Familiarize yourself with the following key terms used with the NSX Network Detection and Response feature.

| Terminology | Definition |
| --- | --- |
| Campaign | A correlated set of incidents that affect one or more workloads over a period of time. |
| Event | Represents a security-relevant activity that has occurred in the monitored network. An event can involve multiple data flows (for example, TCP connections), but it represents a single type of activity occurring between a specific pair of IP addresses over a short period of time. Multiple events are automatically aggregated into incidents. |
| Incident | Represents a security-relevant activity that has occurred in the monitored network. An incident can consist of a single event or of several events that have been automatically aggregated into it. |
| Infection | An incident that has been determined to be critical. Infections should be dealt with without delay. |
| Nuisance | An incident of low risk. This typically corresponds to potentially unwanted or risky activity that does not necessarily indicate a compromise or infection on the monitored network. Nuisances are tracked because they contribute to a more comprehensive network situational awareness. |
| Event Impact Score | The overall impact score calculated for an event detected by the NSX Network Detection and Response feature. A score ranges from 0-100, with 100 being the most dangerous detection. The following levels of event impact are used: Low (impact 1-29), Medium (impact 30-69), High (impact 70-100). |
| Watchlist | An incident that has been determined to be of medium risk. Such incidents, while indicating a potential risk, do not need immediate attention. They are kept under close watch in case new evidence appears that modifies their status. For example, an incident involving an inoperative command and control infrastructure is classified as watchlisted. |
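As an added example, not code from the NSX documentation or the product itself: a small Python triage helper that maps event impact scores to the documented Low/Medium/High levels and rolls constructed events into incidents keyed by IP pair, the way the glossary describes events being aggregated. The one-hour aggregation window and the "worst event sets the incident score" rule are assumptions for illustration, not NSX's actual logic.

```python
from dataclasses import dataclass

# Impact levels as documented: Low 1-29, Medium 30-69, High 70-100.
LOW_MAX, MEDIUM_MAX = 29, 69
# Assumption (not from the documentation): events between the same IP pair
# no more than this many seconds apart are aggregated into one incident.
INCIDENT_WINDOW_SECONDS = 3600

@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch
    src: str
    dst: str
    activity: str  # the single type of activity the event represents
    score: int     # event impact score, 0-100

def impact_level(score: int) -> str:
    """Map an event impact score to its documented level."""
    if not 0 <= score <= 100:
        raise ValueError(f"impact score out of range: {score}")
    if score <= LOW_MAX:  # 0 sits below the Low band; treated as Low here
        return "Low"
    return "Medium" if score <= MEDIUM_MAX else "High"

def aggregate(events):
    """Group events into incidents keyed by IP pair and time proximity.
    Returns a list of dicts; an incident's score is its worst event's score."""
    incidents, open_by_pair = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        inc = open_by_pair.get((ev.src, ev.dst))
        if inc and ev.ts - inc["last_ts"] <= INCIDENT_WINDOW_SECONDS:
            inc["events"].append(ev)
        else:  # first event for this pair, or the window has elapsed
            inc = {"src": ev.src, "dst": ev.dst, "events": [ev]}
            incidents.append(inc)
            open_by_pair[(ev.src, ev.dst)] = inc
        inc["last_ts"] = ev.ts
        inc["score"] = max(e.score for e in inc["events"])
        inc["level"] = impact_level(inc["score"])
    return incidents

# Constructed sample events, not real detections.
SAMPLE_EVENTS = [
    Event(1000, "10.0.0.5", "203.0.113.7", "suspicious DNS query", 25),
    Event(1300, "10.0.0.5", "203.0.113.7", "command-and-control beacon", 85),
    Event(1500, "10.0.0.9", "198.51.100.2", "port scan", 40),
    Event(9000, "10.0.0.5", "203.0.113.7", "command-and-control beacon", 85),
]
```

Running `aggregate(SAMPLE_EVENTS)` yields three incidents: the first two events for 10.0.0.5 merge into one High incident, the port scan forms a Medium incident, and the late beacon starts a new incident because it falls outside the assumed window.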