You can configure settings for Network Traffic Anomaly (NTA) using the NSX Suspicious Traffic feature, which you can access from NSX Network Detection and Response or Security Intelligence.

Note: If you configure NTA data collection or suspicious traffic detector settings from the Security Intelligence UI, NSX Network Detection and Response displays that configuration, and vice versa. Changing settings in one location overwrites the previous settings in the other location.

The NTA Detector Definitions tab under the Settings page displays all of the detectors currently supported by the NSX Suspicious Traffic feature.

Each detector is turned off by default. You must manually turn on each detector before it can start monitoring the network traffic flows in your NSX environment. For details, see Activate the Suspicious Traffic Detectors.

Each NSX Suspicious Traffic detector listed on the NTA Detector Definitions tab typically includes the following:

  • Detector name and description
  • On/Off toggle button
  • Likelihood (sensitivity) slider

    The slider sets the likelihood threshold at which a detector generates an alert. When a detection falls below that threshold, the system discards the suspicious traffic event. Not all detectors include this slider.

  • Exclusions

    A VM exclusion is a static list of VMs that the NSX Suspicious Traffic feature excludes from being monitored by the detector. For a Group exclusion, whether the detector excludes a member depends on when the system runs the detector. If the Group does not exist at the time the system runs the detector, the system might generate a warning in the system logs. If a VM does not exist at the time the system runs the detector, the detector silently ignores the exclusion setting. Not all NSX Suspicious Traffic detectors support Group exclusion.