NSX Network Detection and Response provides a filtering mechanism that allows you to focus on specific information about downloaded files that are of interest to you. The use of filters is optional.

Procedure

  1. From the Files Downloaded page, click plus icon to expand the Filters widget.
  2. Click anywhere in the Filter on text box and select an item from the drop-down menu.

    You can select from the following available filters. To further narrow the focus of the displayed information, you can combine multiple filters.

    Filter Name

    Description

    Analysis tags

    Restrict displayed files by their analysis tags. These are labels assigned to a file or URL by the system analysis. They can identify a threat or threat class, or refer to specific malicious behavior that was detected.

    Analyst UUID

    Restrict displayed files to the system analysis UUID for the downloaded file. This is an internal unique identifier for the analysis of a file.

    Application protocol

    Restrict displayed files transferred over one of the specified protocols. Supported values are HTTP/HTTPS, FTP, and SMB.

    Contacted IP

    Restrict displayed files to the IP address from which the file was downloaded. Like the Host IP filter, this supports IP addresses, CIDR blocks or IP address ranges.

    File type filter

    Restrict displayed files to one or more high-level file types. See the list of file types (above).

    Files

    Select Malicious to restrict displayed files to malicious files. These are files that were assigned a score of 70 or more (out of 100) by the system analysis.

    Host IP

    Restrict displayed files to the IP address of the host in the network that downloaded the file. This filter supports selecting one or more IP addresses, CIDR blocks (for example, 192.168.0.0/24) or IP address ranges (for example, 192.168.1.5-192.168.1.9).

    HTTP Host

    Restrict displayed files to the host name(s) from which the file was downloaded.

    Note:

    This value is extracted from the HTTP Host header in the HTTP request that downloaded the file. Therefore, it is under the control of the client and can be spoofed by a malicious software, such as a malware binary already running on an infected host.

    MD5

    Restrict displayed files to the MD5 hash of the downloaded file.

    Minimum score

    Restrict displayed files to those assigned a score greater than your chosen value (from 1-100) by the system analysis.
  3. To apply the selected filters, click Apply.
  4. (Optional) To delete an individual filter, click the REMOVE– button next to its entry. To delete all the selected filters, click the X icon located on the right side of the Filters widget.

    The Filters widget collapses when you delete all the selected filters.