The NSX Network Detection and Response application provides a filtering mechanism that allows you to focus on the specific event information that is of interest to you. The use of filters is optional.
Procedure
- From the Events page, click to expand the Filters widget.
- Click anywhere in the Filter on text box and select an item from the drop-down menu.
You can select from the following available filters. To further narrow the focus of the displayed information, you can combine multiple filters.

| Filter Name | Description |
|---|---|
| Event outcome | Select All or Info from the drop-down menu. The default is to display events that are determined to be related to a threat. Selecting Info includes only those events that themselves are informational. By tracking these events, you can gain further insight into the activity in your network. |
| Home network | Restrict displayed events by the Home network setting using the drop-down menu. Select Home network only for events within your defined home network. Select Unidentified networks only for events from unknown hosts. |
| Host IP | Restrict displayed events to a specific source IP address, IP address range, or CIDR block. Enter a valid value in the Host IP text box. |
| Host name | Restrict displayed events to a specific source Host name. The full host name or label needs to be provided. |
| Incident ID | Display events that belong to the specified Incident. An Incident ID is a numeric entry, for example, 73142. A valid incident ID must be provided. |
| Minimum impact | Display events that scored the minimum impact level. The range is 1–100. |
| Other host | Restrict the displayed events to a specific host name. |
| Other host IP | Restrict the displayed events to a specific host IP address. The IP address can be entered as one or more IP addresses, CIDR blocks (such as 192.168.0.0/24) or IP address ranges (such as 1.1.1.5-1.1.1.9). |
| Port | Display events using a specific TCP/UDP port. To further filter the displayed events, you can combine this with the Transport filter. |
| Priority | Restrict displayed events by the Priority status. Select Infections, Watchlist, or Nuisances from the drop-down menu. See Infections Over Time for details. |
| Threat | Restrict displayed incidents by a specific Threat. Select a threat from the drop-down menu. The menu is prepopulated with a list of cataloged threats. Use the search function at the top of the menu to quickly find a threat name. |
| Threat class | Restrict display to a specific class of events. Select the threat class from the drop-down menu. The menu is prepopulated with a catalog of classes. |
| Transport | Display events using a specific transport layer protocol. Select TCP or UDP from the drop-down menu. |

- To apply the selected filters, click Apply.
The system applies the selected filters and updates the Events list.
- (Optional) To delete an individual filter, click the REMOVE– button next to its entry. To delete all the selected filters, click the X icon located on the right side of the Filter widget.
The Filters widget collapses when you delete all the selected filters.
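
The Host IP and Other host IP filters accept a single address, a CIDR block, or an address range. The following Python sketch is an added example, not part of the product or its documentation: it normalizes those three forms to an inclusive range so you can check which addresses a value covers. The event records and their field names are constructed for illustration.

```python
import ipaddress

def parse_host_ip_value(value):
    """Return the inclusive (first, last) address bounds for one filter value."""
    value = value.strip()
    if "/" in value:
        # CIDR block. strict=True is this helper's choice: it rejects host bits
        # (e.g. 192.168.0.5/24) instead of silently widening to the whole block.
        net = ipaddress.ip_network(value, strict=True)
        return net.network_address, net.broadcast_address
    if "-" in value:
        # Range such as 1.1.1.5-1.1.1.9; both ends are included.
        start_s, end_s = value.split("-", 1)
        start = ipaddress.ip_address(start_s.strip())
        end = ipaddress.ip_address(end_s.strip())
        if start.version != end.version:
            raise ValueError(f"mixed IPv4/IPv6 range: {value!r}")
        if start > end:
            raise ValueError(f"range start is above range end: {value!r}")
        return start, end
    addr = ipaddress.ip_address(value)  # single address
    return addr, addr

def matches(values, address):
    """True if address falls inside any of the filter values."""
    addr = ipaddress.ip_address(address)
    for value in values:
        first, last = parse_host_ip_value(value)
        if first.version == addr.version and first <= addr <= last:
            return True
    return False

def filter_events(events, values, field):
    """Keep the events whose `field` address is covered by the values."""
    return [e for e in events if matches(values, e[field])]

# Constructed sample records; the field names are hypothetical.
SAMPLE_EVENTS = [
    {"id": 1, "host_ip": "192.168.0.17", "other_host_ip": "1.1.1.4"},
    {"id": 2, "host_ip": "192.168.1.17", "other_host_ip": "1.1.1.5"},
    {"id": 3, "host_ip": "192.168.0.255", "other_host_ip": "1.1.1.9"},
    {"id": 4, "host_ip": "10.0.0.7", "other_host_ip": "1.1.1.10"},
]

if __name__ == "__main__":
    for e in filter_events(SAMPLE_EVENTS, ["192.168.0.0/24", "10.0.0.7"], "host_ip"):
        print("host_ip match:", e["id"])
    for e in filter_events(SAMPLE_EVENTS, ["1.1.1.5-1.1.1.9"], "other_host_ip"):
        print("other_host_ip match:", e["id"])
```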