NSX Network Detection and Response maps detections to MITRE ATT&CK techniques and defends against them. It provides a cloud-based architecture that enables detectors to gain comprehensive visibility into network traffic that crosses the network perimeter (north/south), and traffic that moves laterally inside the perimeter (east/west).

Main Objective

The main objective of the NSX Network Detection and Response feature is to collect key abnormal activity or malicious events from every event source that is activated in your NSX-T Data Center environment. The collected events that are determined to require further analysis are then submitted to the VMware NSX® Advanced Threat Prevention cloud service for correlation and visualization. You can view and manage the results using the NSX Network Detection and Response user interface (UI).

NSX Network Detection and Response correlates events that are determined to be related into campaigns. The threat events in a campaign are organized into a timeline that is available for a security analyst to view and triage using the NSX Network Detection and Response UI.
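To make the idea of "correlating related events into a campaign with a timeline" concrete, here is an added illustration in Python. It is not VMware's code and does not reflect the product's actual correlation logic or event schema: the event fields, the host-and-time-window grouping rule, and the ATT&CK technique tags are all assumptions, and the events are constructed samples standing in for the three event sources the page lists (Malware Prevention, Distributed IDS/IPS, Suspicious Traffic).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    """One detection event. Field layout is an assumption for this example."""
    ts: datetime
    source: str      # "malware" | "ids" | "anomaly" (the three sources on the page)
    host: str        # workload the event was observed on
    summary: str
    technique: str   # MITRE ATT&CK technique ID (assumed mapping)


# Constructed sample events: three on one workload within an hour, one elsewhere.
SAMPLE_EVENTS = [
    Event(datetime(2023, 5, 1, 9, 2), "ids", "10.0.1.20",
          "Exploit attempt against web app", "T1190"),
    Event(datetime(2023, 5, 1, 9, 5), "malware", "10.0.1.20",
          "Malicious file downloaded", "T1105"),
    Event(datetime(2023, 5, 1, 9, 40), "anomaly", "10.0.1.20",
          "Unusual east/west SMB fan-out", "T1021.002"),
    Event(datetime(2023, 5, 1, 11, 0), "ids", "10.0.2.7",
          "Port scan detected", "T1046"),
]


def correlate_into_campaigns(events, window_minutes=60):
    """Group events into campaigns.

    Rule used here (an assumption, not the product's): events belong to the
    same campaign when they are on the same host and each one falls within
    `window_minutes` of the previous event in that campaign. Campaigns are
    returned as time-ordered lists, which is the timeline an analyst triages.
    """
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)

    campaigns = []
    for evs in by_host.values():
        current = [evs[0]]
        for e in evs[1:]:
            gap_minutes = (e.ts - current[-1].ts).total_seconds() / 60
            if gap_minutes <= window_minutes:
                current.append(e)
            else:
                campaigns.append(current)
                current = [e]
        campaigns.append(current)
    return campaigns


def campaign_timeline(campaign):
    """Render one campaign as analyst-readable timeline lines."""
    return [f"{e.ts:%H:%M} [{e.source}] {e.technique} {e.summary}" for e in campaign]


def techniques_covered(campaign):
    """Distinct ATT&CK techniques observed across a campaign, sorted."""
    return sorted({e.technique for e in campaign})


if __name__ == "__main__":
    for i, c in enumerate(correlate_into_campaigns(SAMPLE_EVENTS), 1):
        print(f"Campaign {i} on {c[0].host}: techniques {techniques_covered(c)}")
        for line in campaign_timeline(c):
            print("  ", line)
```

The value of the grouping is that three detections from three different sources, each low-signal on its own, read as one intrusion sequence (initial access, tool download, lateral movement) when placed on a single timeline.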

Event Types and Event Sources

The following table lists the event types that NSX Network Detection and Response can collect and the sources that generate those events. For any of these event sources to send events to NSX Network Detection and Response, you must activate the corresponding NSX feature named for that event type.
| Event Type | Events Source |
| --- | --- |
| Malicious file events | Edge appliance, if you activate the VMware NSX® Malware Prevention feature. |
| IDS events | Distributed IDS, if you activate the Distributed NSX IDS/IPS feature. |
| Network traffic anomaly events | VMware NSX® Intelligence™, if activated, and if you turn on the NSX Suspicious Traffic detectors. |
Important: To get the most out of the NSX Network Detection and Response feature, activate one or more of the NSX features whose events it consumes. Although you can activate NSX Network Detection and Response on its own, if you do not activate any of the NSX features in the previous table, it has no events to analyze and therefore cannot deliver any of its benefits.

Activating and Using the Feature

Before you can start using the NSX Network Detection and Response feature, specific license and software requirements must be met, and you must activate the feature. As mentioned earlier, you must also activate and configure the corresponding NSX features to start using NSX Network Detection and Response to manage the different event types that you can monitor in your NSX-T Data Center environment.

For more information on the next steps, see NSX Network Detection and Response Activation and Usage Workflow.

Activating Other NSX Features

For information about how to activate and configure the NSX features whose detection events NSX Network Detection and Response consumes, refer to the following table.
| NSX Feature to Activate | Documentation Name and Location | Topic Title |
| --- | --- | --- |
| NSX IDS/IPS | NSX-T Data Center Administration Guide for version 3.2 or later at https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html | Getting Started with NSX IDS/IPS and NSX Malware Prevention |
| NSX Malware Prevention | NSX-T Data Center Administration Guide for version 3.2 or later at https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html | Activate NSX Malware Prevention |
| NSX Intelligence | Activating and Upgrading VMware NSX Intelligence for version 3.2 or later at https://docs.vmware.com/en/VMware-NSX-Intelligence/index.html | Activate NSX Intelligence |
| NSX Suspicious Traffic | Using and Managing VMware NSX Intelligence for version 3.2 or later at https://docs.vmware.com/en/VMware-NSX-Intelligence/index.html | Activate the NSX Suspicious Traffic Detectors |