Incident details

The incident details view is expanded within the incident list.

There are a number of buttons along the top of the incident details:

  • Click the archive button to close the incident.

  • Use the Action pull-down menu to perform an action on the incident:

    • If the incident is not yet closed, select Close incident archive , otherwise select Open incident.

    • If the incident is not yet read, select Mark as read, otherwise select Mark as unread.

    • Select Ignore threat. The threat details are listed in the menu item. Selecting this item indicates that the presence of this particular threat on the host is not of interest. Therefore, all incidents where this threat is detected on this host are closed automatically.

    • Select Mark host <host> as cleaned. The system marks the host that is involved in the incident as cleaned. As a result, all incidents on that host are closed.

  • Click the checkbox Label/Silence host button to create a label and silence IP address range in the Silenced IP ranges pop-up.

  • Click details View incident details displays the contents of the incident details view plus some additional evidence in a new page.

  • Click the Manage alert button to launch the Manage alert sidebar. Use this feature to suppress or demote harmless events associated with the specified incident, such as the system Test or Blocking related incidents.

  • Click comment/feedback Comments to view or add comments.

  • Click unread Mark as read to mark the incident. The button toggles to read Mark as unread which allows you to revert its read status.

Incident summary

The top section provides a visual overview of the detected threat and displays its impact score.

Incident details

The incident details widget displays detailed network information about the incident. It includes the following data:

  • Source IP The IP address of the incident source. Click the details icon to view the Activity for host page. Click the Investigations pages icon icon to view the source in the Network analysis page page.

  • Source host If available, the FQDN of the incident source.

  • Events The number of events that make up this incident.

  • Incident ID A permalink to the Incident profile page. The link opens in a new browser tab/window.

  • Campaign ID A permalink to the campaigns page. The link opens in a new browser tab.

  • Impact The Impact score applied by the system to this incident.

  • Start time A timestamp for the beginning of the incident.

  • End time A timestamp for the last recorded event of the incident.

  • Status Shows if the incident has been closed.

Evidence

The Evidence list widget displays the events detected by the system.

Customize the number of rows to be displayed. The default is 10 entries. Use the left arrow (back) and right arrow (forward) icons to navigate through multiple pages.

The columns to be displayed in the list can be customized by clicking the additional content icon.

Each row is a summary of an evidence entry. Click the plus icon (or anywhere on an entry row) to access the evidence details.

The list includes the following fields:

First seen

Timestamp from when this event was first seen.

Last seen

Timestamp from when this event was last seen.

Threat

Name of the detected security risk.

Threat class

Name of the detected security risk class.

Impact

The Impact score applied to this incident.

Evidence

The evidence category of this incident. The title of the evidence details block is derived from the category name.

Subject

The artifact, typically a file, that is being analyzed.

Reference

A permalink to the event page. The link opens in a new browser tab.

Evidence details

The title of the evidence details block is derived from the Evidence, for example, Reputation evidence.

This section displays detailed information about the evidence. It includes the following data:

  • Threat Name of the detected security risk.

  • Threat class Name of the detected security risk class.

  • Impact The Impact score applied to this incident.

  • Detector If present, displays the VMware NSX Network Detection and Response module that identified the threat. Click the link to view the Detector pop-up.

  • View network event A permalink to the event page. The link opens in a new browser tab.

  • First seen Timestamp from when this event was first seen.

  • Last seen Timestamp from when this event was last seen.

  • Severity An estimate of how critical the detected threat is. For example, a connection to a command and control server is typically considered high severity as the connection is potentially damaging.

  • Confidence Indicates the probability that the detected individual threat is indeed malicious. As the system uses advanced heuristics to detect unknown threats, in some cases, the detected threat may have a lower confidence value if the volume of information available for that specific threat is limited.

  • Subject If present, displays the artifact, typically a file, that is being analyzed.

See About evidence for further details.