The NSX Network Detection and Response application provides a filtering mechanism that allows you to focus on the specific event information that is of interest to you. The use of filters is optional.

Procedure

  1. From the Events page, click the plus icon to expand the Filters widget.
  2. Click anywhere in the Filter on text box and select an item from the drop-down menu.

    You can select from the following available filters. To further narrow the focus of the displayed information, you can combine multiple filters.

    | Filter Name | Description |
    |---|---|
    | Event outcome | Select All or Info from the drop-down menu. The default is to display events that are determined to be related to a threat. Selecting Info includes only those events that themselves are informational. By tracking these events, you can gain further insight into the activity in your network. |
    | Home network | Restrict displayed events by the Home network setting using the drop-down menu. Select Home network only for events within your defined home network. Select Unidentified networks only for events from unknown hosts. |
    | Host IP | Restrict displayed events to a specific source IP address, IP address range, or CIDR block. Enter a valid value in the Host IP text box. |
    | Host name | Restrict displayed events to a specific source Host name. The full host name or label needs to be provided. |
    | Incident ID | Display events that belong to the specified Incident. An Incident ID is a numeric entry, for example, 73142. A valid incident ID must be provided. |
    | Minimum impact | Display events that scored the minimum impact level. The range is 1–100. |
    | Other host | Restrict the displayed events to a specific host name. |
    | Other host IP | Restrict the displayed events to a specific host IP address. The IP address can be entered as one or more IP addresses, CIDR blocks (such as 192.168.0.0/24) or IP address ranges (such as 1.1.1.5-1.1.1.9). |
    | Port | Display events using a specific TCP/UDP port. To further filter the displayed events, you can combine this with the Transport filter. |
    | Priority | Restrict displayed events by the Priority status. Select Infections, Watchlist, or Nuisances from the drop-down menu. See Infections Over Time for details. |
    | Threat | Restrict displayed incidents by a specific Threat. Select a threat from the drop-down menu. The menu is prepopulated with a list of cataloged threats. Use the search function at the top of the menu to quickly find a threat name. |
    | Threat class | Restrict display to a specific class of events. Select the threat class from the drop-down menu. The menu is prepopulated with a catalog of classes. |
    | Transport | Display events using a specific transport layer protocol. Select TCP or UDP from the drop-down menu. |

  3. To apply the selected filters, click Apply.

    The system applies the selected filters and updates the Events list.

  4. (Optional) To delete an individual filter, click the REMOVE– button next to its entry. To delete all the selected filters, click the X icon located on the right side of the Filter widget.

    The Filters widget collapses when you delete all the selected filters.
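
To check which addresses a Host IP or Other host IP value covers before you enter it, the following added example (not part of the product or its documentation) parses the three forms listed above: single address, CIDR block, and address range. It assumes multiple entries are separated by commas or whitespace; the function names, event field names, and sample events are constructed for illustration.

```python
import ipaddress
import re

def parse_term(term):
    """Return the (first, last) address covered by one filter term."""
    if "/" in term:  # CIDR block, e.g. 192.168.0.0/24
        net = ipaddress.ip_network(term)  # rejects blocks with host bits set
        return net.network_address, net.broadcast_address
    if "-" in term:  # address range, e.g. 1.1.1.5-1.1.1.9
        lo, hi = (ipaddress.ip_address(p) for p in term.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {term!r}")
        return lo, hi
    ip = ipaddress.ip_address(term)  # single address
    return ip, ip

def parse_filter(value):
    """Parse a whole filter value into a list of (first, last) pairs."""
    # Assumption: entries are separated by commas and/or whitespace.
    terms = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    if not terms:
        raise ValueError("empty filter value")
    return [parse_term(t) for t in terms]

def matches(value, address):
    """True if address falls inside any term of the filter value."""
    ip = ipaddress.ip_address(address)
    return any(lo.version == ip.version and lo <= ip <= hi
               for lo, hi in parse_filter(value))

def covered(value):
    """Number of addresses the filter value spans (overlaps counted twice)."""
    return sum(int(hi) - int(lo) + 1 for lo, hi in parse_filter(value))

# Constructed sample events (field names are hypothetical).
EVENTS = [
    {"src": "192.168.0.77", "port": 445},
    {"src": "192.168.1.20", "port": 53},
    {"src": "1.1.1.7", "port": 443},
    {"src": "1.1.1.10", "port": 443},
]

def select(events, value):
    """Keep only the events whose source address matches the filter value."""
    return [e for e in events if matches(value, e["src"])]

if __name__ == "__main__":
    for e in select(EVENTS, "192.168.0.0/24, 1.1.1.5-1.1.1.9"):
        print(e)
```

A value such as 192.168.0.5/24 or 1.1.1.9-1.1.1.5 raises ValueError here, which catches a mistyped block or reversed range before it silently narrows or empties the Events list.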