Threats tab
On the Threats tab, detected threats are represented by threat cards. A threat card displays the calculated threat score, the threat name and class, the detection outcome (if available), the threat status, and other actions. If available, the campaign to which this threat is connected is displayed. Expand the card to see its related evidence.
Sort the threat cards with the pull-down menu. Select from Most recent, Earliest, Highest impact (the default), and Lowest impact.
The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.
Toggle the Show closed threats button to filter the displayed threat cards by threat status. The default is to show all threats.
Threat cards
The Threat cards show all the threats associated with the selected host and their corresponding threat levels.
Each card displays the calculated threat impact, the threat name, the threat class, and if available, the detection outcome. It also shows the status of the threat: Open or Closed.
Click the Next steps button and select an action from the pull-down menu. Select from Close to close the threat (Open to reopen a closed threat) or Manage alert to create an alert management rule from the threat.
The Evidence summary: section contains an overview of the evidence and other data detected for the threat. Click the icon (or almost anywhere else in the card) to expand the evidence details.
If campaign data connected to this threat is available, Campaign: with a link to the Campaign summary sidebar is displayed.
Evidence details
The Evidence column lists each piece of evidence by its type (file download, signature, and so on) along with a timestamp of when the evidence was seen.
- If the evidence type is Anomaly, click the link to expand the Evidence: Anomaly sidebar.
- If the evidence type is File download, click the link to expand the Evidence: File download sidebar.
- If the evidence type is Reputation, click the link to expand the Evidence: Reputation sidebar.
- If the evidence type is Signature, click the link to expand the Evidence: Signature sidebar.
- If the evidence type is Verification, click the link to expand the Evidence: Verification sidebar.
The Network interactions & network IOCs column displays the IP address or domain name of external hosts. Click the link to expand the Network interaction sidebar. Click the icon to view the host in Intelligence.
The Supporting data column provides a link to the detected events as well as a link to the threat details.
Detection outcomes
Threat detection event outcomes have four possible values, listed in order of severity:
- Succeeded — The threat was verified to have reached its goal. For example, its check-in to the C&C server completed and data was received from the malicious endpoint.
- Failed — The threat failed to reach its goal. This could be caused by the C&C server being offline, the attacker having made coding errors, and so on.
- Blocked — The threat was blocked by VMware NSX Network Detection and Response or by a third-party application.
If the event outcome is unknown, this field is not displayed.
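The following is an added example, not code from VMware NSX Network Detection and Response, that models the behaviour described on this page for the Threats tab (the four sort modes with Highest impact as the default, the quick search that matches text in any field, the Show closed threats toggle, the Next steps Close/Open actions) and the detection-outcome ordering above (Succeeded, Failed, Blocked, with an unknown outcome not displayed). The ThreatCard fields, the helper functions and the sample cards are all constructed for illustration; a practitioner might use a model like this to triage threats exported from the product outside the console.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone
from typing import List, Optional

# Detection outcomes in the page's order of severity (most severe first).
# None stands for "unknown": it is never displayed on a card, so it ranks last.
OUTCOME_SEVERITY = {"Succeeded": 0, "Failed": 1, "Blocked": 2, None: 3}


@dataclass(frozen=True)
class ThreatCard:
    """One threat card as shown on the Threats tab (constructed model)."""
    name: str
    threat_class: str
    impact: int                      # calculated threat score
    first_seen: datetime             # earliest evidence timestamp
    status: str = "Open"             # "Open" or "Closed"
    outcome: Optional[str] = None    # Succeeded / Failed / Blocked; None = unknown
    campaign: Optional[str] = None   # campaign link, if any
    evidence: List[str] = field(default_factory=list)  # evidence type names

    def searchable_text(self) -> str:
        """Quick search matches any field, so flatten every field into one string."""
        parts = [self.name, self.threat_class, str(self.impact), self.status,
                 self.outcome or "", self.campaign or "", *self.evidence]
        return " ".join(parts).lower()

    def displayed_outcome(self) -> Optional[str]:
        """Unknown outcomes are not shown on the card."""
        return self.outcome


# Sort menu entries: (sort key, descending?)
SORT_MODES = {
    "Most recent": (lambda c: c.first_seen, True),
    "Earliest": (lambda c: c.first_seen, False),
    "Highest impact": (lambda c: c.impact, True),
    "Lowest impact": (lambda c: c.impact, False),
}


def sort_cards(cards, mode="Highest impact"):
    """Order cards by one of the pull-down menu modes (default: Highest impact)."""
    key, descending = SORT_MODES[mode]
    return sorted(cards, key=key, reverse=descending)


def quick_search(cards, query):
    """As-you-type filter: keep cards whose text in any field contains the query."""
    q = query.strip().lower()
    if not q:
        return list(cards)
    return [c for c in cards if q in c.searchable_text()]


def filter_by_status(cards, show_closed=True):
    """Show closed threats toggle; the default shows all threats."""
    return list(cards) if show_closed else [c for c in cards if c.status == "Open"]


def rank_by_outcome(cards):
    """Order cards by detection outcome severity, unknown outcomes last."""
    return sorted(cards, key=lambda c: OUTCOME_SEVERITY[c.outcome])


def apply_next_step(card, action):
    """Next steps menu: Close a threat or reopen a closed one (returns a new card)."""
    if action == "Close":
        return replace(card, status="Closed")
    if action == "Open":
        return replace(card, status="Open")
    raise ValueError(f"unsupported action: {action}")


def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample cards (not real detections).
SAMPLE_CARDS = [
    ThreatCard("Beacon to external host", "Command & Control", 90, _ts("2024-03-01T10:00:00"),
               outcome="Succeeded", campaign="Sample campaign",
               evidence=["Network interaction", "Signature"]),
    ThreatCard("Suspicious download", "Malicious file", 60, _ts("2024-03-03T08:30:00"),
               outcome="Blocked", evidence=["File download", "Reputation"]),
    ThreatCard("Anomalous DNS volume", "Anomaly", 30, _ts("2024-02-28T12:15:00"),
               status="Closed", evidence=["Anomaly"]),
    ThreatCard("Failed C&C check-in", "Command & Control", 75, _ts("2024-03-02T09:00:00"),
               outcome="Failed", evidence=["Network interaction"]),
]


if __name__ == "__main__":
    for card in sort_cards(filter_by_status(SAMPLE_CARDS, show_closed=False)):
        print(card.impact, card.name, card.displayed_outcome() or "")
```

Sorting, searching and the status toggle are kept as separate pure functions so they compose in the same order the console applies them (status filter, then quick search, then sort); apply_next_step returns a new card rather than mutating, which keeps the triage view reproducible.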