The Event profile page is accessed from the Details button at the top of the Event Summary sidebar.

There are a number of controls and buttons along the top of the view:

  • Click Similar Events to view a drop-down list of similar features. Click the icon beside each to select Destination, Destination port, Source IP, Transport protocol, Threat class, and Threat type. Then click View Events chain icon to view the selected events in a new tab.

  • Click Manage Alert to launch the Manage alert sidebar. Use this feature to suppress or demote harmless events, such as the system Test or Blocking events, or to apply custom scores to specific events. See Working with the Manage Alert Sidebar for details.

  • Click the icon to collapse all fields or the icon to expand all fields.

Event Overview

The top section provides a visual overview of the threat or malware that the NSX Network Detection and Response application detected, and displays the threat class and the threat impact score.

Event Summary

The Event summary section provides an explanation as to why the NSX Network Detection and Response application flagged this event, identifies the threat or malware associated with this event, briefly describes the detected activity, and displays supporting data.

If available from the NSX Advanced Threat Prevention cloud service, a detailed explanation of the event and why it is considered malicious is displayed at the top of the Event summary section.

Server Block

The Server block displays the following data.

Data

Description

Host name

If available, the FQDN of the server.

IP address

The IP address of the server. A geo-located flag might be displayed. If the chain link icon icon is present, click the link to view more details in the Host profile page.

If available, click the tag icon icon to see the reputation tags of the client.

If available, click the globe icon icon to view registration information and other data about the host in the WHOIS pop-up window.

MAC address

If available, the MAC address of the server. This address is obtained from monitoring DHCP traffic and is one of the data points the system uses to generate a unique HostID entry that it maps to a specific host in the network, regardless of its IP address.

Client Block

The Client block displays the following data.

Data

Description

Host name

If available, the FQDN of the client.

IP address

The IP address of the client. A geo-located flag might be displayed. If available, click the address or the chain link icon icon to view the Host profile page .

If available, click the tag icon icon to see reputation tags of the client.

If available, click the globe icon icon to view registration information and other data about the host in the WHOIS pop-up window.

MAC address

If available, the MAC address of the client. This address is obtained from monitoring DHCP traffic and is one of the data points the system uses to generate a unique HostID entry that it maps to a specific host in the network, regardless of its IP address.

Event Metadata

The Event metadata section displays the following data.

Data

Description

Verification outcome

Indicates the event outcome. The following are the possible values.

  • Blocked: The threat was blocked by the NSX Network Detection and Response application or by a third-party application.

  • Failed: The threat failed to reach its goal. This could be caused by the C&C server being offline, the attacker made coding errors, etc.

  • Succeeded: The threat was verified to have reached its goal. This could be its check-in attempt to the C&C server completed and data was received from the malicious endpoint.

If the event outcome is unknown, this field is not displayed.

Verifier name

The name of the event verifier. Click the link to access the Verifier Documentation pop-up window.

Verifier message

A message from the verifier which provides further information about the outcome, for example, which third party application blocked the threat.

Sensor

The sensor that detected the event.

Connections

The number of connections included in the event.

Action

A list of actions taken by the sensor (for example, any blocking activities, whether the event is logged, whether traffic was captured, or a malware download was extracted).

Users logged in

A list of the users detected in the logged records.

Outcome

The outcome of the event. In most cases, the outcome is DETECTION.

For INFO events and events that were promoted from INFO status, an additional label provides the reason for its status/status change. A pop-up is displayed when you hover over the label, providing additional details about the reason.

Related incident

A permalink to a correlated incident. Clicking the chain link link opens the Incident profile page in a new browser tab.

This event might be one of a number of closely related events that have been automatically correlated into an incident.

Event ID

View the event in the Network event details page. The link opens in a new browser tab.

Start time

A timestamp for the beginning of the event.

End time

A timestamp for the end of the event.

Captured Malware

The Captured malware section provides information from the dynamic analysis that was performed on the malicious software instance that is related to the event.

You can access detailed in-depth technical information on what the malware does, how it operates, and what kind of a risk it poses. For more information on the displayed information, see Using the Analysis Report.

Note:

If no malicious software was detected for the event, this section will not appear.

Event Evidence

The Event evidence section provides details of the actions observed while analyzing the event.

Actions can include malicious file download, network traffic matching the network signature for known threats, performing a domain name resolution of a blocked malware domain, a known bad URL path, and so on.

If available, click the Detector link to view the Detector documentation pop-up window. Also see the About Evidence for more details.

Host Reputation

The Host reputation section provides information about known malicious hosts or URL reputation entries seen in the event.

Note:

If the host has no known history, this section will not appear.

Anomaly Data

This section displays the netflow or passive DNS records that caused the anomaly event to be raised.

It will be titled DNS anomaly data or Netflow anomaly data, depending upon the anomaly seen.

Additional information may be provided, such as the IP addresses or ports that have been classified as anomalous. If a large number of items are involved, you can click the plus icon# to expose all the items.

Note:

If no anomalies were seen for the event, this section will not appear.

Threat Description

The Threat description section provides a detailed description of the threat associated with the event.

Mitigation

The Mitigation section provides detailed instructions for the removal of any malicious software and other recommended processes to clean up after the event.

Note:

If there is no known mitigation process for the event, this section will not appear.