The Detector Definitions tab in the Suspicious Traffic page displays all of the detectors currently supported by the NSX Suspicious Traffic feature in Security Intelligence.

A detector is deactivated by default. You must manually activate single or multiple detectors before monitoring the network traffic flows in your NSX environment. See Activate the NSX Suspicious Traffic Detectors for details.

Each NSX Suspicious Traffic detector listed on the Detector Definitions tab typically includes the following.

  • Detector name and description
  • Activation or deactivation button
  • Likelihood (sensitivity) slider

    The slider allows you to set the likelihood a detector generates an alert. For a detection that falls below the threshold of likelihood, the system discards the suspicious traffic event. This slider is not included for all detectors.

  • Add, Edit, or Delete Exclusions

    You can add, edit, or delete VM and Group exclusions. A VM exclusion is a static list of VMs that the NSX Suspicious Traffic feature excludes from being monitored by the detector. For a Group exclusion, whether the detector excludes a member depends on when the system runs the detector.

    If the Group does not exist at the time the system runs the detector, the system might generate a warning in the system logs. If the VM does not exist at the time the system runs the detector, the detector silently ignores the exclusion setting. Group exclusion is not supported by all of the NSX Suspicious Traffic detectors.

Modify Some Property Values of a Detector Definition

To modify some of the default property values for select NSX Suspicious Traffic detector definitions, use the Detector Definitions tab.

The following image shows an example of a detector definition that is in edit mode.
Screenshot of the Horizontal Port Scan detector definition card in Edit mode..

Conditions préalables

  • The Security Intelligence 3.2 or later must be activated.
  • You must be logged in to NSX Manager using one of the following NSX roles.
    • Enterprise Admin
    • Security Admin

Procédure

  1. From your browser, log in with the required privileges to an NSX Manager appliance at https://<nsx-manager-ip-address>.
  2. Navigate to the Security > Suspicious Traffic > Detector Definition tab.
  3. Locate the detector whose definition you want to modify and click Edit (pencil icon).
  4. If a likelihood slider is included in the definition, move the slider to the desired value that the detector uses for identifying a suspicious traffic event.
    Setting the slider to a lower value means there is a greater likelihood of that detector identifying a suspicious traffic event.
  5. Define VM and Group Exclusions.
    1. Click Add/Edit Exclusion and in the drop-down menu, select Groups and/or VMs for the Source.
      Some detectors only have VMs exclusion available for selection.
    2. Define your exclusion list by selecting from the list of available Groups or VMs and click Apply.
    3. Click Save > Save Settings.
  6. Activate or deactivate multiple detectors.
    1. Select the check box next to the detectors to activate or deactivate.
    2. Scroll to the top of the page and click Activate or Deactivate.
    The edited detectors show as Activated or Deactivated in the Detector Definitions tab.