NSX Network Detection and Response provides a filtering mechanism that allows you to focus on specific incident information that is of interest to you. The use of filters is optional.
- From the Incidents page, click to expand the Filters widget.
- Click anywhere in the Filter on text box and select an item from the drop-down menu.
You can select from the following available filters. To further narrow the focus of the displayed information, you can combine multiple filters.
| Filter Name | Description |
| --- | --- |
| Campaign UUID | Restrict the displayed entries by the Campaign UUID. This is a 32-character hexadecimal string, for example, . Alternatively, enter the string null to select records that do not belong to any campaign. |
| Home network | Restrict the displayed entries by the Home network setting. Select Home network only or Unidentified networks only from the drop-down menu. |
| Source IP | Restrict the displayed entries to a specific source IP address, IP address range, or CIDR block. Enter the value in the text box. |
| Host name | Restrict the displayed entries by the Host name. The full host name or label needs to be provided. |
| Priority | Restrict the displayed entries by the Priority status. Select Infections, Watchlist, or Nuisances from the drop-down menu. |
| Read status | Restrict the displayed entries by their Read status. Select Read or Unread from the drop-down menu. |
| Status | Restrict the displayed entries by their status. Select Closed or Open from the drop-down menu. |
| Threat | Restrict the displayed entries by a specific threat. Select a threat from the drop-down menu. The menu is prepopulated with a list of cataloged threats. Use the search function at the top of the menu to quickly find a threat name. |
| Threat class | Restrict the displayed entries to a specific class of threats. Select the threat class from the drop-down menu. The menu is prepopulated with a catalog of classes, some of which are listed below the table. Use the search function at the top of the menu to quickly find a class name. |
- adware: Malware that displays or downloads advertisements to an infected computer.
- click-fraud: Click-fraud targets pay per click online advertising.
- command & control: An infected machine belongs to a botnet and the machine can be remotely controlled by an attacker.
- drive-by: An attacker attempted to exploit a vulnerability on the machine in order to install additional malware on the target system.
- exploit toolkit: Detection of an exploit toolkit that attempted a drive-by download attack.
- fake-av: Fake antivirus software or other kinds of rogue security software designed to trick or mislead your users.
- inactive C&C: The command & control server for this specific botnet is inactive.
- VMware blocking test: The domain block.lastline.com is used to test blocking of network connections and the selected events belong to this class.
- VMware test: The domain test.lastline.com is used to test the functionality of the setup and the selected events belong to this class.
- Malicious File Download, Malware Distribution, and malware download: The IP address or domain hosts malicious executables.
- sinkhole: A sinkhole is operated by a legitimate organization, so it does not pose a threat. However, hosts that try to contact such a host may be infected.
- spyware: Malware that attempts to steal sensitive information.
- suspicious-dns: Suspicious DNS domains are domains that are contacted by malware running on infected machines. Our proprietary techniques were able to proactively identify these domains as malicious.
- unknown: An unknown security risk was detected.
- To apply the selected filters, click Apply.
- (Optional) To delete an individual filter, click the Remove (–) button next to its entry. To delete all the selected filters, click the icon located on the right side of the Filters widget.
The Filters widget collapses when you delete all the selected filters.
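The same filter semantics are useful when triaging incident records exported from the product offline. The script below is an added example, not NSX NDR code: it reproduces the Campaign UUID (32 hex characters or null), Source IP (single address, range, or CIDR block), Host name, Priority, Read status, Status, and Threat class filters over constructed sample records, and combines selected filters with logical AND exactly as stacking filters in the widget narrows the view. The record field names and the sample incidents are assumptions.

```python
"""Offline re-implementation of the NSX NDR incident filter semantics (added example)."""
import ipaddress
import re
from typing import Iterable

# Constructed sample incidents; field names are assumptions, not the product's export format.
INCIDENTS = [
    {"campaign_uuid": "0123456789abcdef0123456789abcdef", "source_ip": "10.1.2.3",
     "host": "ws-01.corp.example", "priority": "Infections", "read": False,
     "status": "Open", "threat_class": "command & control"},
    {"campaign_uuid": None, "source_ip": "10.1.9.40", "host": "ws-07.corp.example",
     "priority": "Nuisances", "read": True, "status": "Closed", "threat_class": "adware"},
    {"campaign_uuid": None, "source_ip": "192.168.5.5", "host": "lab-03",
     "priority": "Watchlist", "read": False, "status": "Open", "threat_class": "sinkhole"},
]

def _ip_matches(value: str, spec: str) -> bool:
    """Source IP filter: a single address, a 'start-end' range, or a CIDR block."""
    ip = ipaddress.ip_address(value)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)

def _campaign_matches(value, spec: str) -> bool:
    """Campaign UUID filter: 'null' selects incidents with no campaign, else a 32-hex-char match."""
    if spec == "null":
        return value is None
    if not re.fullmatch(r"[0-9a-fA-F]{32}", spec):
        raise ValueError(f"campaign UUID must be 32 hexadecimal characters: {spec!r}")
    return value is not None and value.lower() == spec.lower()

MATCHERS = {
    "campaign_uuid": _campaign_matches,
    "source_ip": _ip_matches,
    "host": lambda v, s: v == s,              # the full host name must be provided
    "priority": lambda v, s: v == s,          # Infections | Watchlist | Nuisances
    "read": lambda v, s: v == (s == "Read"),  # Read | Unread
    "status": lambda v, s: v == s,            # Open | Closed
    "threat_class": lambda v, s: v == s,
}

def apply_filters(incidents: Iterable[dict], filters: dict) -> list:
    """Every selected filter must match (logical AND), so adding filters only narrows the result."""
    unknown = set(filters) - set(MATCHERS)
    if unknown:
        raise KeyError(f"unknown filter(s): {sorted(unknown)}")
    return [i for i in incidents if all(MATCHERS[n](i[n], s) for n, s in filters.items())]

if __name__ == "__main__":
    print(apply_filters(INCIDENTS, {"source_ip": "10.1.0.0/16", "status": "Open"}))
```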