You must manually turn on the NSX Suspicious Traffic detectors that you want to monitor. Only the detectors that are activated will be used for monitoring suspicious network traffic events.

Use the following steps to turn on a supported NSX Suspicious Traffic detector to perform network traffic analysis on the collected traffic data.

Procedure

  1. From your browser, log in with the required privileges to an NSX Manager appliance at https://<nsx-manager-ip-address>.
  2. Activate the supported NSX Suspicious Traffic detectors that you want to use for network traffic analysis of the collected traffic data.
    The following sub-steps apply to all available detectors except the DNS-based detectors, which require additional configuration before they can be activated. See step 3 for the DNS-based detectors.
    1. Navigate to the Threat Detection & Response > Settings > NTA Detector Definitions tab.
    2. Locate one or more detectors that you want to activate.
    3. Click the check box next to each detector and click Activate.
      The Status column in the NTA Detector Definitions tab displays Activated for each detector that you activated.
  3. To turn on DNS-based detectors, such as Domain Generation Algorithm (DGA) and DNS Tunneling, perform the following steps. The context profile and the distributed firewall rule in sub-steps 1 and 2 only need to be created once; the rule causes the distributed firewall to classify DNS traffic at Layer 7, which the DNS-based detectors depend on.
    1. Create a custom DNS context profile or use a default system-provided context profile.
      For details, see Context Profiles.
    2. Create a distributed firewall rule that uses ANY in the Sources and Destinations columns and applies the DNS context profile from the previous sub-step (custom or system-provided).
      For details, see Add a Distributed Firewall.
    3. Navigate to the Threat Detection & Response > Settings > NTA Detector Definitions tab.
    4. Locate the detector that you want to activate.
    5. Click the check box next to the detector and click Activate.
      The Status column displays Activated status for the activated detectors.
  4. (Optional) Use the following steps to deactivate NSX Suspicious Traffic detectors and stop network traffic analysis for them.
    1. Navigate to the Threat Detection & Response > Settings > NTA Detector Definitions tab.
    2. Locate one or more detectors to deactivate.
    3. Click the check box next to each detector and click Deactivate.
      The Status column displays Deactivated status for the deactivated detectors.
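
The DNS prerequisite in step 3 (a DNS context profile plus an ANY-to-ANY distributed firewall rule that carries it) can also be created and verified through the NSX Policy API instead of the UI. The following script is an added example and is not part of the NSX documentation. The request paths and object shapes are those of the NSX Policy API (hierarchical PATCH under /policy/api/v1/infra); the ids nta-dns-profile, nta-dns-inspection and inspect-dns, the environment variables NSX_MANAGER, NSX_USER and NSX_PASS, and the use of HTTP basic authentication are assumptions for this example. The check at the end confirms that the rule matches ANY on both sides, carries the DNS context profile and allows the traffic, since a rule that drops DNS would stop resolution rather than inspect it.

```python
"""Create and verify the DFW rule that feeds DNS traffic to the NTA DNS-based detectors.

Added example, not NSX documentation code. Assumed ids and environment
variables are marked below; change them to match your deployment.
"""
import base64
import json
import os
import ssl
import urllib.request
from typing import Optional

# Assumed ids for the objects this example creates.
PROFILE_ID = "nta-dns-profile"
POLICY_ID = "nta-dns-inspection"
RULE_ID = "inspect-dns"


def dns_context_profile() -> dict:
    """Body for PATCH /policy/api/v1/infra/context-profiles/{PROFILE_ID}.

    A custom PolicyContextProfile whose only attribute is the DNS App ID.
    Skip this call if you use a system-provided DNS context profile.
    """
    return {
        "resource_type": "PolicyContextProfile",
        "display_name": "NTA DNS",
        "attributes": [{"key": "APP_ID", "value": ["DNS"], "datatype": "STRING"}],
    }


def dns_inspection_policy(profile_path: str) -> dict:
    """Body for PATCH /policy/api/v1/infra/domains/default/security-policies/{POLICY_ID}.

    One ANY -> ANY ALLOW rule with the DNS context profile attached, so every
    DNS flow the distributed firewall sees is classified at Layer 7 without
    being blocked.
    """
    return {
        "resource_type": "SecurityPolicy",
        "id": POLICY_ID,
        "display_name": "NTA DNS inspection",
        "category": "Application",
        "rules": [
            {
                "resource_type": "Rule",
                "id": RULE_ID,
                "display_name": "Inspect DNS for NTA",
                "source_groups": ["ANY"],
                "destination_groups": ["ANY"],
                "services": ["ANY"],
                "profiles": [profile_path],
                "scope": ["ANY"],
                "action": "ALLOW",
                "logged": True,
            }
        ],
    }


def rule_feeds_dns_detectors(rule: dict, dns_profile_paths: set) -> bool:
    """Check a rule object (as returned by GET .../rules/{id}) meets the step 3 prerequisite."""
    return (
        rule.get("source_groups") == ["ANY"]
        and rule.get("destination_groups") == ["ANY"]
        and any(p in dns_profile_paths for p in rule.get("profiles", []))
        and rule.get("action") == "ALLOW"
    )


def nsx_request(method: str, path: str, body: Optional[dict] = None, verify_tls: bool = True) -> dict:
    """Send one Policy API request with HTTP basic auth taken from NSX_MANAGER/NSX_USER/NSX_PASS (assumed)."""
    url = f"https://{os.environ['NSX_MANAGER']}{path}"
    creds = f"{os.environ['NSX_USER']}:{os.environ['NSX_PASS']}".encode()
    req = urllib.request.Request(
        url,
        method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": "Basic " + base64.b64encode(creds).decode(),
                 "Content-Type": "application/json"},
    )
    # Lab only: a self-signed NSX Manager certificate fails verification otherwise.
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def configure_dns_inspection(verify_tls: bool = True) -> bool:
    """Create the profile and the policy, then read the rule back and verify it."""
    profile_path = f"/infra/context-profiles/{PROFILE_ID}"
    nsx_request("PATCH", f"/policy/api/v1{profile_path}", dns_context_profile(), verify_tls)
    nsx_request("PATCH", f"/policy/api/v1/infra/domains/default/security-policies/{POLICY_ID}",
                dns_inspection_policy(profile_path), verify_tls)
    rule = nsx_request("GET", f"/policy/api/v1/infra/domains/default/security-policies/{POLICY_ID}/rules/{RULE_ID}",
                       verify_tls=verify_tls)
    return rule_feeds_dns_detectors(rule, {profile_path})


if __name__ == "__main__":
    print("DNS inspection rule in place:", configure_dns_inspection(verify_tls=False))
```

Run it once per NSX Manager before activating the DGA and DNS Tunneling detectors in the NTA Detector Definitions tab; rule_feeds_dns_detectors can also be run on its own against the JSON of an existing rule to confirm that a rule someone else created still satisfies the prerequisite.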

Results

The Status column displays Activated or Deactivated status.

What to do next

Monitor and analyze the detected suspicious traffic events.