The Detector Definitions tab in the Suspicious Traffic page displays all of the detectors currently supported by the NSX Suspicious Traffic feature.

A detector is turned off by default. You must manually turn each detector before it can start monitoring the network traffic flows in your NSX-T environment. See Activate the NSX Suspicious Traffic Detectors for details.

Each NSX Suspicious Traffic detector listed on the Detector Definitions tab typically includes the following.

  • Detector name and description

  • Enable/disable toggle button

  • Likelihood (sensitivity) slider

    The slider allows you to set the likelihood a detector generates an alert. For a detection that falls below the threshold of likelihood, the system discards the detection event. This slider is not included for all detectors.

  • Exclusions

    A VM exclusion is a static list of VMs that the NSX Suspicious Traffic feature excludes from being monitored by the detector. For a Group exclusion, whether the detector excludes a member depends on when the system runs the detector. If the Group does not exist at the time the system runs the detector, the system might generate a warning in the system logs. If the VM does not exist at the time the system runs the detector, the detector silently ignores the exclusion setting. Group exclusion is not supported by all of the NSX Suspicious Traffic detectors.

Modify Some Property Values of a Detector Definition

To modify some of the default property values for select NSX Suspicious Traffic detector definitions, use the Detector Definitions tab.

The following image shows an example of a detector definition that is in edit mode.
A screenshot of the Horizontal Port Scan detector definition card in Edit mode.

Prerequisites

  • The NSX Intelligence 3.2 or later application must be activated.
  • You must be logged in to NSX Manager using one of the following NSX-T roles.
    • Enterprise Admin
    • Security Admin

Procedure

  1. From your browser, log in with the required privileges to an NSX Manager appliance at https://<nsx-manager-ip-address>.
  2. Navigate to the Security > Suspicious Traffic > Detector Definitions tab.
  3. Locate the detector whose definition you want to modify and click Edit (pencil icon).
  4. To turn on or turn off the detector, click the toggle button.
  5. If a slider is included in the definition, move the slider to the desired value that the detector uses for generating a detection event.

    Setting the slider to a smaller value means there is a greater likelihood of that detector generating a detection event.

  6. Define the Exclusion list.
    1. Click Apply Filter and in the drop-down menu, select Groups or VMs for the Source.
    2. Make your selection from the list of available Groups or VMs.
    3. Click Apply.
  7. Click Save.