Threats detected by NSX Network Detection and Response are represented by threat cards on the Threats tab of the Host Profile page.
A threat card displays the calculated threat score, the threat name and class, the detection outcome (if available), the threat status, and the actions available for the threat. If the threat is connected to a campaign, the campaign is displayed as well. Expand the card to see its related evidence.
Use the Sort by drop-down menu to sort the threat cards. You can select from Most recent, Earliest, Highest impact (the default), and Lowest impact.
The Search threats text box provides fast, as-you-type search. It filters the threat cards, displaying only those that have text in any field matching the query string that you entered.
Toggle the Show closed threats button to filter the displayed threat cards by threat status. The default is to show all threats.
Managing the Threat Cards
The Threat cards show all the threats associated with the selected host and their corresponding threat levels. Each card displays the calculated threat impact, the threat name, the threat class, and if available, the detection outcome. It also shows the status of the threat: Open or Closed.
Click Next steps and select an action from the drop-down menu.
Select Close to close the threat. Select Open to reopen a closed threat.
Select Manage Alert to create an alert management rule from the threat.
The Evidence Summary section contains an overview of the evidence and other data detected for the threat. Click the expand icon, or almost anywhere else on the card, to expand the evidence details.
If campaign data connected to this threat is available, Campaign with a link to the Campaign summary sidebar is displayed.
Evidence details
The Evidence column lists each piece of evidence by type (file download, signature, anomaly, and so on) along with a timestamp of when the evidence was seen. When you click the evidence type link, the corresponding Evidence Summary sidebar for that type is displayed on the right side of the page. The Evidence Summary sidebar is available for the following evidence types.
Anomaly
File download
Signature
The Network interactions & network IOCs column displays the IP address or domain name of external hosts. Clicking the link expands the Network Interaction sidebar.
The Supporting data column provides a link to the detection events, as well as a link to the threat details.
Detection outcomes
Threat detection event outcomes have the following possible values, listed in order of severity.
Detection Outcome | Description |
---|---|
Succeeded | The threat was verified to have reached its goal. For example, the check-in to the C&C server completed and the malicious endpoint returned data. |
Failed | The threat did not reach its goal. For example, the C&C server was offline or the attacker's code contained errors. |
Blocked | The threat was blocked by the NSX Network Detection and Response application or by a third-party application. |
If the event outcome is unknown, this field is not displayed.
Network Interaction Sidebar
You expand the Network interaction sidebar by clicking the IP address or domain name link for a specific host in the Network interactions & network IOCs column of the Threats tab.
The impact and IP address of the selected host are displayed at the top of the sidebar.
WHOIS summary
The WHOIS summary section displays key fields from the WHOIS record for the selected IP address or domain name. Click the icon to access the WHOIS pop-up window for more details about the IP address or domain. See WHOIS Pop-Up Window for details.
Open in
The Open in... section contains links to third-party providers such as DomainTools, VirusTotal, Google, and others. If there are more providers than fit in the view, you can click Expand for more to see them.
Anomaly Evidence Summary Sidebar
The Evidence Summary sidebar for an evidence type of Anomaly displays when you click an Anomaly evidence link in the Evidence column of the Threats tab.
Click Ref Event to access the Event profile page and the full details of the associated event.
A brief description of the evidence is provided.
Threat details
- Threat – Name of the detected security risk.
- Threat class – Name of the detected security risk class.
- First seen / Last seen – A graph with the timestamps from when the evidence was first and last seen. The duration is displayed below the graph.
Detector summary
- Detector name – The name of the detector.
- Goal – Short description of the goal of the detector.
- ATT&CK categorization – If applicable, a link to the MITRE ATT&CK technique is provided. Otherwise, N/A is displayed.
Anomaly details
Detail | Description |
---|---|
Description | A brief description of the anomaly detailing how it deviates from baseline behavior or why it should be considered suspicious. |
State type | The type of anomaly. For example, Outlier. |
Anomaly | The anomalous item seen on the host. For example, access to an unusual port. |
Baseline items | The items that are typically seen on this host. |
Profile created at | Timestamp for the creation of the baseline. |
Profile updated at | Timestamp for when the anomaly was detected. |
Outlier diagram | The diagram compares the host's normal data upload/download volume with the data transfer that was flagged as anomalous. The data that is displayed depends on the detector. |
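The Anomaly details fields above (State type, Anomaly, Baseline items, profile timestamps) are easier to read once you have seen how a baseline-versus-outlier comparison produces them. The following Python is an added illustration written for this page, not NSX Network Detection and Response's own detector logic: it learns a per-host profile from constructed flow records (ports used and a median/MAD estimate of upload volume), then evaluates a new flow for an unusual port or an outlying transfer size and emits records shaped like the table. The host address, the flow data and the sensitivity factor `k` are all assumptions for the example.

```python
import statistics
from dataclasses import dataclass

# Constructed flow records for one monitored host, used only to illustrate the
# baseline/outlier logic; they are not NSX NDR data.
# Each record: (timestamp, destination port, bytes uploaded by the host).
BASELINE_FLOWS = [
    ("2024-05-01T09:00:00Z", 443, 12_000),
    ("2024-05-01T09:05:00Z", 443, 15_500),
    ("2024-05-01T09:20:00Z", 53, 300),
    ("2024-05-01T10:00:00Z", 443, 11_800),
    ("2024-05-01T10:30:00Z", 445, 8_000),
    ("2024-05-01T11:00:00Z", 443, 13_200),
    ("2024-05-01T11:45:00Z", 53, 280),
    ("2024-05-02T09:10:00Z", 443, 14_100),
]


@dataclass(frozen=True)
class HostProfile:
    """Per-host baseline: the ports normally used and a robust upload-volume estimate."""
    host: str
    ports: frozenset
    median_bytes: float
    mad_bytes: float
    created_at: str  # corresponds to "Profile created at"


def build_profile(host, flows):
    """Learn the baseline from historical flows. Median and MAD (median absolute
    deviation) are used instead of mean/stddev so that a few large but legitimate
    transfers do not inflate the threshold."""
    if not flows:
        raise ValueError("cannot build a baseline from zero flows")
    sizes = [size for _, _, size in flows]
    median = statistics.median(sizes)
    mad = statistics.median(abs(size - median) for size in sizes)
    return HostProfile(
        host=host,
        ports=frozenset(port for _, port, _ in flows),
        median_bytes=median,
        mad_bytes=mad,
        created_at=min(ts for ts, _, _ in flows),
    )


def evaluate_flow(profile, flow, k=5.0):
    """Compare one new flow with the baseline and return anomaly records shaped
    like the Anomaly details table. k is an assumed sensitivity factor; a real
    detector would tune it per host and per data type."""
    ts, port, size = flow
    findings = []
    if port not in profile.ports:
        findings.append({
            "State type": "Outlier",
            "Description": f"{profile.host} contacted port {port}, never seen in its baseline",
            "Anomaly": f"destination port {port}",
            "Baseline items": sorted(profile.ports),
            "Profile created at": profile.created_at,
            "Profile updated at": ts,  # when the anomaly was detected
        })
    threshold = profile.median_bytes + k * profile.mad_bytes
    if size > threshold:
        findings.append({
            "State type": "Outlier",
            "Description": f"{profile.host} uploaded {size} bytes in one flow; "
                           f"baseline median is {profile.median_bytes:.0f}",
            "Anomaly": f"upload of {size} bytes (threshold {threshold:.0f})",
            "Baseline items": [f"median {profile.median_bytes:.0f} bytes",
                               f"MAD {profile.mad_bytes:.0f} bytes"],
            "Profile created at": profile.created_at,
            "Profile updated at": ts,
        })
    return findings


if __name__ == "__main__":
    profile = build_profile("10.0.0.25", BASELINE_FLOWS)
    for flow in [("2024-05-03T02:15:00Z", 4444, 500),         # unusual port
                 ("2024-05-03T02:16:00Z", 443, 250_000_000),  # volume outlier
                 ("2024-05-03T09:00:00Z", 443, 12_500)]:      # within baseline
        for finding in evaluate_flow(profile, flow):
            print(finding)
```

The third flow in the usage block produces no finding, which is the point of keeping Baseline items in the record: an analyst triaging the card can see at a glance what "normal" looked like for this host when the profile was built.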
File Download Evidence Summary Sidebar
The Evidence Summary sidebar for an evidence type of File Download is displayed when you click a File Download evidence link in the Evidence column of the Threats tab.
Click Ref Event to access the Event profile page and the full details of the associated event.
A brief description of the evidence is provided.
File details
- File type – The high-level type of the downloaded file. See Unique Tab for the list of file types.
- Confidence – Indicates the probability that the downloaded file is indeed malicious. As the system uses advanced heuristics to detect unknown threats, in some cases, the detected threat might have a lower confidence value if the volume of information available for that specific threat is limited.
- SHA1 – The SHA1 hash of the file.
Malware identification
- Antivirus class – A label defining the antivirus class of the downloaded file.
- Antivirus family – A label defining the antivirus family of the downloaded file.
- Malware – A label defining the malware type of the downloaded file. If the label has the icon, click the icon to see the description in a pop-up window.
- Behavior overview – The detected behaviors of the downloaded file. If there is a lot of data, a partial list is displayed by default. Click Expand for more to view the full list, and Collapse for less to close it again.
Open in ...
To open the downloaded file in a specific service, click one of the icons for the providers. By default, this displays a partial list of providers.
Download details
Info | Description |
---|---|
File name | The resource path to the downloaded file. |
URL | The full URL to the downloaded file. |
First seen | The timestamp from when the downloaded file was first seen. If there have been multiple instances of this file, this will be a range of timestamps. |
Downloaded from | The IP address of the source server. |
Protocol | The protocol that was used to transfer the downloaded file from the source server. |
User agent | If available, the user agent string seen for the download request. |
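To relate the File details and Download details fields to what a sensor actually captures, the following Python is an added example written for this page, not code from NSX Network Detection and Response. It takes constructed download events, derives the SHA1 (the sidebar field) and SHA256 (what most third-party lookups key on) of each file, infers a coarse file type from magic bytes, collapses repeated downloads of the same file into one record whose First seen is a range, and builds a VirusTotal pivot link of the kind the Open in section offers. The event data, the magic-byte table and the optional `known_bad_sha1` blocklist are assumptions for the example.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed download events standing in for sensor captures; the body bytes
# are tiny stand-ins for the transferred files. Not NSX NDR data.
EVENTS = [
    {"ts": "2024-05-03T08:12:00Z", "url": "http://203.0.113.10/update/setup.exe",
     "src_ip": "203.0.113.10", "protocol": "HTTP", "user_agent": "Mozilla/5.0",
     "body": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"},
    {"ts": "2024-05-03T14:40:00Z", "url": "http://203.0.113.10/update/setup.exe",
     "src_ip": "203.0.113.10", "protocol": "HTTP", "user_agent": "curl/8.0",
     "body": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"},
    {"ts": "2024-05-04T09:00:00Z", "url": "https://198.51.100.7/docs/invoice.pdf",
     "src_ip": "198.51.100.7", "protocol": "HTTPS", "user_agent": "Mozilla/5.0",
     "body": b"%PDF-1.7\n"},
]

# Minimal magic-byte table for the example; the product's own file typing is richer.
MAGIC = [(b"MZ", "Windows executable"), (b"%PDF", "PDF document"), (b"PK\x03\x04", "ZIP archive")]


def file_type(body):
    """Coarse file type from leading bytes; 'unknown' when no magic matches."""
    for magic, label in MAGIC:
        if body.startswith(magic):
            return label
    return "unknown"


def digests(body):
    """Return (sha1, sha256) hex digests of the captured file."""
    return hashlib.sha1(body).hexdigest(), hashlib.sha256(body).hexdigest()


def pivot_links(sha256):
    """Public lookup URL patterns for the Open in section; only VirusTotal shown."""
    return {"VirusTotal": f"https://www.virustotal.com/gui/file/{sha256}"}


def summarize_downloads(events, known_bad_sha1=frozenset()):
    """Group events by file hash and build one Download details record per unique
    file. First seen becomes a (first, last) range when the same file was seen
    more than once. known_bad_sha1 is an assumed local blocklist of SHA1 digests."""
    by_hash = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        sha1, sha256 = digests(ev["body"])
        if sha1 not in by_hash:
            by_hash[sha1] = {
                "File type": file_type(ev["body"]),
                "SHA1": sha1,
                "SHA256": sha256,
                "File name": urlsplit(ev["url"]).path,   # resource path of the file
                "URL": ev["url"],
                "First seen": (ev["ts"], ev["ts"]),      # (first, last)
                "Downloaded from": set(),
                "Protocol": ev["protocol"],
                "User agents": set(),
                "Known bad": sha1 in known_bad_sha1,
                "Open in": pivot_links(sha256),
            }
        rec = by_hash[sha1]
        rec["First seen"] = (rec["First seen"][0], ev["ts"])
        rec["Downloaded from"].add(ev["src_ip"])
        rec["User agents"].add(ev["user_agent"])
    return by_hash


if __name__ == "__main__":
    for rec in summarize_downloads(EVENTS).values():
        print(rec["File type"], rec["SHA1"], rec["First seen"], rec["Open in"]["VirusTotal"])
```

Grouping by hash rather than by URL matters in practice: the same payload is routinely served from several paths and hosts, and the sidebar's First seen range plus the set of user agents tells you whether one workstation fetched it once or a script is pulling it repeatedly.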
Signature Evidence Summary Sidebar
The Evidence Summary sidebar for an evidence type of Signature is displayed when you click a Signature evidence link in the Evidence column of the Threats tab.
Click Ref Event to access the Event profile page and the full details of the associated event.
A brief description of the evidence is provided.
Threat details
The following details are provided about the threat.
Detail | Description |
---|---|
Threat | Name of the detected security risk. |
Threat class | Name of the detected security risk class. |
Activity | If available, displays the detected current activity of the threat. |
Confidence | Indicates the probability that the detected threat is malicious. For events that show analysis results, for example a file download, a score is displayed. |
First seen / Last seen | A graph with the timestamps from when the evidence was first and last seen. The duration is displayed below the graph. |
Traffic details
The Reference event traffic widget provides an overview of the traffic observed between the hosts involved in the referenced event. At least one host involved in the event is a monitored host. The communicating host may be a monitored host or an external system.
The arrow indicates the traffic direction between the hosts.
For each host, the IP address is displayed. If the host is local, the address is a link that you can click to view the Host profile page. A geo-located country flag or other host icon might be displayed, and more than one can appear. If available, a host name is displayed, along with any host tags applied to the host. If available, click the WHOIS icon to view host details in the WHOIS pop-up window. See WHOIS Pop-Up Window for details.
Detector summary
A summary of the detector is displayed. For more details, click the More details link to view the Detector Pop-Up window. See Detector Documentation Pop-Up Window for details.
- Detector name – The name of the detector.
- Goal – Short description of the goal of the detector.
- IDS rule – If available, click the View rule link to display the Detector Pop-Up window, which can include the IDS rule that produced this evidence. See Detector Documentation Pop-Up Window for details.