Tour of the Security Intelligence Visualization Page

You access the Security Intelligence visualization page by clicking Plan & Troubleshoot > Discover & Take Action in the NSX Manager user interface.

After you activate and configure the Security Intelligence feature for the first time, when you click Plan & Troubleshoot > Discover & Take Action, Security Intelligence begins to render some visualization after some network traffic data has been received from the transport nodes and the inventory information is received from NSX Manager.

By default, when you click Discover & Take Action, you see the visualization of the security posture of all the groups defined in your NSX inventory.

If there are no groups defined yet, then all the compute entities are shown as members of the Uncategorized Computes group.
Groups might have allowed, blocked, and unprotected traffic flows between their compute member entities in the last hour. See for more information. See Working with Traffic Flows in Security Intelligence for more information about the flow types.
If there are VMs or physical servers, but they do not belong to any group, you see the icon for the Uncategorized Computes group.
If there are IP addresses that do not belong to any group, you see the Unknown icon.

Both icons for the Unknown and Uncategorized Computes groups are shown in the following image.

Screenshot image of the Unknown group and Uncategorized Computes group

If you already have defined groups, you might see a visualization similar to the following image, which illustrates a visualization of an NSX data center's security postures within the last month. The table that follows the image describes the annotated sections in the image. Screenshot of Discover & Take Action UI with visualization of groups displayed. Sections are stamped with numbers and described in the table.


Section	Description
1	In the Discover section, you can select the type of NSX objects whose security posture you want displayed. The two types of objects are Groups and Computes. When you click Plan & Troubleshoot > Discover & Take Action for the first time, the default Discover view displayed is the Groups view. This view displays all the group objects in the NSX environment during the specified time period, which is set to Now initially. To select specific groups in the Groups view, click the down arrow next to All, select one or more groups from the drop-down menu of available groups, specify whether to include or exclude the selected groups, and click Apply. To select the Computes view, click the down arrow next to Groups, select Computes, and click Apply. All the VMs, IP addresses, and physical servers that exist in your NSX environment during the currently selected time period are visualized. To select specific VMs, IP addresses, or physical servers that you want to be included in the Computes view, click the down arrow next to ALL, click Show All Types, and select a compute type (VMs, IPs, or Physical Servers) from the drop-down menu. Alternatively, select or deselect specific compute items from the drop-down menu of available objects. In the Options on selected section, specify whether to include or exclude the selected items. Click Apply. To clear any filtered selections you made in either view type, click Clear on the upper-right side of the visualization page and click Clear in the Clear All Filters dialog box to confirm. If you click Clear when in the Computes view, the selection filters are cleared and you see the Groups view. See Working with the Groups View in Security Intelligence and Working with the Computes View in Security Intelligence for more information on how to work with the two view types.
2	In the Apply Filter section, you can refine the display criteria used for the current visualization. Click Apply Filter, select the filter criteria, and click Apply. You can specify multiple filters by clicking Apply Filter again. See Use Filters on the Security Intelligence Visualization UI for more details.
3	With the Flows section, you can select which traffic flow type you want to include in the visualization for the selected time period. The colors used in the visualization for the flow types is displayed in this section. A red-hued dashed line is used for Unprotected flows. The blue-hued solid line is used for Blocked flows. The green-hued solid line for the Allowed flows. By default, all the traffic flow types are selected for the current Security Intelligence visualization. See Working with Traffic Flows in Security Intelligence for more information.
4	When you click the gear icon , links to the following pages are provided in the NSX Intelligence Related Settings dialog box. To configure settings specific for Security Intelligence, use the System > Settings > NSX Intelligence page. See Manage the Security Intelligence Data Collection Settings for more information. To manage the private IP ranges used by Security Intelligence, use the Security > General Settings > Private IP Ranges page. See Manage the Private IP Ranges for Security Intelligence for information. To use the Preferences - Classification page to manage any unreviewed infrastructure classifications, click Plan & Troubleshoot > Preferences. If there are any unreviewed infrastructure classifications that the system inferred, a red circular badge appears on the gear icon, . See Managing Compute Entity Classifications in Security Intelligence for more information.
5	The refresh status section gives information as to when the visualization graph was last refreshed. To force a refresh of the current view, click the refresh icon .
6	In the time period selection section, you select the time period that determines the historical network traffic flow data that Security Intelligence uses to generate the desired visualization and recommendation. The time period is relative to the current time and some time period in the past. Now is the default time period used when you first click Plan & Troubleshoot > Discover & Take Action. This default time period displays the most recent traffic flow data that the system has captured, up to the most recent one million traffic flows processed. To change the selected time period, click the currently selected time period and select another from the drop-down menu. You can select Now, Last 1 Hour, Last 12 Hours, Last 24 Hours, Last 1 Week, Last 2 Weeks, or Last 1 Month.
7	The canvas section displays the visualization graph of the security postures of the groups or compute entities in your NSX environment. It also includes the visualization of the traffic flows that have occurred during the selected time period. In this section, you can point to a specific node or flow arrow to obtain details about that specific entity. By default, if there are less than 500 nodes and less than 5000 flows to display, Security Intelligence does not apply any clustering mode to the security posture visualization. If those limits for the nodes and flows are exceeded, Security Intelligence clusters the nodes based on the traffic flow that has occurred between the compute entities during the selected time period. See Getting Familiar with Security Intelligence Graphic Elements and Understanding the Views and Flows in Security Intelligence for more information.
8	The Overview map is a miniature version of the whole visualization graph. When you zoom into specific entities shown in the graph, the mini-map gets updated to highlight where your current view is located relative to the overall visualization graph. When you click in the mini-map window and drag the opaque rectangular overlay, your current view of the visualization graph also gets updated. This becomes very useful when you have a very large inventory in your NSX environment.
9	Use the following viewing control icons to change the viewing mode applied to the visualization graph. Click to zoom in on the view. Click to zoom out the view. Click to apply a 1:1 aspect ratio to the visualization graph. Click to resize the view to fit the screen. Click to be in the a full screen viewing mode. Press ESC to exit the full-screen mode. Click to move items on the graph. To shift to the Move mode when you are using the Select mode, press and hold the spacebar, and drag your pointer around the UI to move objects in the visualization graph. Click to select nodes in the graph. You can drag your pointer to select multiple nodes, or press Shift and click each node you want to select. Click to view the graph using the available clustering mode. The available modes are No Clustering, Clustering by Flows, Clustering by Labels (valid in Computes view only), Clustering by Names, and Clustering by Tags. When you use the clustering by Tags mode, you must also select a tag scope. The selected tag scope value is used to arrange the entities in the visualization graph. All entities that do not have a tag within the given tag scope are clustered together. You can also use keyboard hotkeys to manage your viewing controls. To display the Keyboard Shortcuts Help window, press Shift+click the / key. To navigate to a previously viewed visualization, use your Web browser's back button. If you are in full-screen mode and you want to return to the previous visualization, press ESC to exit the full-screen mode and use your Web browser's back button.