Incidents page

The Incidents page contains widgets to inspect, manage, and prioritize the incidents reported by VMware NSX Network Detection and Response. It consists of a number of tabs:

  • The All tab displays the incidents and their different threat ratings.

  • The Comments tab displays comments that have been made on the various incidents.

At the top of the page is the portal settings widget.

When reporting threats, the system classifies them as incidents. An incident represents a security-related activity that has occurred in the monitored network. For example, an incident report may contain all the details about a malware infection (such as the ZeuS trojan that targets online banking applications of many financial institutions) and which machines have been infected in the network.

VMware NSX Network Detection and Response does more than report security events. An incident may consist of a single event, or of a number of events that the system threat engine has automatically correlated and determined to be closely related. For example, the incident page may report all outgoing connections to the command and control channel of the malware, all suspicious DNS lookups (for example, requests for automatically generated malware-related domains), and in-depth descriptions of each registered security event.

The incident pages allow you to:

  • Efficiently keep track of all incidents that are occurring.

  • Quickly see a list of affected hosts.

  • Prioritize threats according to their impact and severity levels using different views.

  • Gain an in-depth understanding of the events that have been registered for each incident, and access threat and mitigation descriptions.

  • Close or open incidents.

  • Mark or clear affected hosts as being cleaned.

  • Filter reported threats for specific hosts.