The Evidence tab on the Campaign Details page of the NSX Network Detection and Response UI lists the evidence detected for the currently selected campaign.
Each row summarizes one piece of evidence for the campaign. Click the expand icon, or anywhere on the row, to expand it and view the evidence details.
The evidence list includes the following columns.

| Evidence Column | Description |
|---|---|
| IP Address | The IP address of the host that is the source of the threat. |
| First Seen | Timestamp of the start of the campaign. |
| Last Seen | Timestamp of the most recent activity in the campaign. |
| Threat | Name of the detected security risk. |
| Threat Class | Name of the class to which the detected security risk belongs. |
| Impact | Indicates how critical the detected threat is, on a scale from 1 to 100. If the [block icon] appears, the artifact has been blocked. |
| Evidence | The derived value of the evidence for the campaign. See About Evidence for details. |
| Subject | Additional information from the campaign, such as an IP address, an HTTP response code, or other data. |
| Reference | Click the link to open the Network event details page. The link opens in a new browser tab. See Event Profile Page for details. |
| Incident ID | A permalink to the correlated incident. The link opens in a new browser tab. See Managing the Incidents Page. |
Click the icon to change which columns to display. The default is to display all available columns.
When you click the expand icon, or anywhere on an evidence row, the following information is shown.

| Information Name | Description |
|---|---|
| Threat | Name of the detected security risk. |
| Threat class | Name of the class to which the detected security risk belongs. |
| Impact | The impact score of the campaign. |
| Detector | If present, the NSX Network Detection and Response module that identified the threat. Click the link to view the Detector pop-up window. |
| View network detection | Click the link to open the Network event details page for this detection. The link opens in a new browser tab. See Event Profile Page. |
| View Incident | Click the link to open the correlated incident. The link opens in a new browser tab. See Managing the Incidents Page. |
| First seen | Timestamp of the start of the campaign. |
| Last seen | Timestamp of the most recent activity in the campaign. |
| Severity | An estimate of how critical the detected threat is. For example, a connection to a command and control server is typically considered high severity because the connection is potentially damaging. |
| Confidence | The probability that the detected threat is indeed malicious. Because the system uses advanced heuristics to detect unknown threats, a detection may carry a lower confidence value when the volume of information available for that specific threat is limited. |