The main objective of the NSX Network Detection and Response feature is to collect key abnormal activity or malicious events from every activated event source in your NSX environment.

Collected Events

NSX Network Detection and Response submits any collected events that require further analysis to the VMware NSX® Advanced Threat Prevention cloud service for correlation and visualization. You can view and manage the analysis results using the NSX Network Detection and Response user interface (UI).

NSX Network Detection and Response correlates events that it determines to be related into campaigns. It organizes threat events in a campaign into a timeline that is available for a security analyst to view and triage using the NSX Network Detection and Response UI.

Event Types and Event Sources

The following table lists the event types that NSX Network Detection and Response can collect and the sources that generate those events. For an event source to send its events to NSX Network Detection and Response, you must activate the corresponding NSX feature mentioned for the event type.

| Event Type | Event Source |
| --- | --- |
| Malicious file events | Edge appliance, if you activate the VMware NSX® Malware Prevention feature. |
| IDS events | Distributed IDS, if you activate the Distributed NSX IDS/IPS feature. |
| Network traffic anomaly events | VMware NSX® Intelligence™, if activated, and if you turn on the NSX Suspicious Traffic detectors. |

Important: To get the most out of the NSX Network Detection and Response feature, activate one or more of the NSX features whose events it consumes. Although you can activate the NSX Network Detection and Response feature on its own, if you do not activate any of the NSX features mentioned in the previous table, NSX Network Detection and Response has no events to analyze and therefore cannot provide any of its benefits.

Activating and Using the Feature

Before you can start using the NSX Network Detection and Response feature, you must meet specific license requirements and software requirements, and you must activate the feature. To start using NSX Network Detection and Response to manage the different event types that you can monitor in your NSX environment, you must also activate and configure the corresponding NSX features.

For more information on the next steps, see NSX Network Detection and Response Activation and Usage Workflow.

Activating Other NSX Features

For information about how to activate and configure the NSX features whose detection events NSX Network Detection and Response consumes, refer to the following table.

| NSX Feature to Activate | Documentation Name and Location | Topic Title |
| --- | --- | --- |
| NSX IDS/IPS | NSX Administration Guide for version 3.2 or later. | Getting Started with NSX IDS/IPS and NSX Malware Prevention |
| NSX Malware Prevention | NSX Administration Guide for version 3.2 or later. | Activate NSX Malware Prevention |
| NSX Intelligence | Activating and Upgrading VMware NSX Intelligence for version 3.2 or later delivered with the VMware NSX Intelligence Documentation set. | Activate NSX Intelligence |
| NSX Suspicious Traffic | Using and Managing VMware NSX Intelligence for version 3.2 or later delivered with the VMware NSX Intelligence Documentation set. | Activate the NSX Suspicious Traffic Detectors |