Detections, also referred to as detection events or events, represent the security-relevant activity that has occurred in the network as detected by NSX Network Detection and Response. Detections enable threat triage and investigation by presenting analysis of all threat events regardless of event type within the NSX environment.

When new detection data is received by the NSX Network Detection and Response system, the data is compared with existing detection events to determine if the new detection can be aggregated with an existing detection event. For details about how detections are aggregated, see Aggregation of Detections.

Detection events can be correlated with one another to form a campaign. A detection event that has no correlation with any other detection is not included in any campaign.

View the Unified Event List

To see all the detection events generated by NSX Network Detection and Response, navigate to the Threat Detection & Response > Detections page. This page provides a histogram at the top of the page and a list below the histogram. The list is referred to as the unified events list and displays all the detection events. Each row in the list represents one detection event.

Detection page

  • Click Copy URL at the top right of the page to copy the link address with the filters that are currently applied.

Filter the Unified Event List

You can filter the unified event list with the following methods. Each method is listed by name, followed by its details.

Method: Check boxes

Click the check boxes above the histogram to filter the unified event list based on the detection impact score of the detection.

For more information about detection impact scores, see About Detection Impact Scores.

Checkboxes of the impact score levels.

Method: Histogram

Click the histogram bars to filter the unified event list based on the MITRE ATT&CK tactic identified in the detection.

Histogram of the detections sorted by MITRE ATT&CK tactics.

Method: Filter field

Click the filter field for more powerful filtering options:

  1. From the drop-down menu, select a filter criterion. The available criteria are:
    • Impact score
    • Type
    • MITRE Tactic
    • MITRE Technique
    • Threat
    • Attack Outcome
    • Affected Workload
    • Campaigns
    • Affected workload by IP

    Filtering options.

  2. Specify whether to include or exclude the results of the selected filter criterion and then click Apply.

    Including specific filter criteria options.

  3. To combine multiple filters, you can:
    • Use OR logic between criteria in the same filter.
    • Use AND logic between filters.
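The include/exclude setting and the OR-within-a-filter, AND-between-filters rules above are easy to misread when several filters are stacked. The following is an added illustration, not NSX code: it models a few detection rows with constructed field names and values (the impact score labels and workload names are made up for the example) and applies the documented combination rules so you can see which rows survive a combined filter.

```python
"""Model of how unified event list filters combine (added example, not NSX code).

Rules taken from the documentation:
  - several values selected within one filter criterion are ORed,
  - separate filters are ANDed,
  - each filter is set to either include or exclude the rows it matches.
All field names, impact score labels and sample rows are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Detection:
    """One row of the unified event list (field set is constructed for the example)."""
    impact_score: str
    detection_type: str
    mitre_tactic: str
    affected_workload: str


@dataclass(frozen=True)
class Filter:
    """One applied filter: a criterion, the selected values, and include/exclude."""
    criterion: str          # attribute name of Detection (constructed)
    values: frozenset       # several values in one filter are ORed
    include: bool = True    # False models the "exclude" choice in the UI

    def __post_init__(self) -> None:
        # Fail early on a criterion name the row model does not have.
        if self.criterion not in Detection.__dataclass_fields__:
            raise ValueError(f"unknown filter criterion: {self.criterion}")

    def matches(self, det: Detection) -> bool:
        # OR logic: the row matches if its value is any one of the selected values.
        selected = getattr(det, self.criterion) in self.values
        # "Exclude" keeps exactly the rows that do NOT match the selection.
        return selected if self.include else not selected


def apply_filters(detections: Iterable[Detection], filters: Iterable[Filter]) -> List[Detection]:
    """AND logic across filters: a row survives only if every filter accepts it."""
    flist = list(filters)
    return [d for d in detections if all(f.matches(d) for f in flist)]


# Constructed sample rows; tactic names are MITRE ATT&CK tactics, the rest is made up.
SAMPLE_DETECTIONS = [
    Detection("critical", "IDS/IPS", "Lateral Movement", "web-01"),
    Detection("high", "Malware", "Execution", "db-01"),
    Detection("medium", "IDS/IPS", "Discovery", "web-01"),
    Detection("low", "Anomaly", "Discovery", "app-02"),
    Detection("high", "IDS/IPS", "Lateral Movement", "app-02"),
]


def high_impact_excluding_lateral_movement() -> List[str]:
    """Worked scenario: (impact High OR Critical) AND NOT (tactic Lateral Movement).

    Returns the affected workloads of the surviving rows.
    """
    filters = [
        Filter("impact_score", frozenset({"high", "critical"})),               # include, ORed
        Filter("mitre_tactic", frozenset({"Lateral Movement"}), include=False),  # exclude
    ]
    return [d.affected_workload for d in apply_filters(SAMPLE_DETECTIONS, filters)]


if __name__ == "__main__":
    print(high_impact_excluding_lateral_movement())
```

The first filter alone keeps three of the five constructed rows (two High, one Critical); the second filter, set to exclude, then removes the two Lateral Movement rows, so only the Execution detection on `db-01` remains. Putting the excluded value in its own filter is what makes it an AND-NOT; adding it as a further value inside the impact score filter would widen the match instead.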

View a Detection Event Summary

Expand the detection row and click More Details to view the detection summary.

Detection summary

Detection Type

You can view the detection type icon in the Type column. Hover over the icon to view the name of the detection type.

Detection type icon. Hover over it to view the name.

Detection types and icons that appear in the NDR UI.

Export and Download Packet Capture Files

From the Flow Data tab of the detection summary, you can export and download the PCAP (packet capture) files captured by NSX IDS/IPS. For more details on PCAP, see Export and Download Packet Capture Files.
Note: The PCAP file is available only for E-W (Distributed) IDS/IPS events and only if PCAP capture is enabled in the IDS Profile. If the PCAP file is not available, the link is not displayed. Also, both NSX and NSX Application Platform must be on version 4.2 or later.

Malware Behavior Overview

The Malware Behavior section provides information from the dynamic analysis that was performed on the malicious software instance that is related to the event.

Click View Reports to access detailed, in-depth technical information on what the malware does, how it operates, and what kind of risk it poses. For more information on the displayed information, see Analysis Report Details.

Note: If no malicious software was detected for the event, this section will not appear.