AppDefense is a security product for protecting your organization’s workloads. Built in to the infrastructure, AppDefense ensures that applications behave only as intended by monitoring for and preventing anomalies that can be attacks on the environment. Unlike traditional application control solutions, AppDefense leverages an offsite verification engine to pre-analyze every deviation so that it sends only the alerts that matter to the security team. AppDefense is simple and easy to insert, leveraging existing lifecycle management workflows, resulting in a true agentless experience.

AppDefense provides four basic functions:

  • Application control: AppDefense provides application control by first assigning virtual machines to a scope and a service. A scope is the representation of an application. A scope is made up of multiple services. A service represents an application tier. All VMs within a service are expected to be homogeneous and have the exact same allowed behavior/rules. Scopes and their services are the foundational components that establish what the intended state (allowed behaviors) of an application or virtual machine (VM) in the data center is. Scopes can also be created dynamically through integrations with automation tools such as Puppet.
  • Process analysis: Once AppDefense has established the known state and allowed behaviors for the application, AppDefense verifies that the learned behavior is ‘known good’ with an autonomous verification engine.
  • Anomaly detection: After creating the intended state, AppDefense monitors for deviations from that state, alerting on and preventing anomalies that can be attacks on the environment. Examples include unknown process execution, unknown command-line arguments, unknown network connections, or open ports.
  • Response and remediation: When an anomalous event occurs and the application's behavior deviates from the known state, AppDefense responds to potential threats by triggering a response. The response is configurable, with responses ranging from a simple alert, to isolating the VM, to shutting it down completely. AppDefense includes an orchestration capability that can remediate threats in real time with no administrator oversight.
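
The four functions above can be sketched as a small model. This is an added illustration, not AppDefense code or its API: the `Behavior` and `Service` classes, the `mode` and `response` values, and the sample VMs and behaviors are all constructed for the example, and the verification engine is not modeled.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Behavior:
    process: str      # executable path
    cmdline: str      # full command line
    network: str      # "listen:<port>" or "connect:<host>:<port>"

@dataclass
class Service:        # one application tier; all member VMs share the same rules
    name: str
    vms: set
    mode: str = "discovery"          # "discovery" (learning) or "protected"
    response: str = "alert"          # "alert", "isolate" or "shutdown"
    allowed: set = field(default_factory=set)

def deviation(service, b):
    """Return why behavior b deviates from the intended state, or None."""
    if b in service.allowed:
        return None
    if b.process not in {a.process for a in service.allowed}:
        return "unknown process execution"
    if (b.process, b.cmdline) not in {(a.process, a.cmdline) for a in service.allowed}:
        return "unknown command-line arguments"
    return "unknown network connection or open port"

def observe(service, vm, b):
    """Learn in discovery mode; in protected mode return an alert for a deviation."""
    if vm not in service.vms:
        raise ValueError(f"{vm} is not a member of service {service.name}")
    if service.mode == "discovery":
        service.allowed.add(b)       # builds the intended state
        return None
    reason = deviation(service, b)
    return None if reason is None else {"vm": vm, "reason": reason, "response": service.response}

def demo():
    # Constructed sample: the "web" service of a hypothetical "payroll" scope, two VMs.
    web = Service("web", vms={"web-01", "web-02"}, response="isolate")
    nginx = Behavior("/usr/sbin/nginx", "nginx -g 'daemon off;'", "listen:443")
    observe(web, "web-01", nginx)    # learned on one VM during discovery
    web.mode = "protected"
    events = [
        ("web-02", nginx),           # allowed: same tier, same rules
        ("web-02", Behavior("/usr/sbin/nginx", "nginx -g 'daemon off;'", "listen:8080")),
        ("web-01", Behavior("/usr/sbin/nginx", "nginx -c /tmp/x.conf", "listen:443")),
        ("web-01", Behavior("/usr/bin/python3", "python3 -m http.server 8000", "listen:8000")),
    ]
    return [observe(web, vm, b) for vm, b in events]
```

Calling `demo()` returns one entry per observed event: `None` for the behavior learned in discovery, and an alert dictionary carrying the configured response for each of the three deviations.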

AppDefense Manager User Interface (UI)

When you log in to the AppDefense Manager, the AppDefense Manager Home page appears. Click the AppDefense icon to view the Home page. The left navigation pane displays alerts and provisioned or added scopes. Click the filter icon to narrow down the search results.

UI Description
VMware AppDefense

Dashboard displays:

  • Protection coverage section displays VMs and Containers that are protected by AppDefense.
    • Red color indicates the number of VMs that are available to be protected by AppDefense.
    • Yellow color indicates the number of VMs in Discovery Mode, where AppDefense is learning the behavior.
    • Green color indicates the number of VMs in Protected Mode.
  • Alerts section displays the list of alarms. Click the View All Critical Alerts link to view the Alerts page.
  • Scopes in discovery section displays scopes in Discovery Mode with the number of behaviors, the number of VMs assigned, and the number of days the scope has been in Discovery Mode.
  • Provisioning events section displays the list of provisioning events. AppDefense can tie into provisioning systems that can help to define appropriate and allowed behaviors, such as vRealize Orchestrator, vRealize Automation, Puppet, and Ansible. AppDefense also supports integration with other security vendors such as Splunk, IBM QRadar, Cb Defense, Aqua Security, and so on. Click the View All Events link to view the Provisioning page.
Alerts

Click Alerts to view the list of all alerts. Click the filter icon on each column heading to narrow down the search results in the table.

Scopes
  • icon shows that the scope is in Discovery Mode.
  • icon shows that the scope is in Protected Mode with alerts.
  • No icon means that the scope is in Protected Mode without any alerts.
  • To view the details, click the name of the scope.
  • To create a scope, click +.

Settings icon

The Settings icon appears at the bottom of the left navigation pane. You can go to the following pages using the Settings icon.
  • Events
  • Unassigned Members
  • Inventory
  • Appliances
  • Integrations
  • Global Service
  • Downloads
  • Manage Processes
  • Settings