Threat Event Monitoring

This tab provides key insights about the current state of various security issues in your data center. These features help security teams understand what is happening in the network and where to focus.

Campaigns

A campaign is a set of related threat events that use specific MITRE tactics and techniques. The threat events can be mapped to MITRE ATT&CK stages to define an attack story. Campaigns can range from a single group of detection events over a short period of time to complex multi-pronged attacks over an extended amount of time. A campaign lets you view the full threat event timeline so you can respond and triage it quickly.

If the VMware NSX^® Network Detection and Response™ feature is activated, this widget shows the following campaign statistics.

• The total number of campaigns that NSX Network Detection and Response has identified during the time period and that are currently active in your network.
• The total number of high impact campaigns that are in-progress during the selected time period.
• The total number of open high impact campaigns during the selected time period.
• The total number of VMs affected by the campaigns identified during the selected time period.

Click Go to Campaigns to see more details from the Campaigns page of the NSX Network Detection and Response user interface. To learn more about the NSX Network Detection and Response feature, see NSX Network Detection and Response.

IDS/IPS

The IDS/IPS event monitoring page displays the following summaries for a maximum of last 14 days:

• IDPS Summary

  Entry	Description
  Intrusion Events	Displays the total number of intrusion events as a clickable link, and number of intrusions that resulted in alerts or prevention.
  Unique Intrusion Signatures	Displays a graph with number of intrusions detected in each severity category.
  Events By Top Attack Types	Displays a graph based on attack types.

• Distributed IDS/IPS Summary

  Entry	Description
  Trending by Intrusion Severity	Displays a graph with the trending severity with the number of intrusion events by time.
  Distribution	Displays a radar chart to show distribution based on Attack Type, Attack Target, or Severity over a period of 48 hours to 14 days.
  Top VMs	Displays top VMs on which intrusion was attempted. You can also view top VMs based on the Vulnerability Severity criteria.

• Gateway IDS/IPS Summary

  Entry	Description
  Trending by Intrusion Severity	Displays a graph with the trending severity with the number of intrusion events by time.
  Distribution	Displays a radar chart to show distribution based on Attack Type, Attack Target, or Severity over a period of 48 hours to 14 days.
  Top IPs	Displays top IPs on which intrusion was attempted. You can also view top VMs based on the Vulnerability Severity criteria.

FQDN Analysis

The FQDN analysis summary screen displays:

• The total number of URLs inspected, and their severity level.
• The top URL categories that have the greatest number of inspected FQDNs.
• The highest severity URLs, with the date and the time.

URL Filtering

Select a specific gateway, or all gateways to view following information:

• Distribution of URLs by severity rating.
• Severity level of allowed URLS and displays the top five categories that have the greatest number of inspected URLs.
• Highlights the top five URL categories that have the greatest number of blocked URLs.
• Unique site distribution displays the top five sites that have the greatest number of allowed URLs. Highlights the top five sites that have the greatest number of blocked URLs.

Malicious IPs

For Distributed Firewall, you can setup Malicious IP Feed to download a list of known malicious IPs. You can block access to these IPs through firewall rules and monitor the system for any exceptions. The monitoring screen shows three charts with the following information.

• Top blocked IPs along with the total number of times the IPs are blocked.

• Top VMs accessing or accessed by malicious IPs along with the total count of malicious IPs that accessed or are accessed by the VMs.

• Top blocked categories along with the total number of times the categories are blocked.

The system also displays top 5 items of each data group.

Clicking any data point on the chart opens the Filtering and Analysis page with the detailed information about that data point. Note that the filter on the page is set to the data point you clicked. You can remove the filter and view the list of all malicious IPs.

Malware Prevention

Shows the following file events statistics for a selected time period in a graphical format:

• Total number of inspected file events, malicious file events, suspicious file events, and blocked files.
• Number of file inspections for different ranges of threat score.
• Top five recently inspected files in the data center sorted by the timestamp.
• Top five malicious files detected in the data center.
• Trend of malicious file events, suspicious file events, and suppressed file events in the data center.
• Distribution of file inspections based on the malware family to which the files belong.
• Breakdown of file inspections by the type of analysis performed (local file analysis, cloud file analysis).

Suspicious Traffic

If VMware NSX^® Intelligence™ is activated, this tab displays the following statistics (in graphical format) about suspicious or anomalous events detected during the selected time period.

• A circle shows the total number of anomalies detected during the selected time period. The circle is composed of colored segments representing the number of detected anomalous events and the MITRE adversarial tactics and technique used to detect the events.
• A list of detected suspicious events categorized in the same MITRE tactics and techniques used in their detection, and the number of times they occurred during the selected time period.
• A bar graph showing the number of anomalies detected, categorized by their severity.

Click View All to see more information about the detected suspicious events using the Suspicious Traffic page. To learn more about the NSX Suspicious Traffic feature, see the Using and Managing VMware NSX Intelligence documentation for version 3.2 and later at https://docs.vmware.com/en/VMware-NSX-Intelligence/index.html.

TLS Inspection

TLS inspection and decryption provides a secure way to target the influx of threats present in Enterprise web traffic. The feature uses TLS proxy to intercept encrypted traffic transparently over TLS connections and allow NSX security services such as layer 7 firewalls, IDS, and URL filtering to inspect content and enforce your security policies. You can use a wizard or manually follow the workflow to set your policy and rules.

The Security Overview dashboard shows the following TLS connection and certificate details when activated.

• The donut chart shows the TLS Connection Summary details including:
  • Bypassed due to failures
  • Decrypted
  • Connection failures
  • Bypassed due to rules
• Connections & Rules
  • Total connections
  • Open connections
  • CPS
  • Rule hits
• The donut chart shows the Certificate Caching details including:
  • Cache hits
  • Cached certificates
  • Cache misses
• Traffic
  • Throughput details including Client to server and Server to Client
  • Total traffic details including Client to server and Server to Client

Configuration

This page also provides detailed views of security settings for:

Gateway Firewall widget

Highlights gateway firewall security settings. Click the links to view the gateways on which the following security features are activated:

• IDS/IPS
• Malware Prevention
• TLS Inspection

To view the gateways with these security features, at least one of the above security features must be deployed in your data center.

Distributed Firewall widget

Highlights the total distributed firewall policies using graphics. Click to view details such as policy groupings, top services consumed by East-West security policies as well as their actions (allow, drop, and reject), and total distributed firewall rules.

Endpoint Protection widget

Shows a summary of the configuration of endpoint protection for virtual machines. You can view VM distribution by service profile, components having issues, and configured VMs running file introspection.

Identity Firewall User Sessions widget

Displays the number of IDFW active user sessions.

Malware Prevention widget

This UI widget shows issues when any of the components for the NSX Distributed Malware Prevention service is down or not working.

For example:

• The Bar chart shows an issue when the Security Hub on the NSX Malware Prevention service virtual machine (SVM) is down. Point to the bar to view the following details:
  • Number of NSX Malware Prevention SVMs that are impacted.
  • Number of workload VMs on the host that have lost malware security protection due to the Security Hub going down.
• The Donut chart shows the following details:
  • Number of workload VMs where the NSX File Introspection driver is running.
  • Number of workload VMs where the NSX File Introspection driver is not running.

  For both these metrics, only the workload VMs on the host clusters that are activated for NSX Distributed Malware Prevention are considered.

Capacity

Capacity information is available only in the Manager mode of the NSX Manager UI. The information displayed on this dashboard depends on the security features that are deployed and activated in your data center.