The goal of the NSX Suspicious Traffic feature is to detect suspicious or anomalous network traffic behaviors in your NSX-T Data Center environment.

How It Works

After you have satisfied the prerequisites, the NSX Suspicious Traffic feature can start generating network threat analytics on the east-west network traffic flow data that the NSX Intelligence application has collected from your eligible NSX-T workloads (hosts or clusters of hosts). The NSX Intelligence application stores the collected data and persists that data for 30 days. The NSX Suspicious Traffic feature analyzes the data and flags suspicious activities using the supported detectors. You can view the information about the detected threat events using the Detection Events tab of the NSX Suspicious Traffic UI page.

If activated, the NSX Network Detection and Response feature sends the suspicious events to the VMware NSX® Advanced Threat Prevention cloud service for deeper analysis. If the NSX Advanced Threat Prevention service determines that certain suspicious events are related, it correlates those suspicious events into a campaign. The service then organizes the events in that campaign into a timeline and visualizes it on the NSX Network Detection and Response user interface. All threat events are visualized using the NSX Network Detection and Response user interface. The individual threat events and campaigns can be further investigated by your network security team. The NSX Advanced Threat Prevention cloud service fetches periodic updates on the previously detected threats and updates the visualization UI screens when needed.

Supported Detectors

The following table lists the supported detectors that the NSX Suspicious Traffic feature uses to classify the detected suspicious network traffic. The detections generated by these detectors might be associated to specific techniques or tactics in the MITRE ATT&CK® Framework.

These detectors are turned off by default and you must explicitly turn on each detector that you want to use in your NSX-T environment. See Activate the NSX Suspicious Traffic Detectors for more details on any prerequisites and how to turn on the detectors.

You can manage the exclusion lists and the likelihood value for some of the definitions of these supported detectors using the Detector Definitions tab. See Managing the NSX Suspicious Traffic Detector Definitions for details.

Table 1. Detector Categories Used to Detect Suspicious Traffic

Detector Name


Data Upload/Download

Detect unusually large data transfers (uploads/downloads) for a host.

Destination IP Profiler

Detect attempts by internal devices to perform unusual connections toward other internal hosts.

DNS Tunneling

Detect attempts by an internal device to communicate covertly with an external server by abusing DNS traffic.

Domain Generation Algorithm (DGA)

Detect anomalies in the DNS lookups performed by an internal host that might be caused by DGA malware.

Horizontal Port Scan

Detect if an intruder tries to scan one or more ports or services across multiple systems (Sweeping).

LLMNR/NBT-NS Poisoning and Relay

Detect if a VM shows an unusual response pattern to LLMNR/NBT-NS requests.

Netflow Beaconing

Detect beaconing behavior from an internal host.

Network Traffic Drop

Detect if an unusually high amount of traffic is dropped by a distributed firewall rule.

Port Profiler

Detect when an internal client host communicates with an external host on an unusual port.

Server Port Profiler

Detect when an internal host is connected to by another internal host on an unusual port.

Remote Services

Detect suspicious behavior for remote connections, such as telnet, SSH, and VNC.

Uncommonly Used Port

Detect L7 Application ID Traffic mismatch with the standard assigned port/protocol. For example, SSH traffic runs on a non-standard port instead of the standard Port 22.

Unusual Network Traffic Pattern

Detect anomalies in the time series profile of a host.

Vertical Port Scan

Detect if an intruder tries to attack multiple open ports or services of a single system (Scanning).