Threats detected by NSX Network Detection and Response are represented by threat cards on the Threats tab of the Host Profile page.

A threat card displays the calculated threat score, the threat name and class, the detection outcome (if available), the threat status, and other actions. If available, the campaign to which this threat is connected is displayed. Expand the card to see its related evidence.

Use the Sort by drop-down menu to sort the threat cards. You can select from Most recent, Earliest, Highest impact (the default), and Lowest impact.

The Search threats text box provides fast, as-you-enter search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string that you provided.

Toggle the Show closed threats button to filter the displayed threat cards by threat status. The default is to show all threats.

Managing the Threat Cards

The Threat cards show all the threats associated with the selected host and their corresponding threat levels. Each card displays the calculated threat impact, the threat name, the threat class, and if available, the detection outcome. It also shows the status of the threat: Open or Closed.

Click Next steps and select an action from the drop-down menu.

  • Select Close to close the threat. Select Open to reopen a closed threat.

  • Select Manage Alert to create an alert management rule from the threat.

The Evidence Summary section contains an overview of the evidence and other data detected for the threat. Click the right arrowhead or almost anywhere else in the card to expand the evidence details.

If campaign data connected to this threat is available, Campaign with a link to the Campaign summary sidebar is displayed.

Evidence details

The Evidence column displays the file downloads, signatures, and other categories of evidence type, along with a timestamp of when the evidence was seen. When you click the evidence type link, the corresponding Evidence Summary sidebar for that type is displayed on the right side of the page. The Evidence Summary sidebar is available for the following evidence types.

  • Anomaly

  • File download

  • Signature

The Network interactions & network IOCs column displays the IP address or domain name of external hosts. Clicking the link expands the Network Interaction sidebar.

The Supporting data column provides a link to the detection events, as well as a link to the threat details.

Detection outcomes

Threat detection event outcomes have the following possible values, listed in order of severity.

  • Succeeded – The threat was verified to have reached its goal. For example, its check-in attempt to the C&C server completed and data was received from the malicious endpoint.

  • Failed – The threat failed to reach its goal. For example, the C&C server was offline, the attacker made coding errors, and so on.

  • Blocked – The threat was blocked by the NSX Network Detection and Response application or by a third-party application.

If the event outcome is unknown, this field is not displayed.

Network Interaction Sidebar

You expand the Network interaction sidebar by clicking the IP address or domain name link for a specific host in the Network interactions & network IOCs column of the Threats tab.

The impact and IP address of the selected host are displayed at the top of the sidebar.

WHOIS summary

The WHOIS summary section displays key fields from the WHOIS record for the selected IP address or domain name. Click the WHOIS icon to access the WHOIS pop-up window for more details about the IP address or domain. See WHOIS Pop-Up Window for details.

Open in

The Open in... section contains links to third-party providers such as DomainTools, VirusTotal, Google, and others. If there are more providers than fit in the view, click Expand for more (the down arrowhead) to see them.

Anomaly Evidence Summary Sidebar

The Evidence Summary sidebar for an evidence type of Anomaly displays when you click an Anomaly evidence link in the Evidence column of the Threats tab.

Click Ref Event (the right arrowhead) to access the Event profile page and the full details of the associated event.

A brief description of the evidence is provided.

Threat details

The following details about the threat are provided.
  • Threat – Name of the detected security risk.
  • Threat class – Name of the detected security risk class.
  • First seen ↔ Last seen – A graph with the timestamps from when the evidence was first and last seen. The duration is displayed below the graph.

Detector summary

A summary of the detector is displayed. For more details, click the More details link (the right arrowhead) to view the Detector Pop-Up window. See Detector Documentation Pop-Up Window for details.
  • Detector name – The name of the detector.
  • Goal – Short description of the goal of the detector.
  • ATT&CK categorization – If applicable, a link to the MITRE ATT&CK technique is provided. Otherwise, N/A is displayed.

Anomaly details

Details about the anomaly are provided.
  • Description – A brief description of the anomaly detailing how it deviates from baseline behavior or why it should be considered suspicious.

  • State type – The type of anomaly. For example, Outlier.

  • Anomaly – The anomalous item seen on the host. For example, access to an unusual port.

  • Baseline items – The items that are typically seen on this host.

