class

A label defining the antivirus class of the downloaded file.

Antivirus family

A label defining the antivirus family of the downloaded file.

Malware

A label defining the malware type of the downloaded file. If the label has a tag icon, you can click it for a pop-up description.

Behavior overview

The detected behaviors of the downloaded file. If there is a lot of data, a partial list is displayed by default. Click Expand for more to view the full list; click Collapse for less to hide it again.

Event URLs

The Event URLs section displays all the URLs detected in the event.

Event metadata

The Event metadata section displays the following data:

Sensor

The sensor that detected the event.

Related incident

Click the link to view the related incident, if one is available.

Connections

The number of connections included in the event.

Related campaign

Click the link to view the related campaign, if one is available.

Detected users

The Detected users section displays the list of users logged on to the host, if any records of logged-on users are available.