Campaign Details: Evidence Tab

The Evidence tab in the Campaign Details page of the NSX Network Detection and Response UI displays a list of the evidence detected for the currently selected campaign.

Each row is a summary of the evidence for the campaign. Click (or anywhere on an entry row) to expand the row to view the Signature evidence information.

The evidence list includes the following columns.

Evidence Columns	Description
IP Address	The IP address of the host that is the source of the threat.
First Seen	Timestamp showing the start time of campaign.
Last Seen	Timestamp showing the most recent activity of the campaign.
Threat	Name of the detected security risk.
Threat Class	Name of the detected security risk class.
Impact	The impact value indicates the critical level of the detected threat and ranges from 1-100: Threats that are 70 or above are considered to be critical. Threats that are between 30-69 are considered to be medium-risk. Threats that are between 1-29 are considered to be benign. If the [block icon] appears, it indicates the artifact has been blocked.
Evidence	The derived value of the evidence for the campaign. See About Evidence for details.
Subject	Additional information from the campaign. This may be an IP address or an HTTP response code, or some other data.
Reference	Click the link to access the Network event details page. The link opens in a new browser tab. See Event Profile Page for details.
Incident ID	A permalink to a correlated incident. The link will open in a new browser tab. See Managing the Incidents Page.

Click the icon to change which columns to display. The default is to display all available columns.

When you click (or anywhere on an evidence row), the following information is shown.

Information Name	Description
Threat	Name of the detected security risk.
Threat class	Name of the detected security risk class.
Impact	The impact score of the campaign.
Detector	If present, displays the NSX Network Detection and Response module that identified the threat. Click the link to view the Detector pop-up window.
View network detection	If present, displays the NSX Network Detection and Response module that identified the threat. Click the link to view the Detector pop-up window.
View Incident	Click the link to access the Network event details page. The link opens in a new browser tab. See Event Profile Page.
First seen	Timestamp showing the start time of campaign.
Last seen	Timestamp showing the most recent activity of the campaign.
Severity	An estimate of how critical the detected threat is. For example, a connection to a command and control server is typically considered high severity as the connection is potentially damaging.
Confidence	Indicates the probability that the detected individual threat is indeed malicious. As the system uses advanced heuristics to detect unknown threats, in some cases, the detected threat may have a lower confidence value if the volume of information available for that specific threat is limited.