The Detector Definitions tab in the Suspicious Traffic page displays all of the detectors currently supported by the NSX Suspicious Traffic feature in NSX Intelligence.

A detector is turned off by default. You must manually turn each detector before it can start monitoring the network traffic flows in your NSX environment. See Activate the NSX Suspicious Traffic Detectors for details.

Each NSX Suspicious Traffic detector listed on the Detector Definitions tab typically includes the following.

  • Detector name and description
  • On/Off toggle button
  • Likelihood (sensitivity) slider

    The slider allows you to set the likelihood a detector generates an alert. For a detection that falls below the threshold of likelihood, the system discards the suspicious traffic event. This slider is not included for all detectors.

  • Exclusions

    A VM exclusion is a static list of VMs that the NSX Suspicious Traffic feature excludes from being monitored by the detector. For a Group exclusion, whether the detector excludes a member depends on when the system runs the detector. If the Group does not exist at the time the system runs the detector, the system might generate a warning in the system logs. If the VM does not exist at the time the system runs the detector, the detector silently ignores the exclusion setting. Group exclusion is not supported by all of the NSX Suspicious Traffic detectors.

Modify Some Property Values of a Detector Definition

To modify some of the default property values for select NSX Suspicious Traffic detector definitions, use the Detector Definitions tab.

The following image shows an example of a detector definition that is in edit mode.
Screenshot of the Horizontal Port Scan detector definition card in Edit mode..

Prerequisites

  • The NSX Intelligence 3.2 or later must be activated.
  • You must be logged in to NSX Manager using one of the following NSX roles.
    • Enterprise Admin
    • Security Admin

Procedure

  1. From your browser, log in with the required privileges to an NSX Manager appliance at https://<nsx-manager-ip-address>.
  2. Navigate to the Security > Suspicious Traffic > Detector Definition tab.
  3. Locate the detector whose definition you want to modify and click Edit (pencil icon).
  4. If a slider is included in the definition, move the slider to the desired value that the detector uses for identifying a suspicious traffic event.

    Setting the slider to a smaller value means there is a greater likelihood of that detector identifying a suspicious traffic event.

  5. Define the Exclusion list.
    1. Click Add/Edit Exclusion and in the drop-down menu, select Groups or VMs for the Source. Some detectors only have VMs available for selection.
    2. Define your exclusion list by selecting from the list of available groups or VMs.
    3. Click Save.
  6. Click Save Settings.