The Detector documentation pop-up window provides detailed information about the NSX Network Detection and Response detector that provided the event evidence. The intent is to assist you in determining the confidence you can place in this detector.
The documentation displays at least some of the following details.
Detail Name |
Description |
---|---|
Goal |
Short description of the goal of the detector. |
ATT&CK categorization |
If applicable, a link to the MITRE ATT&CK technique is provided. |
Detector abstract |
A detailed technical description of the detector and its operation. |
IDS rule |
A high-level representation of the detection logic used by an NSX Network Detection and Response network signature. The rule syntax is loosely related to the Suricata signature language defined in the Suricata Rules documentation. A rule consists of one or more clause sets, typically a single clause, each containing key/value pairs. If there is more than one clause in a rule, each clause is numbered. The first clause is prefaced "IF:" and each subsequent clause is prefaced with "AND THEN IF:". The different clause sets are evaluated sequentially on data belonging to the same flow. Point to any key/value pair to view a relevant help pop-up window. |
False positives |
A description of the possibility of the detector to generate false positives. |
False negatives |
The assumptions that might result in the detector causing false negatives. |