The main objective of the NSX Network Detection and Response feature is to collect key abnormal activity or malicious events from every activated event source in your NSX environment. Following the MITRE ATT&CK® model, NSX Network Detection and Response processes the detection events that are generated from an NSX-managed network. NSX Network Detection and Response aggregates and correlates these security-related events to present users a visualization of the specific threats based on the tactics and techniques described in the MITRE ATT&CK framework.

NSX Network Detection and Response correlates related events into campaigns. It organizes threat events in a campaign into a timeline that is available for a security analyst to view and triage threat campaigns by correlating threat signals.

NSX Network Detection and Response Terminology and Key Concepts

The following table provides the key terminology that is used in the NSX Network Detection and Response.

Term / Key Concept Definition
Campaign

A campaign refers to a series of security-related events in the monitored network that are detected and correlated by the NSX Network Detection and Response service. These security events may include IDS signature matches, suspicious traffic events, or malicious file transfer events.

NSX Network Detection and Response uses machine learning and advanced analytics to identify security threats and automatically generate campaigns that provide security teams with a comprehensive view of potential threats. Each campaign is assigned an impact score based on the risk posed by the security events that make up the campaign.

Once a campaign is detected, NSX Network Detection and Response provides detailed information about the detection events that make up the campaign, including the workloads involved, the nature of the activities, and the potential impact on the network. This information enables you to quickly investigate and respond to security threats, helping to prevent data breaches and other security incidents.

Campaign Impact Score

The Campaign Impact Score is a metric that can help you quickly assess the urgency of a potential security threat and can help you to prioritize the triage and resolution accordingly. By focusing on campaigns with higher impact scores, you can quickly address the most critical threats and minimize the risk of security incidents.

The Campaign Impact Score is calculated from the set of detection events that are in the campaign using a combination of factors such as the confidence, severity, and impact of the event.

The score is presented on a scale of 0-100, with higher scores indicating a greater potential impact. A score of 0 indicates that the campaign has no impact, while a score of 100 indicates that the campaign poses an immediate and severe threat.

For more details, see Campaigns.

Destination

A destination refers to the destination of a flow, which is more commonly referred to as the server.
Detection or Detection Event

Detections or detection events represent the security-relevant activity that has occurred in the network as detected by NSX Network Detection and Response. When new detection data is received from sites, that data is aggregated with already received events to determine if it refers to the same threat detection. Otherwise, a new detection event is created.

Each detection is assigned a classification based on the MITRE ATT&CK framework, a threat, and an impact score.

A detection event is correlated into a campaign if it is considered related to the detections already in that campaign. If no existing detections are considered related to the new event, the event is not included in a campaign.

Detection Impact Score

The Detection Impact Score is a metric that is a combination of the severity or "badness" of the threat, and confidence in the accuracy of the detection.

The Detection Impact Score is calculated by combining severity and confidence.

A score ranges from 0-100, with 100 being the most dangerous detection.

For more details, see Detections in NSX Network Detection and Response.

MITRE ATT&CK®

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

NSX Network Detection and Response uses the MITRE ATT&CK framework as the detection events are mapped to the MITRE ATT&CK tactics and techniques.

For more information about the MITRE ATT&CK knowledge base, see the official site.

MITRE ATT&CK Tactic

Tactics represent the "why" of an ATT&CK technique or sub-technique. A tactic is the adversary's tactical goal: the reason for performing an action. For example, an adversary may want to achieve credential access. The events in NSX Network Detection and Response are mapped to the MITRE ATT&CK tactics to help you understand the intent of the detected activity.

In addition to the MITRE ATT&CK tactics, the NSX Network Detection and Response system uses two custom tactics categories as follows:

  • Vulnerability: Associated with the detection of potential vulnerabilities or security posture issues in a network, including policy violations. The MITRE ATT&CK framework by design does not cover this case, as it is focused on attacks, not on vulnerabilities.
  • Undetermined: Associated with detections for which NSX Network Detection and Response system was not able to determine a MITRE ATT&CK tactic.

For more information about the MITRE ATT&CK tactics, see https://attack.mitre.org/tactics/enterprise/.

MITRE ATT&CK Technique

Techniques represent the "how": how attackers carry out a tactic in practice.

For more information about the MITRE ATT&CK tactics and techniques, see https://attack.mitre.org/techniques/enterprise/.

SIEM

A Security Information and Event Management (SIEM) system is a security product or service that collects, manages, and analyzes security and other event data. A SIEM provides real-time security monitoring and analysis.
Signature

A signature is a pattern-matching expression which is compared against traffic with the goal of detecting potentially malicious activity, such as exploit attempts, command and control traffic, lateral movement and exfiltration.

Source

A source refers to the source of the network flow, which is more commonly called the client.

Threat

A threat, in general, refers to any suspicious activity or behavior that could potentially indicate a security breach or attack on the network.

In NSX Network Detection and Response, every detection event is assigned a "threat". In addition to the MITRE ATT&CK classification, the threat is another way to classify detections. A threat tends to be a more specific categorization of the detected badness, such as a specific malware name or CVE ID. When such a specific categorization is not available, the threat can be a more generic categorization.

Detection Type in NSX Network Detection and Response

Detections in NSX Network Detection and Response are of different types, depending on the detection technology involved in detecting them. The current supported detection types are:

  • Intrusion Detection System (IDS) events: These are IDS signature matches, detected by matching IDS signatures against network traffic in the protected network.
  • Network Traffic Anomaly (NTA) events: The NSX Suspicious Traffic feature generates network threat analytics on the east-west network traffic flow data that NSX Intelligence collects from your eligible NSX workloads (hosts or clusters of hosts).
  • Malicious file transfer events: The NSX Malware Prevention feature sends malicious file events that occurred at the gateway to NSX Network Detection and Response for analysis. Only suspicious or malicious file events (scoring 30 or above) are sent to NSX Network Detection and Response.
  • Malicious file detection events: The NSX Malware Prevention feature sends events for malicious files detected within a workload. Files created in the file system of the workload are analyzed, and those file events that score 30 or above are sent to NSX Network Detection and Response.
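To make the concepts above concrete, the following added example (not VMware code, and not NSX's actual scoring logic) models detection events with the fields the page describes, validates the MITRE ATT&CK tactic against the Enterprise tactic names plus the two custom NSX categories, applies the page's score-30 threshold for file events, and orders campaigns by impact score for triage. The impact-score formulas, the campaign aggregation rule, and all sample workload names, threats and scores are assumptions constructed for illustration; the page only states that severity and confidence are combined on a 0-100 scale.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# MITRE ATT&CK Enterprise tactic names, plus the two custom categories the page
# says NSX NDR adds for cases ATT&CK does not cover.
ATTACK_TACTICS = {
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact"}
CUSTOM_TACTICS = {"Vulnerability", "Undetermined"}
FILE_EVENT_MIN_SCORE = 30  # file events scoring below this are not sent to NDR (per the page)

@dataclass
class Detection:
    detection_type: str   # "IDS", "NTA", "FileTransfer" or "FileDetection"
    tactic: str
    threat: str           # specific (malware name, CVE ID) or a generic category
    severity: int         # 0-100 "badness" of the activity
    confidence: int       # 0-100 confidence that the detection is accurate
    file_score: Optional[int] = None  # malware analysis score, file events only
    def impact_score(self) -> int:
        # ASSUMED formula: the page only says severity and confidence are combined.
        return round(self.severity * self.confidence / 100)

def valid_tactic(tactic: str) -> bool:
    return tactic in ATTACK_TACTICS or tactic in CUSTOM_TACTICS

def forwarded_to_ndr(d: Detection) -> bool:
    # IDS and NTA events always flow; file events must meet the page's score threshold.
    if d.detection_type in ("FileTransfer", "FileDetection"):
        return d.file_score is not None and d.file_score >= FILE_EVENT_MIN_SCORE
    return True

@dataclass
class Campaign:
    name: str
    detections: List[Detection] = field(default_factory=list)
    def impact_score(self) -> int:
        # ASSUMED aggregation (max over members); the page gives no formula.
        return max((d.impact_score() for d in self.detections), default=0)

def triage_order(campaigns: List[Campaign]) -> List[str]:
    # Campaign names, highest impact first, the order an analyst would work the queue.
    return [c.name for c in sorted(campaigns, key=lambda c: c.impact_score(), reverse=True)]

# Constructed sample data: hypothetical workload names, threats and scores.
SAMPLE = [Campaign("web01-lateral", [Detection("IDS", "Lateral Movement", "Generic: exploit attempt", 80, 90),
                                     Detection("FileDetection", "Execution", "EXAMPLE.Dropper", 95, 80, 88)]),
          Campaign("db02-posture", [Detection("NTA", "Vulnerability", "Generic: policy violation", 40, 60)])]
```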

Event Types and Event Sources

The following table lists the event types that NSX Network Detection and Response can collect and the sources that generate those events. For any of the event sources to send the events to NSX Network Detection and Response, you must activate the corresponding NSX feature mentioned for the event type.
Event Type / Event Source

IDS events: Distributed IDS and Edge, if you activate the Distributed NSX IDS/IPS feature.

Network Traffic Anomaly (NTA) events: Generated if you turn on the NSX Suspicious Traffic detectors.

Malicious file transfer events: Malicious file transfer events detected within a workload, if you activate the NSX Malware Prevention feature.

Malicious file detection events: Malicious file events detected on the host, if you activate the NSX Malware Prevention feature.

Important: To get the most out of the NSX Network Detection and Response feature, activate one or more of the NSX features whose events it consumes. Although you can activate the NSX Network Detection and Response feature on its own, if you do not activate any of the NSX features listed in the previous table, NSX Network Detection and Response has no events to analyze and therefore cannot provide any of its benefits.