The Detector Definitions tab in the Suspicious Traffic page displays all of the detectors currently supported by the NSX Suspicious Traffic feature.
A detector is turned off by default. You must manually turn on each detector before it can start monitoring the network traffic flows in your NSX-T environment. See Activate the NSX Suspicious Traffic Detectors for details.
Each NSX Suspicious Traffic detector listed on the Detector Definitions tab typically includes the following:
- Detector name and description
- Enable/disable toggle button
- Likelihood (sensitivity) slider
  The slider allows you to set the likelihood a detector generates an alert. For a detection that falls below the threshold of likelihood, the system discards the detection event. This slider is not included for all detectors.
- Exclusions
  A VM exclusion is a static list of VMs that the NSX Suspicious Traffic feature excludes from being monitored by the detector. For a Group exclusion, whether the detector excludes a member depends on when the system runs the detector. If the Group does not exist at the time the system runs the detector, the system might generate a warning in the system logs. If the VM does not exist at the time the system runs the detector, the detector silently ignores the exclusion setting. Group exclusion is not supported by all of the NSX Suspicious Traffic detectors.
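To make the threshold and exclusion semantics above concrete, here is an added, illustrative model of how a detector would filter its detection events. It is not NSX code and does not call any NSX API; the detector name, VM names, group names, scores and the `run_detector` / `resolve_excluded_vms` functions are all constructed assumptions. It shows the three behaviours the text describes: a disabled detector produces nothing, detections below the likelihood threshold are discarded, the static VM list and the run-time Group membership are combined into one exclusion set, a missing Group yields a warning, and a missing VM in the static list is silently ignored.

```python
"""Illustrative model (not NSX code) of how a suspicious-traffic detector
applies its likelihood threshold and VM/Group exclusions to detection events.
Every name and value below is a constructed assumption for this example."""
from __future__ import annotations

import logging
from dataclasses import dataclass, field

log = logging.getLogger("detector")


@dataclass
class Detection:
    vm: str            # VM the detection is about
    likelihood: float  # 0.0 .. 1.0 score assigned by the detector
    summary: str


@dataclass
class DetectorConfig:
    name: str
    enabled: bool = False      # detectors are off by default
    threshold: float = 0.5     # likelihood slider; detections below it are discarded
    vm_exclusions: list[str] = field(default_factory=list)     # static VM list
    group_exclusions: list[str] = field(default_factory=list)  # Groups resolved at run time


def resolve_excluded_vms(cfg: DetectorConfig, group_inventory: dict[str, set[str]],
                         known_vms: set[str]) -> tuple[set[str], list[str]]:
    """Build the effective exclusion set at the moment the detector runs.
    A Group that no longer exists produces a warning; a VM that no longer
    exists is dropped from the static list without any message."""
    excluded: set[str] = set()
    warnings: list[str] = []
    for vm in cfg.vm_exclusions:
        if vm in known_vms:
            excluded.add(vm)
        # unknown VM: silently ignored, as the feature does
    for group in cfg.group_exclusions:
        members = group_inventory.get(group)
        if members is None:
            msg = f"{cfg.name}: excluded Group '{group}' does not exist at run time"
            warnings.append(msg)
            log.warning(msg)
            continue
        excluded.update(members)  # membership is whatever the Group holds right now
    return excluded, warnings


def run_detector(cfg: DetectorConfig, events: list[Detection],
                 group_inventory: dict[str, set[str]],
                 known_vms: set[str]) -> tuple[list[Detection], list[str]]:
    """Return (alerts, warnings): events that meet the threshold and are not excluded."""
    if not cfg.enabled:
        return [], []
    excluded, warnings = resolve_excluded_vms(cfg, group_inventory, known_vms)
    alerts = [e for e in events
              if e.likelihood >= cfg.threshold and e.vm not in excluded]
    return alerts, warnings


# Constructed sample inventory, configuration and detection events.
SAMPLE_VMS = {"web-01", "web-02", "db-01", "jump-01"}
SAMPLE_GROUPS = {"web-tier": {"web-01", "web-02"}}
SAMPLE_CFG = DetectorConfig(
    name="demo-detector",
    enabled=True,
    threshold=0.6,
    vm_exclusions=["jump-01", "retired-vm"],          # retired-vm no longer exists
    group_exclusions=["web-tier", "missing-group"],   # missing-group no longer exists
)
SAMPLE_EVENTS = [
    Detection("db-01", 0.90, "unusual outbound connection fan-out"),
    Detection("web-01", 0.95, "excluded via web-tier Group"),
    Detection("db-01", 0.30, "below likelihood threshold"),
    Detection("jump-01", 0.80, "excluded via static VM list"),
]


def demo() -> tuple[list[Detection], list[str]]:
    """Run the sample detector over the constructed events."""
    return run_detector(SAMPLE_CFG, SAMPLE_EVENTS, SAMPLE_GROUPS, SAMPLE_VMS)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    alerts, warnings = demo()
    for a in alerts:
        print(f"ALERT {a.vm} likelihood={a.likelihood:.2f}: {a.summary}")
```

Running the module prints one alert (the 0.90 detection on `db-01`) and logs one warning for the missing Group; the stale `retired-vm` entry produces no message at all, which is worth remembering when an exclusion list looks right but a VM has been renamed or redeployed.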
Modify Some Property Values of a Detector Definition
To modify some of the default property values for select NSX Suspicious Traffic detector definitions, use the Detector Definitions tab.
Prerequisites
- The NSX Intelligence 3.2 or later application must be activated.
- You must be logged in to NSX Manager using one of the following NSX-T roles:
  - Enterprise Admin
  - Security Admin