Events

The Events widget provides an overview of the individual events.

If the selected time range includes today (the default), the widget updates its list of events every 5 minutes. New events are highlighted in green; the color fades away after a few seconds.

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

Manually refresh the events list by clicking the Update now (redo icon) button.

Customize which columns are displayed in the list by clicking the additional content icon.

Customize the number of rows to be displayed. By default, 30 entries are shown. Up to 1000 events can be displayed; however, retrieving a large number of events may cause a noticeable delay. Use the left arrow (back) and right arrow (forward) icons to navigate through multiple pages.

Each row displays a summary of an event. Click anywhere on an entry row to access the event summary sidebar.

The list of events contains the following columns:

Timestamp

Indicates the start time of the event. The time is shown in the currently selected timezone.

The list is sorted by timestamp, by default in decreasing order (latest event at the top). Click the angle up icon to sort the list in increasing order (oldest event at the top), then click the angle down icon to toggle back to the default.

Host

The host in the monitored network that is involved in this event. Depending on your current Display settings, this column shows the host's IP address, host name, or label. Click the edit (edit) icon next to the host to open the Label/Silence host pop-up.

Sensor

Name of the sensor that generated the event.

Other IP

IP address and port of the remote host related to this event. For example, 203.0.113.115:80 indicates that the IP address 203.0.113.115 was contacted on port 80.

The system attempts to geo-locate the IP address. If it succeeds, a small flag icon indicates the country that probably hosts that IP address. A Local Network icon is shown instead for local hosts.

Other Host

The host name or IP address of the malicious/suspicious entry.

Threat

Name of the detected threat or security risk.

Threat Class

Name of the detected threat class.

Impact

The impact value indicates the criticality of the detected threat and ranges from 1 to 100:

  • 70 or above: the threat is considered critical.

  • 30 to 69: the threat is considered medium risk.

  • 1 to 29: the threat is considered benign.

If the stop icon appears, it indicates the artifact has been blocked.

Click the sort icon to sort the list by impact.

Verification outcome

Indicates the event outcome. Possible values:

  • Blocked: The threat was blocked by VMware NSX Network Detection and Response or by a third-party application.

  • Failed: The threat failed to reach its goal, for example because the C&C server was offline or the attacker made coding errors.

  • Succeeded: The threat was verified to have reached its goal, for example its check-in to the C&C server completed and data was received from the malicious endpoint.

If the event outcome is unknown, this field is blank.

Host tags

The tags assigned to the host in the monitored network.
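To apply the same triage logic to an exported list of events outside the widget (quick search across every field, newest-first ordering, the impact buckets, Other IP parsing with a local-network check, 30-row paging and the verification outcome), here is an added Python example. It is not code from VMware NSX Network Detection and Response; the field names, the constructed sample rows, the LOCAL_NETWORKS definition of "local" and the needs_attention() heuristic are assumptions.

```python
"""Offline triage of exported NSX NDR-style event rows.

Added example, not code from VMware NSX Network Detection and Response.
It reproduces the Events widget behaviour described above on a constructed
sample so the same logic can be applied to an exported event list.
Field names, sample rows, LOCAL_NETWORKS and needs_attention() are assumptions.
"""
import ipaddress
from datetime import datetime

# Constructed sample rows; not real telemetry. Remote addresses use the
# RFC 5737/3849 documentation ranges; 10/8 stands in for the monitored network.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T09:14:05+00:00", "host": "10.0.5.21", "sensor": "sensor-dc1",
     "other_ip": "203.0.113.115:80", "other_host": "update-check.example",
     "threat": "Trojan C&C check-in", "threat_class": "Command and Control",
     "impact": 85, "outcome": "Succeeded", "tags": ["finance"]},
    {"timestamp": "2024-05-01T09:20:41+00:00", "host": "10.0.5.22", "sensor": "sensor-dc1",
     "other_ip": "198.51.100.7:443", "other_host": "",
     "threat": "Suspicious TLS certificate", "threat_class": "Anomaly",
     "impact": 30, "outcome": "", "tags": ["dmz", "web"]},
    {"timestamp": "2024-05-01T08:55:12+00:00", "host": "10.0.5.30", "sensor": "sensor-dc2",
     "other_ip": "10.0.9.4:445", "other_host": "fileserver.corp.example",
     "threat": "SMB scan", "threat_class": "Reconnaissance",
     "impact": 12, "outcome": "Blocked", "tags": []},
    {"timestamp": "2024-05-01T09:31:00+00:00", "host": "10.0.5.23", "sensor": "sensor-dc1",
     "other_ip": "[2001:db8::10]:8443", "other_host": "",
     "threat": "Beaconing to unknown endpoint", "threat_class": "Command and Control",
     "impact": 95, "outcome": "Failed", "tags": ["finance"]},
]

# Assumed meaning of "local": RFC 1918, loopback, link-local and IPv6 ULA.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def impact_bucket(impact):
    """Documented buckets: 70 or above critical, 30 to 69 medium, 1 to 29 benign."""
    if not 1 <= impact <= 100:
        raise ValueError(f"impact must be 1..100, got {impact}")
    if impact >= 70:
        return "critical"
    if impact >= 30:
        return "medium"
    return "benign"

def parse_other_ip(value):
    """Split an Other IP cell such as '203.0.113.115:80' into (address, port, is_local).

    IPv6 is accepted in '[addr]:port' form; port is None when the cell has no port.
    """
    if value.startswith("["):               # [IPv6]:port
        addr, _, port = value[1:].partition("]:")
    elif value.count(":") == 1:             # IPv4:port
        addr, _, port = value.partition(":")
    else:                                   # bare IPv4 or bare IPv6 address
        addr, port = value, ""
    ip = ipaddress.ip_address(addr)
    is_local = any(ip in net for net in LOCAL_NETWORKS)
    return str(ip), (int(port) if port else None), is_local

def _field_text(value):
    # Tags are a list; join them so a tag name is searchable like any other field.
    return " ".join(value) if isinstance(value, list) else str(value)

def quick_search(rows, query):
    """As-you-type filter: keep rows where any field contains the query (case-insensitive)."""
    q = query.strip().lower()
    if not q:
        return list(rows)
    return [r for r in rows if any(q in _field_text(v).lower() for v in r.values())]

def sort_by_timestamp(rows, descending=True):
    """Default widget order is newest first; descending=False gives oldest first."""
    return sorted(rows, key=lambda r: datetime.fromisoformat(r["timestamp"]), reverse=descending)

def page(rows, page_number=1, page_size=30):
    """Return one page of rows; the widget allows 1 to 1000 rows per page, 30 by default."""
    if not 1 <= page_size <= 1000:
        raise ValueError("page_size must be between 1 and 1000")
    if page_number < 1:
        raise ValueError("page_number starts at 1")
    start = (page_number - 1) * page_size
    return rows[start:start + page_size]

def needs_attention(rows):
    """Assumed triage heuristic: unblocked critical events, plus medium events whose
    verification outcome is Succeeded, ordered by impact and then recency."""
    picked = [
        r for r in rows
        if r["outcome"] != "Blocked"
        and (impact_bucket(r["impact"]) == "critical"
             or (impact_bucket(r["impact"]) == "medium" and r["outcome"] == "Succeeded"))
    ]
    return sorted(picked, key=lambda r: (r["impact"], datetime.fromisoformat(r["timestamp"])),
                  reverse=True)

if __name__ == "__main__":
    # Page one of the newest-first view, filtered as the quick search field would.
    for r in page(sort_by_timestamp(quick_search(SAMPLE_EVENTS, "finance"))):
        addr, port, local = parse_other_ip(r["other_ip"])
        print(r["timestamp"], r["host"], impact_bucket(r["impact"]), addr, port,
              "local" if local else "remote", r["outcome"] or "unknown")
```

Run it directly to print the page-one view of the finance-tagged hosts. The boundary cases follow the thresholds given above: an impact of 30 is medium, 29 is benign, and 70 is critical; a blank outcome is treated as unknown, exactly as the widget leaves the field blank.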