An incident represents a security-relevant activity that NSX Network Detection and Response detected has occurred in the monitored network. An incident may consist of a single event, or a number of events that have been automatically correlated, and that have been determined to be closely related. The incidents list shows the registered incidents with their corresponding threat levels.
You can see all reported incidents that have been determined to be critical, those that you should keep an eye on, or those that are considered to be nuisances in your network. Critical incidents must be handled without delay. Failing to deal with critical incidents is highly risky, and increases the probability that other hosts in your network may be compromised as well.
Incidents that you have not examined yet are marked as unread, while those that you have already examined are marked as read. You have the option of selecting incidents and to perform actions on them such as marking them as read or unread. You can also close or open selected incidents.
The Quick search text box above the list provides fast, as-you-enter search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.
Use the SELECT drop-down menu for a fine-tuned selection. Its options allow you to select All visible incidents or to Clear selection. You can also select Read (current page) or Unread (current page) incidents. You can also click the Edit icon in the title row to select all visible messages.
Use the ACTION drop-down menu to update the selected incidents: Mark as read, Mark as unread, Close, or Open.
Customize the number of rows to be displayed. The default is 20 entries. Use the and icons to navigate through multiple pages.
The columns to be displayed in the list can be customized by clicking the additional content icon.
Each row is a summary of an incident. Click the Plus icon (or anywhere on an entry row) to access the incident details. To select a message row, click the Edit icon.
The list is sorted by Impact and includes the following columns.
Column |
Description |
---|---|
Host |
The host affected by this incident. This column displays the IP address, host name, or label of the host, depending on the current Display settings pop-up. Click the icon to view the Host profile page, showing details about the host. Click the icon to sort the list by host information. |
Detection Events |
Number of events that comprise this incident. This is a link displaying an event count and the icon. Clicking this link loads the Events page, filtered to show only events for this incident. Click the icon to sort the list by events. |
Start |
Start time of incident. Click the icon to sort the list by start time. |
End |
End time of incident. Click the icon to sort the list by end time. |
Threat |
Name of the detected security risk. Click the icon to sort the list by threat. |
Threat class |
Name of the detected security risk class. Click the Sort icon to sort the list by threat class. |
Impact |
The impact value indicates the critical level of the detected threat and ranges from 1 to 100:
If the stop icon appears, it indicates the artifact has been blocked. The list is sorted by decreasing order of impact (most critical incidents at the top). Click the icon to sort the list in increasing order (least critical incidents at the top), then click the angle down icon to toggle back to the default. |
Incident Details
When you click anywhere in an incident row, the Incident Details view is expanded within the incident list.
There are a number of buttons along the top of the incident details:
-
Click the button to close the incident.
-
Use the Action drop-down menu to perform an action on the incident:
-
If the incident is not yet closed, select Close incident . Otherwise, select Open incident.
-
If the incident is not yet read, select Mark as read. Otherwise, select Mark as unread.
-
Select Ignore threat. The threat details are listed in the menu item. Selecting this item indicates that the presence of this particular threat on the host is not of interest. Therefore, all incidents where this threat is detected on this host are closed automatically.
-
Select Mark host <host> as cleaned. The system marks the host that is involved in the incident as cleaned. As a result, all incidents on that host are closed.
-
-
Clicking View Incident Details displays the contents of the Incident Profile page in a new browser tab.
-
Clicking Manage Alert launches the Manage alert sidebar. Use this feature to suppress or demote harmless events associated with the specified incident, such as the system Test or Blocking related incidents. See Working with the Manage Alert Sidebar for more details.
-
Click Mark as read to mark the incident. The button toggles to Mark as unread which allows you to revert its read status.
Incident summary
The top section provides a visual overview of the detected threat and displays its impact score.
Incident Details
Column | Description |
---|---|
Source IP | The IP address of the incident source. Click the icon to view the Activity for host page. Click the icon to view the source in the Network analysis page. |
Source host | If available, the FQDN of the incident source. |
Events | The number of events that make up this incident. |
Incident ID | A permalink to the Incident profile page. The link opens in a new browser tab/window. |
Campaign ID | A permalink to the campaigns page. The link opens in a new browser tab. |
Impact | The impact score applied by the system to this incident. |
Start time | A timestamp for the beginning of the incident. |
End time | A timestamp for the last recorded event of the incident. |
Status | Shows if the incident has been closed. |
Evidence
The Evidence widget when expanded displays the list of events detected by NSX Network Detection and Response.
The columns to be displayed in the list can be customized by clicking the icon.
Column | Description |
---|---|
First seen | Timestamp from when this event was first seen. |
Last seen | Timestamp from when this event was last seen. |
Threat | Name of the detected security risk. |
Threat class | Name of the detected security risk class. |
Impact | The impact score applied to this incident. |
Evidence | The evidence category of this incident. The title of the evidence details block is derived from the category name. |
Subject | The artifact, typically a file, that is being analyzed. |
Reference | A permalink to the event page. The link opens in a new browser tab. |
Evidence Details
Click the icon (or anywhere on an incident entry row) to display the evidence details block.
The title of the evidence details block is derived from the type of evidence. For example, Reputation Evidence.
Data | Description |
---|---|
Threat | Name of the detected security risk. |
Threat class | Name of the detected security risk class. |
Impact | The Impact score applied to this incident. |
Detector | If present, displays the NSX Network Detection and Response module that identified the threat. Click the link to view the Detector pop-up window. See Detector Documentation Pop-Up Window. |
View network event | A permalink to the event page. The link opens in a new browser tab. |
View network event | A permalink to the event page. The link opens in a new browser tab. |
First seen | Timestamp from when this event was first seen. |
Last seen | Timestamp from when this event was last seen. |
Severity | An estimate of how critical the detected threat is. For example, a connection to a command and control server is typically considered high severity as the connection is potentially damaging. |
Confidence | Indicates the probability that the detected individual threat is indeed malicious. As the system uses advanced heuristics to detect unknown threats, in some cases, the detected threat may have a lower confidence value if the volume of information available for that specific threat is limited. |
Subject | If present, displays the artifact, typically a file, that is being analyzed. |
See About Evidence for further details.