The Overview tab in the Campaign Details page displays a summary of the campaign and an interactive graphical blueprint.

The following information describes the three sections on this tab.

Campaign Threats and Hosts

The Threats and hosts section displays the Threats and Hosts widgets.

The Threats widget displays the current threats that the NSX Network Detection and Response application detected in the selected campaign. The severity of the threat is indicated by the color code: red for high, yellow for medium, and blue for low. Point to the name of the listed threats and a pop-up window displays the IP addresses of the affected hosts. Click View threats details and the Timeline tab displays detailed information about the campaign.

The Hosts widget displays the hosts affected by the selected campaign. The severity of the threat is indicated by the color code: red for high, yellow for medium, and blue for low.

Point to the IP address of an affected host and a pop-up window displays the names of the threats affecting the host. Click View hosts details and the Hosts tab displays detailed information about the hosts.

Campaign Attack Stages

The Attack stages widget displays the attack stages, highlighting the current campaign attack stages. Point to a highlighted activity and a pop-up window displays more information about the attack stage. See Campaign Properties for details about attack stages.

Campaign Blueprint

The Campaign blueprint widget provides an interactive graphical representation of the campaign. It displays the hosts involved in the campaign (both internal and external to your network), the threats that affected them, and additional information that completes the campaign description.

The following figure shows an example of a blueprint graph (a sample intrusion graph, described in the list below).

This blueprint graph shows the following activities.

  • A malicious binary file is downloaded to the host node with label 172.30.4.99. This activity is consistent with a user on that host opening an email (for example, visiting a URL or opening an attachment contained in that email).

  • The host node with label 172.30.4.99 is connected to the hostname node with label kharkiv.biz.ua. The analysis report 3958ec33 shows that a download was made from the URL http://kharkiv.biz.ua/hPpD/. The analysis report also shows that what is downloaded is a PE executable application, 32-bit, Intel i386 file.

  • The host node with label 172.30.4.99 is connected to an Emotet command and control. The server is the blocked entry 75.112.62.42.

  • The host node with label 172.30.4.99 is connected to the host node with label 172.30.6.2 with a suspicious data upload, and to the host nodes with labels 172.30.5.200 and 172.30.5.200 with a suspicious remote task scheduling; all of these activities are associated with lateral movement.

  • The host node with label 172.30.6.2 is connected to the host node with label 172.30.5.200 with a suspicious Kerberos encryption, an activity consistent with data exfiltration.

Node key

The following node types can appear in the blueprint graph. For each node type, the icon, the node type name, and a description are given.

Analysis report
Icon: analysis icon

This node type represents the results of detonating a sample (file or URL) in the NSX Network Detection and Response sandbox.

  • Analysis report nodes are labeled with a shortened version of the corresponding analysis task UUID.

  • The score range of the analysis run is expressed using the color-coded badge on the top-right of the node.

Downloaded file
Icon: downloaded file icon

This node type represents a file that was downloaded in the network.

  • Downloaded file nodes are labeled with a shortened version of the corresponding file's SHA1 hash.

Host
Icon: host icon

This node type represents a network device.

  • Host nodes are labeled with the IP address of the corresponding host.

  • The host node indicates whether a host is internal or external. Internal hosts display a home icon next to their IP address. Whether a host is internal is determined from the private IP ranges configuration.

  • The maximum impact of incidents affecting the corresponding host is expressed using the color-coded badge on the top-right of the node.

Info
Icon: info icon

This node type represents a detection of an info-level activity. This node only appears in the Network analysis blueprint graph.

  • An info event is created in the presence of activities or behaviors that are not necessarily malicious but provide additional, useful information.

  • The maximum impact of events detected for the corresponding threat is expressed using the color-coded badge on the top-right of the node.

Threat
Icon: threat icon

This node type represents a detection.

  • Threat nodes are labeled with the threat name associated with the detected event.

  • The maximum impact of events detected for the corresponding threat is expressed using the color-coded badge on the top-right of the node.

About Edges

The lines that connect the nodes are called edges.

A host node is connected to threat or analysis report nodes with a dotted line to indicate that the host corresponding to the host node was exposed to the threat represented by the threat or analysis report node.

Other connections are represented with a solid line to express that some activity (for example, a network connection, a DNS look-up, or a web request) related the entities corresponding to the two nodes.
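The node key and edge rules above can be expressed as a small data model. The following is an added example, not NSX Network Detection and Response code: it assumes that "shortened" labels are the first 8 characters of the task UUID or SHA1, that impact scores are integers, and that the private IP ranges configuration is a list of CIDR strings; the impact scores and the full task UUID in the sample graph are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed "private IP ranges" configuration: it decides internal vs. external.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in ("172.30.0.0/16", "10.0.0.0/8")]

@dataclass
class Node:
    kind: str      # host | hostname | analysis_report | downloaded_file | threat
    key: str       # IP address, domain, task UUID, SHA1 or threat name
    impacts: list = field(default_factory=list)  # impact scores of incidents/events

    def label(self):
        """Analysis report and downloaded file nodes show a shortened identifier
        (first 8 characters is an assumption; the page only says 'shortened')."""
        if self.kind in ("analysis_report", "downloaded_file"):
            return self.key[:8]
        return self.key

    def is_internal(self):
        """Host nodes only: internal when the IP is inside a configured private range."""
        if self.kind != "host":
            return None
        ip = ipaddress.ip_address(self.key)
        return any(ip in net for net in PRIVATE_RANGES)

    def badge(self):
        """Top-right badge value: the maximum impact, or None if nothing was detected."""
        return max(self.impacts) if self.impacts else None

def edge_style(a, b):
    """Host exposure to a threat or analysis report is dotted; other relations solid."""
    kinds = {a.kind, b.kind}
    if "host" in kinds and kinds & {"threat", "analysis_report"}:
        return "dotted"
    return "solid"

def build_example_graph():
    """Nodes and edges of the worked example above. Impact scores are constructed;
    the task UUID is a placeholder whose prefix matches the label on the page."""
    victim = Node("host", "172.30.4.99", [85, 60])
    site = Node("hostname", "kharkiv.biz.ua")
    report = Node("analysis_report", "3958ec33-0000-0000-0000-000000000000", [85])
    c2 = Node("host", "75.112.62.42", [85])
    threat = Node("threat", "Emotet command and control", [85])
    target = Node("host", "172.30.6.2", [60])
    edges = [(victim, site), (victim, report), (victim, threat), (threat, c2), (victim, target)]
    return {n.key: n for n in (victim, site, report, c2, threat, target)}, edges
```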

Blueprint interaction

The blueprint graph is interactive: it supports item selection, moving nodes, and zooming in and out.

Nodes and edges can be selected by clicking them; additional information about the selected item is shown in the sidebar.

Hovering your mouse over a node colors the connecting edges, highlighting the interaction of that node.

Individual nodes can be dragged to new positions on the graph. The entire graph can be panned, effectively changing the point of view.

The graph can be zoomed in and out by scrolling the mouse wheel. More details are shown at higher zoom levels. In particular, the badge used with several node types to convey impact information is enriched with the actual impact score.

Campaign Sidebar

The Campaign sidebar is used to display information that is relative to one or more elements of the blueprint graph. By default, it is minimized.

  • Click the details icon to view node or edge information.

  • Click the external link icon to view third-party tools.

To minimize the sidebar, click the right arrowhead icon.

Node or edge information

The node/edge information tab provides additional information about a selected node or edge in the blueprint graph. To select a node, click on its icon in the graph.

The information shown depends on the node type, as follows.

Analysis report

Additional information about an analysis report.

Report details:

  • Analysis reports – Displays the task UUID and score. Click the chain icon to view the analysis report in a new browser tab.

  • MD5 – File hash value.

  • SHA1 – File hash value.

  • Size – File size in bytes.

  • Category – The category the analyzed file belongs to.

  • Type – More detailed information about the file.

Sightings details of the analyzed sample:

  • Number of downloads – The number of times the analyzed file was observed being downloaded.

  • Hosts – IP address of the hosts that downloaded the analyzed file.

  • URLs – The full URL of the downloaded file.

Downloaded file

Additional information about a downloaded file.

File details:

  • MD5 – File hash value.

  • SHA1 – File hash value.

  • Size – File size in bytes.

  • Category – The category the analyzed file belongs to.

  • Type – More detailed information about the file.

Sightings details:

  • Number of downloads – The number of times the analyzed file was observed being downloaded.

  • Downloading hosts – IP address of the hosts that downloaded the analyzed file.

  • URLs – The full URL of the downloaded file.

  • Reports – Displays the report status, task UUID, and score. Click the chain icon to view the analysis report in a new browser tab.

Host

Additional information about a host.

Host-level details:

  • IP address – Geo-located map or local network icon.

  • Hostnames – Domain name for the host.

  • Services – Any services detected on the host.

Incidents involving the host:

  • Number of incidents – Count of all incidents.

  • Max impact – Indicates the maximum impact of all incidents.

  • Threats – A list of the detected events.

A note indicates if the host is internal or external to the monitored network.

HTTP request

Additional information about an HTTP request.

URL details:

  • Download URLs – The observed URL(s) in the HTTP request.

  • Download IPs – The IP address(es) resolved for the HTTP request. Click the network analysis icon to view the request IP address in Network analysis.

Request details:

  • Number of requests – The number of times the HTTP request was observed.

  • Hosts – IP address of the hosts issuing the HTTP request.

  • Referers – The "referer" header values observed in the HTTP request.

  • User agents – User-agent values observed in the HTTP request.

Threat

Additional information about a threat.

Threat details:

  • Threat class – The name of the detected threat class. For example, command&control.

  • Threat – The name of the detected threat. For example, Loki Bot.

  • Severity – The calculated threat score.

  • Information – A description of the detected threat.

When you click an edge, the following information is displayed about the connection:

  • Source node – The source of the connection. This can be a node name, an IP address, a domain name, etc.

  • Target node – The destination of the connection. This can be a node name, an IP address, a domain name, etc.

Under the Source node and Target node entries is the actual source or target of the connection. Click the expand icon to expand the source or target.

Third-party tools

The third-party tools tab links to external tools that may provide additional information about an entity selected in the graph. Currently, the tools supported are DomainTools and VirusTotal.

The following searches are supported:

  • Selecting a host node allows you to search for the corresponding IP address on DomainTools and VirusTotal.

  • Selecting a hostname node allows you to search for the corresponding domain name on DomainTools and VirusTotal.

  • Selecting a downloaded file node allows you to search for the corresponding hash on VirusTotal.

  • Selecting an HTTP request node allows you to search for the request's hostname on DomainTools and VirusTotal.