Incident profile page

The Incident profile page displays an expanded view of the Incident details in a new browser tab/window.

There are a number of buttons along the top of the incident details:

  • Click the archive button to close the incident.

  • Use the Action pull-down menu to perform an action on the incident:

    • If the incident is not yet closed, select Close incident archive , otherwise select Open incident.

    • If the incident is not yet read, select Mark as read, otherwise select Mark as unread.

    • Select Ignore threat. The threat details are listed in the menu item. Selecting this item indicates that the presence of this particular threat on the host is not of interest. Therefore, all incidents where this threat is detected on this host are closed automatically.

    • Select Mark host <host> as cleaned. The system marks the host that is involved in the incident as cleaned. As a result, all incidents on that host are closed.

  • Click the checkbox Label/Silence host button to create a label and silence IP address range in the Silenced IP ranges pop-up.

  • Click details View incident details displays the contents of the incident details view plus some additional evidence in a new page.

  • Click the Manage alert button to launch the Manage alert sidebar. Use this feature to suppress or demote harmless events associated with the specified incident, such as the system Test or Blocking related incidents.

  • Click comment/feedback Comments to view or add comments.

  • Click unread Mark as read to mark the incident. The button toggles to read Mark as unread which allows you to revert its read status.

Incident summary

The top section provides a visual overview of the detected threat and displays its impact score.

Incident details

The incident details widget displays detailed network information about the incident. It includes the following data:

  • Source IP The IP address of the incident source. Click the details icon to view the Activity for host page. Click the Investigations pages icon icon to view the source in the Network analysis page page.

  • Source host If available, the FQDN of the incident source.

  • Events The number of events that make up this incident.

  • Incident ID A permalink to the Incident profile page. The link opens in a new browser tab/window.

  • Campaign ID A permalink to the campaigns page. The link opens in a new browser tab.

  • Impact The Impact score applied by the system to this incident.

  • Start time A timestamp for the beginning of the incident.

  • End time A timestamp for the last recorded event of the incident.

  • Status Shows if the incident has been closed.

Evidence

The Evidence list widget displays the events detected by the system.

Customize the number of rows to be displayed. The default is 10 entries. Use the left arrow (back) and right arrow (forward) icons to navigate through multiple pages.

The columns to be displayed in the list can be customized by clicking the additional content icon.

Each row is a summary of an evidence entry. Click the plus icon (or anywhere on an entry row) to access the evidence details.

The list includes the following fields:

First seen

Timestamp from when this event was first seen.

Last seen

Timestamp from when this event was last seen.

Threat

Name of the detected security risk.

Threat class

Name of the detected security risk class.

Impact

The Impact score applied to this incident.

Evidence

The evidence category of this incident. The title of the evidence details block is derived from the category name.

Subject

The artifact, typically a file, that is being analyzed.

Reference

A permalink to the event page. The link opens in a new browser tab.

Evidence details

The title of the evidence details block is derived from the Evidence, for example, Reputation evidence.

This section displays detailed information about the evidence. It includes the following data:

  • Threat Name of the detected security risk.

  • Threat class Name of the detected security risk class.

  • Impact The Impact score applied to this incident.

  • Detector If present, displays the VMware NSX Network Detection and Response module that identified the threat. Click the link to view the Detector pop-up.

  • View network event A permalink to the event page. The link opens in a new browser tab.

  • First seen Timestamp from when this event was first seen.

  • Last seen Timestamp from when this event was last seen.

  • Severity An estimate of how critical the detected threat is. For example, a connection to a command and control server is typically considered high severity as the connection is potentially damaging.

  • Confidence Indicates the probability that the detected individual threat is indeed malicious. As the system uses advanced heuristics to detect unknown threats, in some cases, the detected threat may have a lower confidence value if the volume of information available for that specific threat is limited.

  • Subject If present, displays the artifact, typically a file, that is being analyzed.

See About evidence for further details.

Events

The Events section displays detailed information about the events. It includes the following data:

Timestamp

Indicates the start time of the event. The time is shown in the currently selected timezone.

The list is sorted by timestamp, by default in decreasing order (latest event at the top). Click the angle up icon to sort the list in increasing order (oldest event at the top), then click the angle down icon to toggle back to the default.

Host

The host in the monitored network that is involved in this event. This column will display the IP address, host name, or label of the host, depending on your current Display settings pop-up. Click the edit (edit) icon next to the host to open the Label/Silence host pop-up.

Sensor

Name of the sensor that generated the event.

Other IP

IP address and port of the host that is related to this event. For example, 203.0.113.115:80 indicates that the IP address 203.0.113.115 was contacted on port 80.

The system attempts to geo-locate the IP address. If it succeeds, a small flag icon indicates the country that possibly hosts that IP address. A Local Network icon is used for local hosts.

Other Host

The host name or IP address of the malicious/suspicious entry.

Threat

Name of the detected threat or security risk.

Threat Class

Name of the detected threat class.

Impact

The impact value indicates the critical level of the detected threat and ranges from 1 to 100:

  • Threats that are 70 or above are considered to be critical.

  • Threats that are between 30 and 69 are considered to be medium-risk.

  • Threats that are between 1 and 30 are considered to be benign.

If the stop icon appears, it indicates the artifact has been blocked.

Click the sort icon to sort the list by impact.

Verification outcome

Indicates the event outcome. Possible values:

  • Blocked: The threat was blocked by the VMware NSX Network Detection and Response or by a third party application.

  • Failed: The threat failed to reach its goal. This could be caused by the C&C server being offline, the attacker made coding errors, etc.

  • Succeeded: The threat was verified to have reached its goal. This could be its check-in attempt to the C&C server completed and data was received from the malicious endpoint.

If the event outcome is unknown, this field is blank.

Host tags

The tags assigned to the host in the monitored network.

Threat description

The Threat description section provides a detailed description of the threat associated with the incident.