Evidence: Reputation sidebar

The Evidence sidebar is expanded by clicking an evidence link in the Evidence column of the Threats tab. Click the close icon to close the sidebar.

The evidence type of Reputation is displayed at the top of the sidebar.

Click the Explore button (Network pages icon), then select one of the options from the pull-down menu. These options are deep links into the Network explorer page (Kibana interface), providing access to all the information related to the reputation evidence.

Click the Ref event link to access the Network event details page and the full details of the associated event.

If available, a brief description of the evidence is provided.

Threat details

The Reputation sidebar has three different scopes:

  • Global: The reputation was matched against known malicious events in external databases.

  • Local: VMware NSX Network Detection and Response has previously encountered this event in your network.

  • Custom: The event reputation was determined by data or a process maintained in your environment.

The sidebar displays different fields depending on the scope and on whether the event reputation is derived from a domain name, an IP address, or a URL.

Domain/IP/URL

The domain name, IP address, or URL associated with the malicious event.

Threat

Name of the detected security risk.

Threat class

Name of the detected security risk class.

Confidence

Indicates the probability that the detected threat is malicious.

Impact

User-defined score for the detected threat.

Comment

User-supplied comment about the detected threat.

Source

User-supplied text describing the source of information about the detected threat.

First seen / Last seen

A graph with the timestamp from when the evidence was first and last seen.

The Duration is displayed below the graph.
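As an added illustration that is not part of the product documentation, the following Python models a reputation evidence record using the scopes and fields listed above and derives the Duration shown under the graph. The class, the 0-100 confidence range, and the URL/IP/domain classification are assumptions of this example, not the product's data model.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import urlsplit

SCOPES = {"global", "local", "custom"}  # the three sidebar scopes


def indicator_kind(value: str) -> str:
    """Classify an indicator as 'url', 'ip' or 'domain' (our own rule):
    a scheme marks a URL, a parseable address an IP, anything else a domain."""
    if "://" in value:
        return "url"
    try:
        ipaddress.ip_address(value.strip("[]"))
        return "ip"
    except ValueError:
        return "domain"


@dataclass
class ReputationEvidence:
    scope: str                   # Global, Local or Custom
    indicator: str               # Domain/IP/URL field
    threat: str                  # Threat
    threat_class: str            # Threat class
    confidence: int              # assumed 0-100 probability of being malicious
    first_seen: datetime
    last_seen: datetime
    impact: Optional[int] = None  # user-defined score (may be absent)
    comment: str = ""             # user-supplied
    source: str = ""              # user-supplied

    def __post_init__(self) -> None:
        self.scope = self.scope.lower()
        if self.scope not in SCOPES:
            raise ValueError(f"unknown scope: {self.scope!r}")
        if not 0 <= self.confidence <= 100:
            raise ValueError("confidence must be between 0 and 100")
        if self.last_seen < self.first_seen:
            raise ValueError("last seen precedes first seen")

    def duration(self) -> timedelta:
        """The Duration displayed below the first seen / last seen graph."""
        return self.last_seen - self.first_seen

    def host(self) -> str:
        """Host part of the indicator, usable for a WHOIS or traffic lookup."""
        if indicator_kind(self.indicator) == "url":
            return urlsplit(self.indicator).hostname or ""
        return self.indicator.strip("[]")


# Constructed sample record; the values are invented, not real evidence.
SAMPLE = ReputationEvidence(
    scope="Global", indicator="http://bad.example:8080/x",
    threat="Generic callback", threat_class="Malware", confidence=85,
    first_seen=datetime(2024, 1, 1, 10, 0), last_seen=datetime(2024, 1, 1, 12, 0))
```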

Traffic details

The Reference event traffic widget provides an overview of the traffic observed between the hosts involved in the referenced event. At least one host involved in the event is a monitored host. The communicating host may be a monitored host or an external system.

The arrow indicates the traffic direction between the hosts.

For each host, the IP address is displayed. If the host is local, the address is a link that you can click to view the Host profile page. A geo-located flag, home icon, or network icon may be displayed, and more than one may be displayed. If available, a host name is displayed. If available from DHCP traffic monitoring, the MAC address of the host is displayed. Any host tags applied to the host are displayed. Click the Intelligence pages icon to view host details in Intelligence. If available, click the globe icon to view host details in the WHOIS pop-up.

Local callback detection

The Local callback detection displays events on the local network that have been analyzed and determined to be malware. This detection uses local data rather than the system reputation database. Click the link to view the event details.

Intelligence

The Intelligence section displays information from the Knowledge Base about the threats that were found on the host. Click the More details link to access the Intelligence pages.

Each threat shown is followed by a concise summary. Hover over the help icon to access a descriptive pop-up containing more details about the threat. The threats are color coded: High risk threats are red, medium risk threats are orange, and low risk threats are green.

Important:

This section does not appear if you do not have a Knowledge Base license.

WHOIS summary

The WHOIS summary section displays key fields from the WHOIS record for the selected IP address or domain name. Click the More details link to access the WHOIS pop-up for more details about the IP address or domain.

Communicating with

The Communicating with section lists the internal hosts communicating with this host. Use the link to button to select either the Analysis report or the Network explorer page in which to view the communicating host.

For each host, the following is displayed:

  • The type of host.

  • The IP address of the host.

  • The host name or label.

  • The amount of data transferred between this host and the communicating host.