As the NSX Suspicious Traffic feature generates network threat analytics from the collected network traffic flow data, it reports the suspicious events it detects on the Detection Events page. You can view the detection events in a bubble chart, a grid, or both.

Prerequisites

Managing Detection Events

By default, when you navigate to Security > Suspicious Traffic > Detection Events, you see the detection events displayed in both the bubble chart and grid formats, as shown in the following image. The table that follows the image describes the numbered sections highlighted in the image.


Screenshot of the Detection Events tab in the Suspicious Traffic UI page.

Section

Description

1

Gives the total number of suspicious event detections that the NSX Suspicious Traffic feature made during the selected time period.

2

In this section, you select the time period that the system uses to determine which historical data about the detected events NSX Suspicious Traffic reports on this UI page. The time period is measured back from the current time. The default time period is Last 1 Hour. To change the selected time period, click the current selection and select another from the drop-down menu. The available selections are Last 1 Hour, Last 12 Hours, Last 24 Hours, Last 1 Week, Last 2 Weeks, and Last 1 Month.

3

The Graph toggle determines if the bubble chart is displayed or not. When the Graph toggle is turned off, only the grid displays information about the detection events. By default, it is toggled to On.

4

If the NSX Network Detection and Response feature is activated, the application launcher icon is visible in the upper-right corner of the NSX Suspicious Traffic user interface.

To view more details about the detected anomalous events using the NSX Network Detection and Response UI, click the application launcher icon and select NSX Network Detection and Response. From the NSX Network Detection and Response UI, click the application launcher icon again and select NSX-T to return to the NSX Suspicious Traffic UI.

5

This bubble chart provides a visual timeline of when the detected events occurred during the selected time period. Each event is plotted based on the severity of the detection event. The following are the severity categories and their corresponding severity scores.

  • Critical: 75-100

  • High: 50-74

  • Medium: 25-49

  • Low: 0-24

6

The filter area enables you to narrow down the detection events that are displayed for the selected time period. Click Filter Detection Events, select a filter from the drop-down menu, and then select the specific items you want from the additional drop-down menu that is displayed. The available filters include the following.

  • Confidence Score - The score the system assigns, using the proprietary algorithms that the NSX Suspicious Traffic feature uses, based on how confident it is that an event is anomalous.

  • Detector - A sensor designed for detecting anomalous events in your network traffic flow. A detector maps to a single MITRE ATT&CK category or technique.

  • Impact Score - A score calculated by a proprietary algorithm that combines the confidence score for the detection event with its severity, assuming the event was correctly detected.

  • Tactics - Represent why an adversary performs an action, expressed as an ATT&CK tactic.

  • Techniques - Represent how an adversary tries to achieve a tactical goal of their attack, expressed as specific ATT&CK techniques or sub-techniques.

  • VMs - The VMs that participated in the detected events that occurred during the selected time period.

7

Click Legend to list the different types of bubbles that can appear in the bubble chart. The following list describes each bubble and the type of detection event it represents.

  • Persistence - The adversary is trying to maintain their hold on the systems in your network.

  • Credential Access - The adversary is trying to steal account names and passwords.

  • Discovery - The adversary is trying to learn about your network environment.

  • Command and Control - The adversary is trying to communicate with compromised systems and control them.

  • Lateral Movement - An adversary is trying to move through your network environment.

  • Collection - An adversary is attempting to gather information that would be helpful in their final goal.

  • Exfiltration - The adversary is trying to steal data from your network.

  • Other - The detector cannot be associated to a specific tactic as defined in the MITRE ATT&CK Framework.

  • Multiple events - More than one detection event occurred in the same time segment. Moving the time window slider to the right changes the scope of which bubbles are displayed, so a Multiple Events bubble can split into several bubbles of other types.

8

Each bubble in the chart represents a detection event or multiple events that occurred during the selected time period. The color or type of bubble represents the tactic used by the adversary during the detected attack. See the descriptions in Legend for more information.

9

The time window slider allows you to view detection events that occurred within a subset of the selected time period. The highlighted blue area represents what is displayed in the bubble chart. As you slide the slider to the right or left, the bubble chart gets updated with the detection events that occurred during the period highlighted in the slider. If there are detection events that occurred around the same time, a Multiple Events bubble represents those detection events. When you move the slider to the right, you will notice that the Multiple Events bubble expands into the multiple bubbles that represent the different detection events that occurred around that time period.
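To show how the severity bands (section 5), the relative time period and the Tactics and VMs filters (sections 2 and 6), and the Multiple events grouping controlled by the slider (section 9) fit together, here is an added Python example; it is not code from the NSX product or from this documentation. The event record layout, the detector and VM names, and the 30-day length of "Last 1 Month" are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Severity bands exactly as listed for the bubble chart on this page.
SEVERITY_BANDS = [("Critical", 75, 100), ("High", 50, 74),
                  ("Medium", 25, 49), ("Low", 0, 24)]

# The relative time periods offered in the drop-down menu, measured back from "now"
# (one month is assumed to be 30 days here).
PERIODS = {"Last 1 Hour": timedelta(hours=1), "Last 12 Hours": timedelta(hours=12),
           "Last 24 Hours": timedelta(hours=24), "Last 1 Week": timedelta(weeks=1),
           "Last 2 Weeks": timedelta(weeks=2), "Last 1 Month": timedelta(days=30)}
# Constructed sample events. The record layout, detector names and VM names are
# assumptions made for this example, not the NSX data model.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:05:00Z", "score": 82, "tactic": "Credential Access",
     "detector": "example-detector-a", "vms": ["web-01", "db-01"]},
    {"time": "2024-05-01T10:08:00Z", "score": 40, "tactic": "Discovery",
     "detector": "example-detector-b", "vms": ["web-01"]},
    {"time": "2024-05-01T09:20:00Z", "score": 12, "tactic": "Other",
     "detector": "example-detector-c", "vms": ["app-02"]},
    {"time": "2024-04-30T08:00:00Z", "score": 66, "tactic": "Exfiltration",
     "detector": "example-detector-d", "vms": ["db-01"]},
]

def severity_label(score):
    """Map a 0-100 severity score to the chart's category."""
    for label, low, high in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"severity score out of range: {score}")

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def filter_events(events, now, period, tactic=None, vm=None):
    """Keep events inside the relative time period, then apply the Tactics/VMs filters."""
    start = now - PERIODS[period]
    return [ev for ev in events
            if start <= parse_time(ev["time"]) <= now
            and (tactic is None or ev["tactic"] == tactic)
            and (vm is None or vm in ev["vms"])]

def bubbles(events, segment_seconds):
    """Group events into time segments of the slider's current width; a segment holding
    more than one event becomes a 'Multiple events' bubble, as in the chart legend."""
    buckets = {}
    for ev in events:
        key = int(parse_time(ev["time"]).timestamp() // segment_seconds)
        buckets.setdefault(key, []).append(ev)
    return [("Multiple events" if len(g) > 1 else g[0]["tactic"], len(g))
            for _, g in sorted(buckets.items())]
```

Narrowing the segment width in bubbles() mirrors dragging the slider: the same two events form one Multiple events bubble at a 10-minute width and two separate bubbles at a 1-minute width.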

10

The grid displays information about each detection event that the NSX Suspicious Traffic feature identified during the selected time period. When not expanded, a row shows the following key event data.

  • Impact - The impact score that the NSX Suspicious Traffic feature calculated for the detection event.

  • Severity - Indicates how bad the event is. Possible values are Low, Medium, High, and Critical. These values correspond with the ones used in the bubble chart.

  • Time Detected - The date and time the event was detected.

  • Detector - The name of the detector that the NSX Suspicious Traffic feature used to detect the event. When you click the detector name, a dialog box displays additional information about the detector, such as its goal, ATT&CK category, and an abstract about the detector. The ATT&CK Category section includes a link to the MITRE ATT&CK web site that gives more details about that particular ATT&CK category used in the detection event.

  • Type - Lists the tactic and technique used in the detection event.

  • Affected Objects - Lists the source VMs and target VMs involved in the detection event.

The example screenshot also shows an expanded row. When expanded, a row displays additional event information: a summary of the event that was detected and an explanation of the visualization or of the additional event data shown in the expanded row. For example, in the above screenshot, the expanded row displays a summary of the detected event and what the visualization represents. Not all detection events include a visualization; some display only additional detailed data.

11

An expanded row might also display one or more links in the bottom-right corner. When clicked, a link takes your view to another UI page where more information about the detected event is provided. The following are the available links, when applicable for the detection event.

The following link might be enabled, even if the NSX Network Detection and Response feature is not activated.

  • View affected VMs and their current traffic - When you click this link, the system displays the visualization canvas in the Plan & Troubleshoot tab. It shows the compute entities that were involved in the detection event. See Working with the Computes View for more information.

If the NSX Network Detection and Response application is activated, the following links might also be available if applicable for the event.

  • Campaign - If the NSX Advanced Threat Prevention cloud service identified this detection event to be part of a campaign, this link is enabled. When you click the link, details about the campaign are displayed on the Campaigns page of the NSX Network Detection and Response user interface. For more information, see the "Managing the Campaigns Page" topic in the NSX Network Detection and Response section of the Security chapter of the NSX-T Data Center Administration Guide. You can find NSX-T Data Center Administration Guide version 3.2 and later at https://docs.vmware.com/en/VMware-NSX/index.html.

  • Event Details - When you click this link, a new browser tab is opened and more details about the detection event are displayed in the Event Profile page of the NSX Network Detection and Response user interface. For more information, see the "Working with the Events Page" topic in the NSX Network Detection and Response section of the Security chapter of the NSX-T Data Center Administration Guide. You can find NSX-T Data Center Administration Guide version 3.2 and later at https://docs.vmware.com/en/VMware-NSX/index.html.