The Detection Events widget provides an overview of the individual events that the NSX Network Detection and Response application detected.

An event represents a security-relevant activity that has occurred in the monitored network. An event may involve multiple data flows (for example, TCP connections), but it represents a single type of activity occurring over a short period of time (at most one hour).

If the selected time range includes today (the default), the widget updates its list of events every 5 minutes. New events are highlighted in green; the color fades away after a few seconds.

The Quick search field above the list provides fast, as-you-enter search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

Manually refresh the events list by clicking the Update Now button.

Customize the number of rows to be displayed. By default, 30 entries are shown. Up to 1000 events can be displayed, however, there may be a noticeable delay for the system to retrieve a large number of events. Use the angle-left arrowhead and angle-right arrowhead icons to navigate through multiple pages.

Each row displays a summary of an event. Click anywhere on an entry row to access the Event Summary sidebar.

The list of events contains the following columns.

Column Name

Description

Timestamp

Indicates the start time of the event. The time is shown in the currently selected time zone.

The list is sorted by timestamp, by default in decreasing order (latest event at the top). You can use the icons to sort the list in increasing order (oldest event at the top) or toggle back to the default.

Click the sort list icon icon to sort the list by timestamp.

Host

The host in the monitored network that is involved in this event. This column will display the IP address, host name, or label of the host, depending on your current Display settings. Click the Edit icon next to the host to open the Label/Silence host pop-up.

Other IP

IP address and port of the host that is related to this event. For example, 203.0.113.115:80 indicates that the IP address 203.0.113.115 was contacted on port 80.

The system attempts to geo-locate the IP address. If it succeeds, a small flag icon indicates the country that possibly hosts that IP address. A Local Network icon is used for local hosts.

Other Host

The host name or IP address of the malicious/suspicious entry.

Threat

Name of the detected threat or security risk.

Threat Class

Name of the detected threat class.

Impact

The impact value indicates the critical level of the detected threat and ranges from 1 to 100:

  • Threats that are 70 or above are considered to be critical.

  • Threats that are between 30-69 are considered to be medium-risk.

  • Threats that are between 1-29 are considered to be benign.

If the stop icon icon appears, it indicates the artifact has been blocked.

Click the sort list icon icon to sort the list by impact.