NSX Network Traffic Analysis (NTA) (Suspicious Traffic)

The goal of the NSX Suspicious Traffic feature is to detect suspicious or anomalous network traffic behaviors in your NSX environment. You may have heard this feature referred to as NTA (Network Traffic Analysis).

Requirements:

  • This feature requires NAPP to be deployed in the environment
  • NSX Intelligence should be activated and operational
  • Requires additional ATP licensing

How It Works

After you have satisfied the prerequisites, the NSX Suspicious Traffic feature can start generating network threat analytics on the east-west network traffic flow data that NSX Intelligence has collected from your eligible NSX workloads (hosts or clusters of hosts). NSX Intelligence stores the collected data and persists it for 30 days. The NSX Suspicious Traffic engine analyzes the data and flags suspicious activities using the supported detectors. You can view the information about the detected threat events using the Detection Events tab of the NSX Suspicious Traffic UI page. The NSX Suspicious Traffic feature also feeds its data to the NSX Network Detection and Response feature.

Suspicious Traffic Detectors

The NSX Suspicious Traffic feature uses detectors to classify the detected suspicious network traffic. The detections generated by these detectors might be associated with specific techniques or tactics in the MITRE ATT&CK® Framework.

These detectors are turned off by default and you must explicitly turn on each detector that you want to use in your NSX environment.

You can manage the exclusion lists and the likelihood value for some of the definitions of these supported detectors using the Detector Definitions tab. See Managing the NSX Suspicious Traffic Detector Definitions for details.

Work with Suspicious Traffic Feature

Go to Suspicious Traffic Detector Definitions

  • Click Security
  • Click Suspicious Traffic
  • Click Detector Definitions

You can see the many Suspicious Traffic Detector Definitions that are available with NSX Intelligence. Use the scroll bar to scroll down and review all of the Suspicious Traffic Detector Definitions.

You can enable the detectors required for your infrastructure. For example, let's view, edit and enable the “Remote Services” detector.

  • Click the pencil icon next to Remote Services

We can see that this definition has multiple configuration options.

  • We can change the confidence threshold by dragging the slider for this definition
  • Click in the Exclusions box – you can see that for this definition we can exclude either Groups or VMs
  • Click Groups

  • We can see the available groups we can exclude from this Detector Definition. Let's select the 3-tier-app-servers Group to exclude from this definition.
  • Click Apply to save our exclusion for this Detector Definition.

Enable Remote Services Detector Definition

  • Click the radio slider to enable the Remote Services Detector Definition
  • Click Save
  • Use the scroll bar to scroll back up to the top of the screen.

Navigate to Suspicious Traffic Events Dashboard

  • Click Events to return to the Suspicious Traffic Event Dashboard
  • The longer NSX Intelligence can monitor the environment, the better the baseline it builds for understanding what's normal and what is considered abnormal. Because many of the Detector Definitions require a historical baseline, we do not show suspicious traffic triggers in the lab, but feel free to explore what kind of behaviors NSX Intelligence is watching for here and back in Detector Definitions!

In a similar way, you can enable and work with the other detector definitions as well.
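As an added illustration that is not part of this post and not NSX's own code, the following Python sketch models how the three things configured above (a historical baseline window, the confidence threshold slider, and the Group/VM exclusion list) together decide whether a Remote Services detection event is raised. NSX does not document the detector's internal logic on this page, so the baseline-and-novelty rule, the confidence values, the port list, the MITRE mapping, and the flow records and group membership are all constructed assumptions used only to show the effect of each setting.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Hypothetical stand-in for the NSX "Remote Services" detector. The real
# detector's internals are not documented here; the scoring below is an
# assumption for illustration only.

# Ports treated as remote-administration services (constructed list).
REMOTE_SERVICE_PORTS: Dict[int, str] = {22: "SSH", 3389: "RDP", 5985: "WinRM", 445: "SMB"}


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dst_port: int


@dataclass
class DetectorDefinition:
    name: str
    enabled: bool = False                  # detectors are off by default, as in the NSX UI
    confidence_threshold: float = 0.5      # the slider in the definition editor
    excluded_groups: Set[str] = field(default_factory=set)
    excluded_vms: Set[str] = field(default_factory=set)


@dataclass
class DetectionEvent:
    detector: str
    src: str
    dst: str
    service: str
    confidence: float
    technique: str = "T1021 Remote Services"   # assumed MITRE ATT&CK mapping


def is_excluded(defn: DetectorDefinition, vm: str, groups: Dict[str, Set[str]]) -> bool:
    """True if the VM itself, or any group it belongs to, is on the exclusion list."""
    return vm in defn.excluded_vms or bool(groups.get(vm, set()) & defn.excluded_groups)


def run_detector(defn: DetectorDefinition, flows: List[Flow],
                 groups: Dict[str, Set[str]], baseline_days: int = 30) -> List[DetectionEvent]:
    """Learn normal remote-service usage per source during the baseline window,
    then flag new (source, destination, service) combinations seen after it."""
    if not defn.enabled or not flows:
        return []
    flows = sorted(flows, key=lambda f: f.ts)
    baseline_end = flows[0].ts + timedelta(days=baseline_days)
    seen_pairs: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)   # src -> {(dst, port)}
    seen_services: Dict[str, Set[int]] = defaultdict(set)            # src -> {port}
    events: List[DetectionEvent] = []
    for f in flows:
        if f.dst_port not in REMOTE_SERVICE_PORTS:
            continue                                   # not a remote-service flow
        if f.ts >= baseline_end and (f.dst, f.dst_port) not in seen_pairs[f.src]:
            # Constructed scoring: a source that never used this service at all scores
            # higher than one reaching a new destination over a service it already uses.
            confidence = 0.6 if f.dst_port in seen_services[f.src] else 1.0
            if (confidence >= defn.confidence_threshold
                    and not is_excluded(defn, f.src, groups)
                    and not is_excluded(defn, f.dst, groups)):
                events.append(DetectionEvent(defn.name, f.src, f.dst,
                                             REMOTE_SERVICE_PORTS[f.dst_port], confidence))
        # Every observed pair joins the baseline, so a repeated flow is reported once.
        seen_pairs[f.src].add((f.dst, f.dst_port))
        seen_services[f.src].add(f.dst_port)
    return events


# Constructed sample data: VM-to-group membership and east-west flow records.
T0 = datetime(2024, 1, 1)
GROUPS: Dict[str, Set[str]] = {
    "web-01": {"3-tier-web-servers"},
    "app-01": {"3-tier-app-servers"},
    "app-02": {"3-tier-app-servers"},
    "db-01": {"3-tier-db-servers"},
    "jump-01": {"jump-hosts"},
}
SAMPLE_FLOWS: List[Flow] = [
    # baseline period (days 1-30): routine traffic
    Flow(T0, "web-01", "app-01", 8443),
    Flow(T0 + timedelta(days=2), "jump-01", "app-01", 22),
    Flow(T0 + timedelta(days=5), "jump-01", "db-01", 22),
    # observation period (day 31 onward)
    Flow(T0 + timedelta(days=31), "jump-01", "app-01", 22),    # known pair: no event
    Flow(T0 + timedelta(days=31), "jump-01", "app-02", 22),    # new destination, known service: 0.6
    Flow(T0 + timedelta(days=32), "web-01", "db-01", 3389),    # web tier never used RDP: 1.0
    Flow(T0 + timedelta(days=32), "web-01", "db-01", 3389),    # repeat: reported once
    Flow(T0 + timedelta(days=33), "web-01", "app-01", 8443),   # not a remote service
]


def demo(threshold: float = 0.5, excluded_groups: Set[str] = frozenset()) -> List[DetectionEvent]:
    """Run the hypothetical detector with the given slider value and group exclusions."""
    defn = DetectorDefinition("Remote Services", enabled=True,
                              confidence_threshold=threshold,
                              excluded_groups=set(excluded_groups))
    return run_detector(defn, SAMPLE_FLOWS, GROUPS)


if __name__ == "__main__":
    for ev in demo():
        print(f"{ev.detector}: {ev.src} -> {ev.dst} {ev.service} "
              f"confidence={ev.confidence} ({ev.technique})")
```

Running `demo()` with the default slider value raises two events; raising the threshold to 0.8 drops the lower-confidence SSH event, and excluding the 3-tier-app-servers group suppresses it instead because the destination VM belongs to that group. A detector that is left disabled, as all of them are by default, returns nothing at all.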

Please refer to the NSX Advanced Threat Prevention (ATP) Demo blog post for how to do threat hunting. That's it for this blog. Catch you in the next one. Thank you!
