The NSX Network Detection and Response feature maps detections to MITRE ATT&CK techniques and defends against them. It provides a cloud-based architecture that enables detectors to gain comprehensive visibility into network traffic that crosses the network perimeter (north/south) and traffic that moves laterally inside the perimeter (east/west).
The main objective of the NSX Network Detection and Response feature is to collect the key abnormal-activity and malicious events from every event source that is activated in your NSX-T Data Center environment. The collected events that are determined to require further analysis are then submitted to the VMware NSX® Advanced Threat Prevention cloud service for correlation and visualization. You can view and manage the results using the NSX Network Detection and Response user interface (UI).
NSX Network Detection and Response correlates events that are determined to be related into campaigns. The threat events in a campaign are organized into a timeline that is available for a security analyst to view and triage using the NSX Network Detection and Response UI.
Event Types and Event Sources
| Event Type | Event Source |
| --- | --- |
| Malicious file events | Edge appliance, if you activate the VMware NSX® Malware Prevention feature. |
| IDS events | Distributed IDS, if you activate the Distributed NSX IDS/IPS feature. |
| Network traffic anomaly events | VMware NSX® Intelligence™, if activated, and if you turn on the NSX Suspicious Traffic detectors. |
Activating and Using the Feature
Before you can start using the NSX Network Detection and Response feature, specific license and software requirements must be met, and you must activate the feature. As mentioned earlier, you must also activate and configure the corresponding NSX features to start using NSX Network Detection and Response to manage the different event types that you can monitor in your NSX-T Data Center environment.
For more information on the next steps, see NSX Network Detection and Response Activation and Usage Workflow.
Activating Other NSX Features
| NSX Feature to Activate | Documentation Name and Location | Topic Title |
| --- | --- | --- |
| NSX IDS/IPS | NSX-T Data Center Administration Guide for version 3.2 or later at https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html | Getting Started with NSX IDS/IPS and NSX Malware Prevention |
| NSX Malware Prevention | NSX-T Data Center Administration Guide for version 3.2 or later at https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html | Activate NSX Malware Prevention |
| NSX Intelligence | Activating and Upgrading VMware NSX Intelligence for version 3.2 or later at https://docs.vmware.com/en/VMware-NSX-Intelligence/index.html | Activate NSX Intelligence |
| NSX Suspicious Traffic | Using and Managing VMware NSX Intelligence for version 3.2 or later at https://docs.vmware.com/en/VMware-NSX-Intelligence/index.html | Activate the NSX Suspicious Traffic Detectors |