The Evidence tab in the Campaign Details page of the NSX Network Detection and Response UI displays a list of the evidence detected for the currently selected campaign.

Each row is a summary of the evidence for the campaign. Click the plus icon (or anywhere on an entry row) to expand the row and view the signature evidence information.

The evidence list includes the following columns.

| Evidence Columns | Description |
| --- | --- |
| IP Address | The IP address of the host that is the source of the threat. |
| First Seen | Timestamp showing the start time of the campaign. |
| Last Seen | Timestamp showing the most recent activity of the campaign. |
| Threat | Name of the detected security risk. |
| Threat Class | Name of the detected security risk class. |
| Impact | The impact value indicates how critical the detected threat is and ranges from 1-100: threats at 70 or above are considered critical; threats between 30-69 are considered medium-risk; threats between 1-29 are considered benign. If the blocked icon appears, the artifact has been blocked. |
| Evidence | The derived value of the evidence for the campaign. See About Evidence for details. |
| Subject | Additional information from the campaign. This may be an IP address, an HTTP response code, or some other data. |
| Reference | Click the link to access the Network event details page. The link opens in a new browser tab. See Event Profile Page for details. |
| Incident ID | A permalink to a correlated incident. The link opens in a new browser tab. See Managing the Incidents Page. |
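The impact tiers above have hard boundaries (69 is medium-risk, 70 is critical; 29 is benign, 30 is medium-risk), and a blocked artifact with a high impact needs a different response from an unblocked one. The following added example, which is not VMware's code and does not use any NSX Network Detection and Response API, applies those thresholds to a handful of constructed evidence rows (the row fields mirror the column names in the table; the sample values are made up) and pulls out the rows that most need attention: critical impact and not yet blocked.

```python
from dataclasses import dataclass

# Tier names as the Evidence tab describes them.
CRITICAL = "critical"
MEDIUM = "medium-risk"
BENIGN = "benign"


def impact_tier(impact: int) -> str:
    """Map an Impact value (1-100) to its tier.

    Values outside 1-100 are rejected instead of being silently bucketed,
    so a parsing mistake upstream cannot masquerade as a benign finding.
    """
    if isinstance(impact, bool) or not isinstance(impact, int) or not 1 <= impact <= 100:
        raise ValueError(f"impact must be an integer in 1..100, got {impact!r}")
    if impact >= 70:
        return CRITICAL
    if impact >= 30:
        return MEDIUM
    return BENIGN


@dataclass(frozen=True)
class EvidenceRow:
    """One row of the Evidence list; field names follow the UI columns."""
    ip_address: str
    threat: str
    threat_class: str
    impact: int
    blocked: bool   # True when the blocked icon is shown for the artifact
    subject: str


# Constructed sample rows for illustration only; not NSX output.
SAMPLE_ROWS = [
    EvidenceRow("10.0.0.5", "Example C2 beacon", "command and control", 85, True, "198.51.100.7"),
    EvidenceRow("10.0.0.9", "Example downloader", "malware download", 72, False, "HTTP 200"),
    EvidenceRow("10.0.0.12", "Example scanner", "reconnaissance", 45, False, "10.0.0.0/24"),
    EvidenceRow("10.0.0.3", "Example adware", "potentially unwanted", 12, False, "HTTP 302"),
]


def group_by_tier(rows):
    """Return rows grouped by tier, highest impact first within each tier."""
    groups = {CRITICAL: [], MEDIUM: [], BENIGN: []}
    for row in sorted(rows, key=lambda r: r.impact, reverse=True):
        groups[impact_tier(row.impact)].append(row)
    return groups


def unblocked_critical(rows):
    """Critical-tier rows whose artifact has not been blocked."""
    return [r for r in rows if impact_tier(r.impact) == CRITICAL and not r.blocked]


if __name__ == "__main__":
    for tier, members in group_by_tier(SAMPLE_ROWS).items():
        print(f"{tier}: {[m.ip_address for m in members]}")
    print("needs attention:", [r.ip_address for r in unblocked_critical(SAMPLE_ROWS)])
```

Rejecting out-of-range values is deliberate: the UI documents a 1-100 range, so anything else indicates a broken feed or a parsing error, which should fail loudly rather than be reported as benign.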

Click the three-horizontal-bars icon to change which columns are displayed. By default, all available columns are displayed.

When you click the plus icon (or anywhere on an evidence row), the following information is shown.

| Information Name | Description |
| --- | --- |
| Threat | Name of the detected security risk. |
| Threat class | Name of the detected security risk class. |
| Impact | The impact score of the campaign. |
| Detector | If present, displays the NSX Network Detection and Response module that identified the threat. Click the link to view the Detector pop-up window. |
| View network detection | If present, displays the NSX Network Detection and Response module that identified the threat. Click the link to view the Detector pop-up window. |
| View Incident | Click the link to access the Network event details page. The link opens in a new browser tab. See Event Profile Page. |
| First seen | Timestamp showing the start time of the campaign. |
| Last seen | Timestamp showing the most recent activity of the campaign. |
| Severity | An estimate of how critical the detected threat is. For example, a connection to a command and control server is typically considered high severity, as the connection is potentially damaging. |
| Confidence | Indicates the probability that the detected individual threat is indeed malicious. Because the system uses advanced heuristics to detect unknown threats, a detected threat may in some cases have a lower confidence value if the volume of information available for that specific threat is limited. |