Events tab
The Events tab displays information about detection events and info events.
Detection events
The Detection events list shows the events associated with the selected host. These events make up some of the incidents that are also listed for the host.
You can customize the number of rows displayed; the default is 30 entries. Use the page navigation icons to move through multiple pages.
You can customize the columns shown in the list by clicking the corresponding icon.
Each row displays a summary of one event. Click anywhere on a row to open the event summary sidebar.
The Detection events list contains the following columns:
- Timestamp
  The start time of the event, shown in the currently selected timezone.
  The list is sorted by timestamp, by default in decreasing order (latest event at the top). Click the sort icon to sort the list in increasing order (oldest event at the top), then click it again to return to the default.
- Host
  The host in the monitored network that is involved in this event. Depending on the choice made in the Display settings pop-up, this column shows the IP address, host name, or label of the host. Click the (edit) icon next to the host to open the Label/Silence host pop-up.
- Sensor
  Name of the sensor that generated the event.
- Other IP
  IP address and port of the remote host related to this event. For example, 203.0.113.115:80 indicates that the IP address 203.0.113.115 was contacted on port 80.
  The system attempts to geo-locate the IP address. If it succeeds, a small flag icon indicates the country in which the IP address is probably located. A Local Network icon is shown for hosts on the local network.
- Other Host
  The host name or IP address of the malicious or suspicious entry.
- Threat
  Name of the detected threat or security risk.
- Threat Class
  Name of the class the detected threat belongs to.
- Impact
  The impact value indicates how critical the detected threat is, on a scale from 1 to 100:
  - Threats scored 70 or above are considered critical.
  - Threats scored between 30 and 69 are considered medium-risk.
  - Threats scored below 30 are considered benign.
  If the icon appears next to the value, the artifact has been blocked.
  Click the sort icon to sort the list by impact.
- Verification outcome
  Indicates the outcome of the event. Possible values:
  - Blocked: The threat was blocked by VMware NSX Network Detection and Response or by a third-party application.
  - Failed: The threat failed to reach its goal, for example because the C&C server was offline or the attacker's code contained errors.
  - Succeeded: The threat was verified to have reached its goal, for example because its check-in to the C&C server completed and data was received from the malicious endpoint.
  If the outcome is unknown, this field is blank.
- Host tags
  The tags assigned to the host in the monitored network.
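As an added example (not part of the NSX Network Detection and Response documentation or product, and not using its API), the following Python triage helper applies the Impact thresholds and the Verification outcome values described above to a constructed list of event records that mirror the columns of the Detection events list. The record layout, the ranking of outcomes, and the IPv6 handling in the Other IP parser are assumptions that go beyond what the page shows; the sample events are constructed.

```python
"""Triage helper for Detection events as described on this page.

Added example: not NSX NDR code and not the product's export format.
The DetectionEvent records are a constructed stand-in for an exported
row (Timestamp, Host, Other IP, Threat, Impact, Verification outcome).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Impact thresholds from the page: 70-100 critical, 30-69 medium, 1-29 benign.
CRITICAL_MIN = 70
MEDIUM_MIN = 30


def impact_level(impact: int) -> str:
    """Map an Impact value (1..100) to the page's three risk bands."""
    if not 1 <= impact <= 100:
        raise ValueError(f"impact out of range 1..100: {impact}")
    if impact >= CRITICAL_MIN:
        return "critical"
    if impact >= MEDIUM_MIN:
        return "medium"
    return "benign"


def parse_other_ip(value: str) -> Tuple[str, Optional[int]]:
    """Split the 'Other IP' column ("203.0.113.115:80") into (ip, port).

    Also accepts a bare address (port None) and bracketed IPv6 such as
    "[2001:db8::1]:443"; the IPv6 form is an assumption, the page only
    shows IPv4:port.
    """
    value = value.strip()
    if value.startswith("["):                 # "[v6]:port"
        host, _, port = value[1:].partition("]:")
        return host, (int(port) if port else None)
    if value.count(":") == 1:                 # "v4:port"
        host, _, port = value.partition(":")
        return host, int(port)
    return value, None                        # bare v4 or bare v6


@dataclass
class DetectionEvent:
    timestamp: str      # ISO 8601 in UTC, e.g. "2024-03-05T10:02:11Z"
    host: str           # monitored host (Host column)
    other_ip: str       # Other IP column, "ip:port"
    threat: str         # Threat column
    impact: int         # Impact column, 1..100
    outcome: str        # "Blocked", "Failed", "Succeeded" or "" (unknown)


# Triage order (assumption): a verified success first, then unknown outcomes
# (blank field, still needs a look), then failures, then blocked events.
OUTCOME_RANK = {"Succeeded": 0, "": 1, "Failed": 2, "Blocked": 3}


def needs_attention(ev: DetectionEvent) -> bool:
    """Events a responder should open first: not blocked, at least medium."""
    return ev.outcome != "Blocked" and impact_level(ev.impact) != "benign"


def triage_key(ev: DetectionEvent):
    ts = datetime.fromisoformat(ev.timestamp.replace("Z", "+00:00"))
    # Best outcome rank first, then highest impact, then newest event.
    return (OUTCOME_RANK.get(ev.outcome, 1), -ev.impact, -ts.timestamp())


def triage(events: List[DetectionEvent]) -> List[DetectionEvent]:
    return sorted((e for e in events if needs_attention(e)), key=triage_key)


def summarize(events: List[DetectionEvent]):
    """Rows of (host, threat, level, outcome, remote ip, remote port)."""
    rows = []
    for ev in triage(events):
        ip, port = parse_other_ip(ev.other_ip)
        rows.append((ev.host, ev.threat, impact_level(ev.impact),
                     ev.outcome or "unknown", ip, port))
    return rows


# Constructed sample events (not real detections).
SAMPLE_EVENTS = [
    DetectionEvent("2024-03-05T10:02:11Z", "10.0.0.12", "203.0.113.115:80",
                   "C&C check-in", 85, "Succeeded"),
    DetectionEvent("2024-03-05T10:05:40Z", "10.0.0.12", "198.51.100.7:443",
                   "C&C check-in", 85, "Blocked"),
    DetectionEvent("2024-03-05T09:40:00Z", "10.0.0.33", "[2001:db8::1]:443",
                   "Suspicious TLS certificate", 45, ""),
    DetectionEvent("2024-03-05T09:10:00Z", "10.0.0.33", "203.0.113.9",
                   "Port scan", 12, "Failed"),
    DetectionEvent("2024-03-05T11:00:00Z", "10.0.0.50", "192.0.2.44:8080",
                   "Beacon", 92, "Failed"),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
```

The ordering deliberately puts a Succeeded event above a Failed one with a higher impact, and drops Blocked and benign events entirely, so the first rows are the ones where the threat was verified to have reached its goal.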
Info events
The Info events list shows INFO events associated with the selected host. The Info events list contains the same columns as the Detection events list.