Matching results page

The Matching results page displays all the matches triggered by the user-created matching rules.

Filters

An easy-to-use filtering mechanism is provided that allows you to focus on the information that you are interested in. Click the plus icon to expand the Filters widget.

Note:

The use of filters is optional.

Click Filter by and select an item from the pull-down menu. Select from Analyst UUID, Match UUID, Minimum impact, Rule UUID, or Score.

You can combine multiple filters to narrow the focus. You can also deploy multiple instances of some filters.

Delete an individual filter by clicking the Remove (minus) icon next to its entry. Delete all the selected filters by clicking the cancel/close icon; this also collapses the Filters widget.

Click Apply (the reload icon) to apply the selected filters. Filters are not applied until you do so.

Analyst UUID

Restrict displayed results to a single analysis UUID, the unique identifier that VMware NSX Network Detection and Response assigns to the analysis of a submission.

Match UUID

Restrict displayed results to the match UUID. This is a unique identifier for the match.

Minimum impact

Restrict displayed results to matches whose impact is at or above the selected value. The range is 1 to 100.

Rule UUID

Restrict displayed results to the rule UUID. This is a unique identifier for the rule.

Score

Restrict displayed results to the selected score. Select Malicious, Suspicious, or Benign.

Matches list

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

The columns to be displayed in the list can be customized by clicking the additional content icon.

Customize the number of rows to be displayed. The default is 25 entries. Use the left arrow (back) and right arrow (forward) icons to navigate through multiple pages.

Each row summarizes the analysis record that triggered a matching rule. Click the plus icon (or anywhere on an entry row) to expand a detailed view of that match.

The list contains the following columns:

Timestamp

Indicates when the analysis record was created. The time is shown in the currently selected timezone.

The list is sorted by timestamp, by default in decreasing order (latest at the top). Click the angle up icon to sort the list in increasing order (oldest at the top). Click the angle down icon to toggle to the default.
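As an added example (not code from the VMware NSX Network Detection and Response product or its documentation), the following Python models the filter, quick-search, sort and paging behaviour described above over constructed sample match records. The field names, the sample data, and the assumption that several instances of the same filter are combined with OR while different filter types are combined with AND, are mine and are not stated by the page.

```python
"""Offline model of the Matching results list (added example, not NSX NDR code).

Assumptions (not from the documentation): field names, the sample records,
OR between instances of the same filter, AND between different filters.
"""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Optional

SCORES = ("Malicious", "Suspicious", "Benign")  # the three Score filter values


@dataclass(frozen=True)
class Match:
    timestamp: datetime   # when the analysis record was created (UTC here)
    match_uuid: str
    analyst_uuid: str
    rule_uuid: str
    rule_title: str
    md5: str
    sample_type: str
    size: int
    av_label: str
    score: str            # one of SCORES
    impact: int           # 1..100


@dataclass
class Filters:
    """Each set holds every instance of that filter the user added."""
    analyst_uuids: set[str] = field(default_factory=set)
    match_uuids: set[str] = field(default_factory=set)
    rule_uuids: set[str] = field(default_factory=set)
    scores: set[str] = field(default_factory=set)
    minimum_impact: Optional[int] = None

    def validate(self) -> None:
        if self.minimum_impact is not None and not 1 <= self.minimum_impact <= 100:
            raise ValueError("Minimum impact must be in the range 1 to 100")
        unknown = self.scores - set(SCORES)
        if unknown:
            raise ValueError(f"unknown score value(s): {sorted(unknown)}")


def _ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample data; UUIDs and hashes are placeholders, not real records.
SAMPLE_MATCHES = [
    Match(_ts("2024-05-01T10:00:00"), "m-0001", "a-1111", "r-aaaa", "Dropper in archive",
          "d41d8cd98f00b204e9800998ecf8427e", "zip", 2048, "Trojan.Generic", "Malicious", 90),
    Match(_ts("2024-05-01T11:30:00"), "m-0002", "a-2222", "r-aaaa", "Dropper in archive",
          "9e107d9d372bb6826bd81d3542a419d6", "exe", 51200, "", "Suspicious", 55),
    Match(_ts("2024-05-02T09:15:00"), "m-0003", "a-3333", "r-bbbb", "Macro document",
          "e4d909c290d0fb1ca068ffaddf22cbd0", "docm", 30000, "Heur.Macro", "Malicious", 70),
    Match(_ts("2024-05-02T12:45:00"), "m-0004", "a-4444", "r-cccc", "Clean installer",
          "098f6bcd4621d373cade4e832627b4f6", "msi", 900000, "", "Benign", 10),
]


def passes_filters(m: Match, f: Filters) -> bool:
    """AND across filter types; OR across instances of one type (assumption)."""
    if f.analyst_uuids and m.analyst_uuid not in f.analyst_uuids:
        return False
    if f.match_uuids and m.match_uuid not in f.match_uuids:
        return False
    if f.rule_uuids and m.rule_uuid not in f.rule_uuids:
        return False
    if f.scores and m.score not in f.scores:
        return False
    if f.minimum_impact is not None and m.impact < f.minimum_impact:
        return False
    return True


def quick_search_hit(m: Match, query: str) -> bool:
    """Case-insensitive substring match against the text of any field."""
    q = query.strip().lower()
    if not q:
        return True
    return any(q in str(value).lower() for value in asdict(m).values())


def list_matches(rows, f: Optional[Filters] = None, query: str = "",
                 ascending: bool = False, page: int = 1, page_size: int = 25):
    """Apply filters, then quick search, sort by timestamp, and page the result.

    Default order is newest first, 25 rows per page, as on the results page.
    """
    f = f or Filters()
    f.validate()
    hits = [m for m in rows if passes_filters(m, f) and quick_search_hit(m, query)]
    hits.sort(key=lambda m: m.timestamp, reverse=not ascending)
    start = (page - 1) * page_size
    return hits[start:start + page_size]


def match_ids(rows) -> list[str]:
    return [m.match_uuid for m in rows]


if __name__ == "__main__":
    high = Filters(scores={"Malicious"}, minimum_impact=80)
    print(match_ids(list_matches(SAMPLE_MATCHES, high)))          # ['m-0001']
    print(match_ids(list_matches(SAMPLE_MATCHES, query="macro")))  # ['m-0003']
```

Because the quick search runs over every field, a query such as a partial MD5 or an antivirus label fragment finds rows without first choosing a column, whereas the Filters widget only narrows on the five fields listed above.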

MD5

The MD5 hash of the analyzed sample.

Rule title

The title of the matching rule that triggered this match.

Type

The type of the analyzed sample (for details, refer to Supported artifacts).

Size

The size of the analyzed sample.

Antivirus label

The antivirus classification of the analyzed sample, if one is available.

Score

The analysis score for the sample. Click the link icon to open the analysis report in a new browser tab.

Match details

The match details view expands in place within the matches list. It contains a summary of the analysis record, followed by two detail blocks. The summary lists:

  • Timestamp The time at which the analysis record was created.

  • Match UUID The unique identifier for the match.

  • Analyst UUID The unique identifier for the analysis report.

  • MD5 The MD5 hash of the analyzed sample.

  • SHA1 The SHA1 hash of the analyzed sample.

  • Type The type of the analyzed sample (for details, refer to Supported artifacts).

  • Size The size of the analyzed sample.

  • Antivirus label The antivirus classification of the sample.

  • Score The analysis score for the sample.

  • Rule UUID The unique identifier for the rule.

  • Rule Title The name of the matching rule.

  • Rule The full text of the rule.

The two detail blocks are the Analysis overview block and the Threat level block, as shown on the Overview tab of the Analysis report.