NSX Network Detection and Response uses several correlation rules to create, update, and merge campaigns.
The campaign correlation rules are based on the tactics and techniques described in the MITRE ATT&CK framework. These rules correlate events based on the following activity:
| Campaign Correlation Rule | Description |
|---|---|
| Exfiltration | Exfiltration events are correlated on a workload that are preceded by infection-type events observed on the same workload, that is, events that betray a workload potentially compromised in a way to offer the attacker the ability to run arbitrary actions. For example, a command and command or drive-by event is followed by a network event that is known to be exfiltrating data. For more information about the exfiltration tactic, see MITRE ATT&CK → Tactics → Enterprise → Exfiltration. |
| High-impact event on infected host | High-impact infection-type events are correlated when they occur on a host that has other recent activity that suggests that the host may be infected. |
| Outgoing Lateral Movement | Correlation is established when lateral movement events going out from a compute on which previous incoming lateral movement events or infection-type events were observed. For example, a command and control event on a compute is followed by lateral movement towards another compute in the private network. For more information about the lateral movement tactic, see MITRE ATT&CK → Tactics → Enterprise → Lateral Movement. |
| Incoming Lateral Movement | Lateral movement events that are followed by infection-type events are correlated. For example, RDP activity is detected from workload A towards workload B and then subsequent command and control activity is observed originating from workload B. For more information about the lateral movement tactic, see MITRE ATT&CK → Tactics → Enterprise → Lateral Movement. |
| Drive-by confirmed by a Command and Control Event | Correlation is established when a drive-by infection event is followed by a command and control event. For example, a workload visits a malicious website and a drive-by event is generated, and then subsequently a command and control event occurs on the same workload. For more information about the drive-by technique, see MITRE ATT&CK → Techniques → Enterprise → Drive-by Compromise. |
| Drive-by confirmed by a malicious file event | Correlation is established when a drive-by infection event is followed by a malicious file transfer that confirms the success of the drive-by attempt and the infection of the client. For more information about drive-by technique, see MITRE ATT&CK → Techniques → Enterprise → Drive-by Compromise |
| IDS Command and Control Wave Rule | Correlation is established for IDS command and control events that share the same threat. For example, multiple hosts all create IDS network events for a specific command and control threat in a small period of time. For more information about the command and control tactic, see MITRE ATT&CK → Tactics → Enterprise → Command and Control. |
| Malicious File Wave | Correlation is established for malicious file events that share the same file hash. For example, multiple hosts all download the same ransomware in a small period of time. |
| Same Threat on Workload | Detections of the same threat on the same workload are correlated. Based on this rule, detections are only included in existing campaigns. |
| Multiple Anomaly Events on Workload | Detections of multiple anomaly events on the same workload are correlated. Based on this rule, a combination of detections with lower severity are escalated. |
