To get started with the Security Intelligence features, you must activate Security Intelligence and then familiarize yourself with the Security Intelligence user interface.

Overview

Security Intelligence is a modern application hosted on the VMware NSX® Application Platform, a platform based on a microservices architecture.

Security Intelligence provides the following capabilities.

  • A visualization of the security posture of your VMware NSX® environment. The visualization uses the network traffic flows aggregated within the time period specified (the default is 5 minutes).

  • Assistance with microsegmentation planning through Security Intelligence firewall rule recommendations that use network traffic analytics with enforcement on security policies.

  • The NSX Suspicious Traffic functionality, which uses network traffic analytics to detect suspicious network traffic activities occurring in your NSX 3.2 or later environment.

Prerequisites

Before you can use the Security Intelligence features through the NSX Manager UI, the following prerequisites must be met.

  1. Deploy the NSX Application Platform and activate the Security Intelligence feature on that platform.

  2. Configure the hosts or clusters of hosts from which Security Intelligence collects network traffic data.

    By default, the Security Intelligence feature collects network traffic data from all known hosts and clusters of hosts in your NSX environment.

For more information, refer to the Activating and Upgrading VMware Security Intelligence guide delivered with the Security Intelligence documentation set.

Start Using Security Intelligence

After you activate and configure the Security Intelligence application, the visualization, recommendation, and suspicious traffic functionalities become available in the NSX Manager UI.

  • The Plan & Troubleshoot > Dashboard displays a summary of the latest security posture, flow trends, a summary of detected suspicious traffic events, any pending actions or current settings that might require your attention, and additional insights into the top traffic flows detected. See Using the Security Intelligence Dashboard.

  • To see the visualized NSX entities and the traffic flows that occurred between them, click Plan & Troubleshoot > Discover & Take Action. See Understanding the Views and Flows in Security Intelligence.

  • To obtain distributed firewall (DFW) policy recommendations for microsegmentation planning, use Plan & Troubleshoot > Recommendations. See Working with Security Intelligence Recommendations.

  • To use the NSX Suspicious Traffic feature to perform network traffic analysis and detect suspicious traffic events, click Security > Suspicious Traffic. If the VMware NSX® Network Detection and Response™ feature is also activated, detected suspicious events are flagged and sent to the VMware NSX® Advanced Threat Prevention service. If the service finds the detected events to be related, those events are correlated into a campaign that you can investigate further using the NSX Network Detection and Response user interface. See Detecting Suspicious Traffic Events in NSX for details.

Get familiar with the Security Intelligence user interface using the information provided in this section.