All URLs tab

URLs over time widget

The URLs over time widget provides an overview of the URLs that were visited over the Web and were analyzed by the system. The graph is a daily columns chart of URLs, grouped by maliciousness.

There are three different types of threats:

• Malicious URLs have been determined to be critical. These URLs are displayed in red.

• Suspicious URLs have been determined to be of medium risk. The threats they contain, while indicating a potential risk, do not need immediate attention. These URLs are displayed in orange.

• Benign URLs are considered low or no risk. These URLs are displayed in blue.

Filters

Click Filter by and select an item from the pull-down menu. Select from Analysis status, Analysis tags, Analyst UUID, Contacted IP, Home network, Host IP, HTTP Host, MD5 hash, Minimum score, URL, or Silenced.

Include not analyzed subjects

If set to Include, the search will also match URLs that were deemed benign and therefore have not been analyzed. The default behavior is to skip such pages.

Analysis tags

Restrict displayed URLs by their analysis tags> These are labels assigned to a file or URL by the analysis. They can identify a threat or threat class, or refer to specific malicious behavior that was detected.

Analyst UUID

Restrict displayed URLs to the VMware NSX Network Detection and Response analysis UUID. This is an internal unique identifier for the analysis of a URL.

Contacted IP

Restrict displayed URLs to the IP address from which the file was downloaded. Like the Host IP filter, this supports IP addresses, CIDR blocks, or IP address ranges.

Home network

Restrict the search to either include only unidentified networks or home networks. Ensure that the home network is configured properly for each sensor or sensor group.

Host IP

Restrict displayed URLs to the IP address of the host in the network that visited the page. This filter supports selecting one or more IP addresses, CIDR blocks (for example, 192.168.0.0/24), or IP address ranges (for example, 1.1.1.5-1.1.1.9).

HTTP Host

Restrict displayed URLs to the host name(s).

Note:

This value is extracted from the HTTP Host header in the HTTP request that downloaded the file. Therefore, it is under the control of the client and can be spoofed by a malicious software, such as a malware binary already running on an infected host.

MD5 hash

Restrict displayed URLs to the MD5 hash of the visited page.

Minimum score

Restrict displayed URLs to those assigned a score greater than your chosen value (from 1 to 100) by the VMware NSX Network Detection and Response analysis.

URL

Restrict display to the provided URL.

Silenced

Restrict displayed URLS to those silenced.

URLs list

The URLs list displays the URLs that have been viewed by hosts in the network and processed by the analysis tools.

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

The columns to be displayed in the list can be customized by clicking the icon.

Customize the number of rows to be displayed. The default is 20 entries. Use the and icons to navigate through multiple pages.

Each row is a summary of an analyzed URL. Click the icon (or anywhere on an entry row) to access a detailed view of the URL.

The list is sorted by detection and includes the following fields:

Detection

Date and time of the detection.

Timestamp

Date and time when the page has been visited.

Host

The internal host that visited the page.

Sensor

The appliance that recorded the traffic.

Contacted IP

The host that served the page.

URL

The full URL used to access the page.

Referrer

The value extracted from the HTTP Referer header, representing the page that linked to the current one, when available (None otherwise).

Score

The score attributed to the page after analysis.

If the icon appears, it indicates the artifact has been blocked.

Click to sort the list by score.