  • Profile created at – Timestamp for the creation of the baseline.

  • Profile updated at – Timestamp for when the anomaly was detected.

Outlier diagram

The diagram illustrates the normal data upload/download for the host for comparison to the data transfer that was flagged as anomalous. The following data might be displayed, depending on the detector.

  • The upload/download size that caused the anomaly alert to be triggered.

  • The maximum upload/download size before the anomaly alert was triggered.

  • The average upload/download size for the host.

File Download Evidence Summary Sidebar

The Evidence Summary sidebar for an evidence type of File Download is displayed when you click a File Download evidence link in the Evidence column of the Threats tab.

Click Ref Event (the right arrowhead) to access the Event profile page and the full details of the associated event.

A brief description of the evidence is provided.

File details

The following details are provided about the file.
  • File type – The high-level type of the downloaded file. See Unique Tab for the list of file types.
  • Confidence – Indicates the probability that the downloaded file is indeed malicious. As the system uses advanced heuristics to detect unknown threats, in some cases, the detected threat might have a lower confidence value if the volume of information available for that specific threat is limited.
  • SHA1 – The SHA1 hash of the file.

Malware identification

A summary of the detected malware is displayed. For more details, click the Analyst report link (the right arrowhead) to view the Analysis report. See Using the Analysis Report for more details.
  • Antivirus class – A label defining the antivirus class of the downloaded file.
  • Antivirus family – A label defining the antivirus family of the downloaded file.
  • Malware – A label defining the malware type of the downloaded file. If the label has the tag icon, click the icon to see the description in a pop-up window.
  • Behavior overview – The detected behaviors of the downloaded file. If there is a lot of data, a partial list is displayed by default. Click Expand for more (the down arrowhead) to view more. Toggle it closed again by clicking Collapse for less (the up arrowhead).

Open in ...

To open the downloaded file in a specific service, click one of the icons for the providers. By default, this displays a partial list of providers.

Download details

The details of the downloaded file are displayed. For more details, click the Analyst report link (the right arrowhead) to view the Analysis report. See Using the Analysis Report for more details.

  • File name – The resource path to the downloaded file.

  • URL – The full URL to the downloaded file.

  • First seen – The timestamp from when the downloaded file was first seen. If there have been multiple instances of this file, this is a range of timestamps.

  • Downloaded from – The IP address of the source server.

  • Protocol – The protocol that was used to transfer the downloaded file from the source server.

  • User agent – If available, the user agent string seen for the download request.

Signature Evidence Summary Sidebar

The Evidence Summary sidebar for an evidence type of Signature is displayed when you click a Signature evidence link in the Evidence column of the Threats tab.

Click Ref Event (the right arrowhead) to access the Event profile page and the full details of the associated event.

A brief description of the evidence is provided.

Threat details

The following details are provided about the threat.

  • Threat – Name of the detected security risk.

  • Threat class – Name of the detected security risk class.

  • Activity – If available, displays the detected current activity of the threat.

  • Confidence – Indicates the probability that the detected threat is malicious. For events that show analysis results, for example a file download, a score is displayed.

  • First seen ↔ Last seen – A graph with the timestamps from when the evidence was first and last seen. The duration is displayed below the graph.

Traffic details

The Reference event traffic widget provides an overview of the traffic observed between the hosts involved in the referenced event. At least one host involved in the event is a monitored host. The communicating host may be a monitored host or an external system.

The arrow indicates the traffic direction between the hosts.

For each host, the IP address is displayed. If the host is local, the address is a link that you can click to view the Host profile page. A geo-located flag, a home icon, or a network icon might be displayed; more than one can be displayed. If available, a host name is displayed. Any host tags applied to the host are displayed. If available, click the globe icon to view host details in the WHOIS pop-up window. See WHOIS Pop-Up Window for details.

Detector summary

A summary of the detector is displayed. For more details, click the More details link (the right arrowhead) to view the Detector Pop-Up window. See Detector Documentation Pop-Up Window for details.

  • Detector name – The name of the detector.

  • Goal – Short description of the goal of the detector.

  • IDS Rule – Click the View rule link (if available) to display the Detector Pop-Up window, which can contain the IDS rule. See Detector Documentation Pop-Up Window for details.