The Incidents page displays the incidents and their different threat ratings. You can use the widgets in the page to inspect, manage, and prioritize the incidents reported by the NSX Network Detection and Response application.

The page consists of several widgets that can be managed using the information in Getting Familiar with the NSX Network Detection and Response User Interface.

In the NSX Network Detection and Response application, an incident is an aggregation of detection events from a single threat detected on a single workload in the monitored network.

The NSX Network Detection and Response application does not solely report security events. An incident can consist of a single event, or many events that have been automatically correlated and determined to be closely related by the system threat engine. For example, the Incidents page can report all outgoing connections to the command and control channel of the malware, all suspicious DNS look ups (for example, requests for automatically generated related malware domains), and in-depth descriptions of each registered security event.

The Incidents page allow you to perform the following tasks.

  • Efficiently keep track of all incidents that are occurring.

  • Quickly see a list of affected hosts.

  • Prioritize threats according to their impact and severity levels using different views.

  • Gain an in-depth understanding of the events that have been registered for each incident, and access threat and mitigation descriptions.

  • Close or open incidents.

  • Mark or clear affected hosts as being cleaned.

  • Filter reported threats for specific hosts.

The following image is an example of the Incidents page, with the All tab in display.
Incidents page described by surrounding content.