The Detector Definitions tab in the Suspicious Traffic page displays all of the detectors currently supported by the NSX Suspicious Traffic feature in Security Intelligence.
A detector is deactivated by default. You must manually activate single or multiple detectors before monitoring the network traffic flows in your NSX environment. See Activate the NSX Suspicious Traffic Detectors for details.
Each NSX Suspicious Traffic detector listed on the Detector Definitions tab typically includes the following.
- Detector name and description
- Activation or deactivation button
- Likelihood (sensitivity) slider
The slider allows you to set the likelihood a detector generates an alert. For a detection that falls below the threshold of likelihood, the system discards the suspicious traffic event. This slider is not included for all detectors.
- Add, Edit, or Delete Exclusions
You can add, edit, or delete VM and Group exclusions. A VM exclusion is a static list of VMs that the NSX Suspicious Traffic feature excludes from being monitored by the detector. For a Group exclusion, whether the detector excludes a member depends on when the system runs the detector.
If the Group does not exist at the time the system runs the detector, the system might generate a warning in the system logs. If the VM does not exist at the time the system runs the detector, the detector silently ignores the exclusion setting. Group exclusion is not supported by all of the NSX Suspicious Traffic detectors.
Modify Some Property Values of a Detector Definition
To modify some of the default property values for select NSX Suspicious Traffic detector definitions, use the Detector Definitions tab.
Conditions préalables
- The Security Intelligence 3.2 or later must be activated.
- You must be logged in to NSX Manager using one of the following NSX roles.
- Enterprise Admin
- Security Admin