An incident represents a security-relevant activity that NSX Network Detection and Response has detected in the monitored network. An incident may consist of a single event, or of a number of events that have been automatically correlated and determined to be closely related. The incidents list shows the registered incidents with their corresponding threat levels.

You can see all reported incidents that have been determined to be critical, those that you should keep an eye on, or those that are considered to be nuisances in your network. Critical incidents must be handled without delay. Failing to deal with critical incidents is highly risky, and increases the probability that other hosts in your network may be compromised as well.

Incidents that you have not examined yet are marked as unread, while those that you have already examined are marked as read. You can select incidents and perform actions on them, such as marking them as read or unread. You can also close or open selected incidents.

The Quick search text box above the list provides fast, as-you-enter search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

Use the SELECT drop-down menu for a fine-tuned selection. Its options allow you to select All visible incidents or to Clear selection. You can also select Read (current page) or Unread (current page) incidents. You can also click the Edit icon in the title row to select all visible messages.

Use the ACTION drop-down menu to update the selected incidents: Mark as read, Mark as unread, Close, or Open.

Customize the number of rows to be displayed. The default is 20 entries. Use the left and right arrowhead icons to navigate through multiple pages.

The columns to be displayed in the list can be customized by clicking the additional content icon.

Each row is a summary of an incident. Click the Plus icon (or anywhere on an entry row) to access the incident details. To select a message row, click the Edit icon.

The list is sorted by Impact and includes the following columns.

Column

Description

Host

The host affected by this incident. This column displays the IP address, host name, or label of the host, depending on the current Display settings pop-up.

Click the search icon to view the Host profile page, which shows details about the host.

Click the sort icon to sort the list by host information.

Detection Events

Number of events that comprise this incident. This is a link showing the event count and a search icon. Clicking this link loads the Events page, filtered to show only events for this incident.

Click the sort icon to sort the list by events.

Start

Start time of incident.

Click the sort icon to sort the list by start time.

End

End time of incident.

Click the sort icon to sort the list by end time.

Threat

Name of the detected security risk.

Click the sort icon to sort the list by threat.

Threat class

Name of the detected security risk class.

Click the Sort icon to sort the list by threat class.

Impact

The impact value indicates the criticality of the detected threat and ranges from 1 to 100:

  • Threats scored 70 or above are considered to be critical.

  • Threats scored between 30 and 69 are considered to be medium-risk.

  • Threats scored between 1 and 29 are considered to be benign.

If the stop icon appears, it indicates the artifact has been blocked.

The list is sorted by decreasing order of impact (most critical incidents at the top). Click the sort-up icon to sort the list in increasing order (least critical incidents at the top), then click the sort-down icon to toggle back to the default.

Incident Details

When you click anywhere in an incident row, the Incident Details view is expanded within the incident list.

There are a number of buttons along the top of the incident details:

  • Click the archive icon button to close the incident.

  • Use the Action drop-down menu to perform an action on the incident:

    • If the incident is not yet closed, select Close incident (archive icon). Otherwise, select Open incident.

    • If the incident is not yet read, select Mark as read. Otherwise, select Mark as unread.

    • Select Ignore threat. The threat details are listed in the menu item. Selecting this item indicates that the presence of this particular threat on the host is not of interest. Therefore, all incidents where this threat is detected on this host are closed automatically.

    • Select Mark host <host> as cleaned. The system marks the host that is involved in the incident as cleaned. As a result, all incidents on that host are closed.

  • Clicking the magnifying glass icon (View Incident Details) displays the contents of the Incident Profile page in a new browser tab.

  • Clicking Manage Alert launches the Manage alert sidebar. Use this feature to suppress or demote harmless events associated with the specified incident, such as the system Test or Blocking related incidents. See Working with the Manage Alert Sidebar for more details.

  • Click the summary icon (Mark as read) to mark the incident as read. The button toggles to Mark as unread, which allows you to revert its read status.
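The following is an added example, not part of the VMware documentation or the NSX Network Detection and Response product code. It models the incident-list semantics described above in plain Python so the rules can be checked on data: the impact bands (70 or above critical, 30 to 69 medium, 1 to 29 benign), the default sort by decreasing impact with the sort-up toggle, the Quick search that matches text in any field, and the bulk-close behaviour of Ignore threat (all incidents with that threat on that host) versus Mark host as cleaned (all incidents on that host). The Incident class, the function names and the sample rows are assumptions constructed for the example; the product exposes none of them as an API.

```python
"""Triage model of the NSX NDR incidents list (added example, not product code).

Assumes incidents are plain records carrying the fields the list displays; the
Incident class, function names and sample rows below are constructed for this
example and are not an interface of the product.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Incident:
    """One row of the incidents list (fields as shown in the list columns)."""
    incident_id: str
    host: str          # IP, host name or label, depending on Display settings
    threat: str
    threat_class: str
    impact: int        # 1..100
    events: int        # number of correlated detection events
    start: str
    end: str
    status: str = "open"   # "open" or "closed"
    read: bool = False


def impact_band(impact: int) -> str:
    """Map an impact score to the documented band (70+, 30-69, 1-29)."""
    if not 1 <= impact <= 100:
        raise ValueError(f"impact score out of range 1..100: {impact}")
    if impact >= 70:
        return "critical"
    if impact >= 30:
        return "medium"
    return "benign"


def sort_by_impact(incidents, ascending: bool = False):
    """Default list order is decreasing impact; ascending=True mirrors the sort-up toggle."""
    return sorted(incidents, key=lambda inc: inc.impact, reverse=not ascending)


def quick_search(incidents, query: str):
    """As-you-type filter: keep rows where any displayed field contains the query text."""
    q = query.lower()
    matches = []
    for inc in incidents:
        fields = (inc.host, inc.threat, inc.threat_class, str(inc.impact),
                  str(inc.events), inc.start, inc.end, inc.status)
        if any(q in value.lower() for value in fields):
            matches.append(inc)
    return matches


def ignore_threat(incidents, host: str, threat: str) -> int:
    """'Ignore threat': close every open incident with this threat on this host; return the count closed."""
    closed = 0
    for inc in incidents:
        if inc.host == host and inc.threat == threat and inc.status == "open":
            inc.status = "closed"
            closed += 1
    return closed


def mark_host_cleaned(incidents, host: str) -> int:
    """'Mark host as cleaned': close every open incident on that host; return the count closed."""
    closed = 0
    for inc in incidents:
        if inc.host == host and inc.status == "open":
            inc.status = "closed"
            closed += 1
    return closed


def open_critical(incidents):
    """Work queue: open incidents in the critical band, most critical first."""
    return [inc for inc in sort_by_impact(incidents)
            if inc.status == "open" and impact_band(inc.impact) == "critical"]


def sample_incidents():
    """Constructed sample rows (not real detections); a fresh list on every call."""
    return [
        Incident("INC-1", "10.0.0.5", "Command and control traffic", "command&control",
                 85, 12, "2024-01-10 09:02", "2024-01-10 11:40"),
        Incident("INC-2", "10.0.0.5", "Adware download", "adware",
                 25, 1, "2024-01-10 09:30", "2024-01-10 09:30"),
        Incident("INC-3", "10.0.0.8", "Suspicious DNS lookups", "dns anomaly",
                 45, 4, "2024-01-11 14:00", "2024-01-11 14:25"),
        Incident("INC-4", "10.0.0.9", "Command and control traffic", "command&control",
                 70, 6, "2024-01-11 16:10", "2024-01-11 18:00"),
        Incident("INC-5", "10.0.0.8", "Command and control traffic", "command&control",
                 69, 3, "2024-01-12 08:15", "2024-01-12 08:20"),
    ]


if __name__ == "__main__":
    rows = sample_incidents()
    for inc in sort_by_impact(rows):
        print(f"{inc.incident_id} {inc.host:<10} {inc.impact:>3} "
              f"{impact_band(inc.impact):<8} {inc.threat}")
    print("rows for 10.0.0.8:", [i.incident_id for i in quick_search(rows, "10.0.0.8")])
    print("closed by Ignore threat:",
          ignore_threat(rows, "10.0.0.8", "Command and control traffic"))
    print("open critical queue:", [i.incident_id for i in open_critical(rows)])
```

The boundary rows INC-4 (impact 70) and INC-5 (impact 69) show why the band thresholds matter for a work queue: a filter written as `impact > 70` would silently drop a critical incident. Ignore threat is deliberately narrower than Mark host as cleaned; in the sample it closes only the command-and-control incident on 10.0.0.8 and leaves the DNS incident on the same host open.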

Incident summary

The top section provides a visual overview of the detected threat and displays its impact score.

Incident Details

The Incident Details widget displays detailed network information about the incident. It includes the following data.
Column Description
Source IP The IP address of the incident source. Click the magnifying glass icon to view the Activity for host page. Click the network analysis icon to view the source in the Network analysis page.
Source host If available, the FQDN of the incident source.
Events The number of events that make up this incident.
Incident ID A permalink to the Incident profile page. The link opens in a new browser tab/window.
Campaign ID A permalink to the campaigns page. The link opens in a new browser tab.
Impact The impact score applied by the system to this incident.
Start time A timestamp for the beginning of the incident.
End time A timestamp for the last recorded event of the incident.
Status Shows if the incident has been closed.

Evidence

The Evidence widget, when expanded, displays the list of events detected by NSX Network Detection and Response.

The columns to be displayed in the list can be customized by clicking the three horizontal bars icon.

Each row is a summary of an evidence entry and includes the following columns.
Column Description
First seen

Timestamp from when this event was first seen.

Last seen

Timestamp from when this event was last seen.

Threat

Name of the detected security risk.

Threat class

Name of the detected security risk class.

Impact

The impact score applied to this incident.

Evidence

The evidence category of this incident. The title of the evidence details block is derived from the category name.

Subject

The artifact, typically a file, that is being analyzed.

Reference

A permalink to the event page. The link opens in a new browser tab.

Evidence Details

Click the plus sign in a circle icon (or anywhere on an incident entry row) to display the evidence details block.

The title of the evidence details block is derived from the type of evidence. For example, Reputation Evidence.

This section displays more detailed information about the evidence. It includes the following data.
Data Description
Threat Name of the detected security risk.
Threat class Name of the detected security risk class.
Impact The Impact score applied to this incident.
Detector If present, displays the NSX Network Detection and Response module that identified the threat. Click the link to view the Detector pop-up window. See Detector Documentation Pop-Up Window.
View network event A permalink to the event page. The link opens in a new browser tab.
First seen Timestamp from when this event was first seen.
Last seen Timestamp from when this event was last seen.
Severity An estimate of how critical the detected threat is. For example, a connection to a command and control server is typically considered high severity as the connection is potentially damaging.
Confidence Indicates the probability that the detected individual threat is indeed malicious. As the system uses advanced heuristics to detect unknown threats, in some cases, the detected threat may have a lower confidence value if the volume of information available for that specific threat is limited.
Subject If present, displays the artifact, typically a file, that is being analyzed.

See About Evidence for further details.