Aggregation of Detections

NSX Network Detection and Response aggregates detections if they meet certain conditions.

A detection event does not correspond to a single instance of malicious activity detected at a specific point in time. Instead, it aggregates similar activity affecting the same workload, within a period of up to 24 hours. When new detection data is received by the NSX Network Detection and Response processing pipeline, it is compared with existing detection events to determine if it can be aggregated with an existing detection event. If so, it is added to that existing detection event. Otherwise, a new detection event is created. This aggregation can happen when certain conditions are met.

When considering detections for aggregation into a single detection event, the following conditions must be met:

The overall detection event does not last more than 24 hours.
The same workload is affected:
- Same VM UUID (if any)
- Same IP address (if any)
The event type is the same.
The same type of activity was detected in the same way.

For example, for IDS detections, this means the same signature must have matched.