Your first step will be to inspect the application traffic flow in NSX Intelligence.

• Click on Plan & Troubleshoot (1). Here we are looking at the Plan & Troubleshoot page and this shows a high-level overview of existing workload groups and flows between them. Green lines indicate flows that are matching an existing segmentation policy in NSX while the red dotted lines indicate unprotected flows.
• Click on the Objects filter (2), select Computes from the dropdown and check all the VMs that makes up the acme multi-tier application - VDI-03, acme-web02, acme-app02, acme-db02.
• Click on Apply (3).
• Change the timeline from NOW to Last 2 Weeks (4) as highlighted in the above image.

Click on Apply Filter and under Suspicious Traffic, select Impact Score (1).

Apply an additional filter to review the Suspicious Traffic flows with more Impact Score.

• Click on Apply Filter (1). Scroll down to Suspicious Traffic Section.
• Select Impact Score as a option. In Custom Range Prompt add Min = 64 and Max = 100 (2).
• Click on Apply (3).

We can see that workloads with an exclamation mark. This indicates that we've depicted a threat affecting these workloads. Review Threat Events for an individual Virtual Machine.

• Right click on the VM acme-db02 and select Suspicious Network Activities.

2. Find the event with Impact score 65(1) under Threat Detection. Expand the event by clicking on button > next to it. Review the suspicious activity.

• As you can observe the Event Command and Control Domain Generation Algorithm(DGA).
• DGAs are psuedo-random generators that construct a random sequence of characters used to form domain names. DGAs provide malware with new domains in order to evade security countermeasures.
• Its an Anomaly in the DNS lookup performed by an internal host. The highlighted campaign in the event details indicates that it is not an individual detection instead there are multiple events across multiple assets.

NSX Advanced Threat Prevention leverages enhanced net flow data and layer 7 flow information to build a baseline of what's normal for every workload and then uses both unsupervised machine learning and supervised machine learning with threat centric models to identify deviations from normal that are securely relevant. The detection with the highest stress score here in the case that we've detected the use of a domain generation algorithm.

Click on the campaign link(2) available in this event. It will redirect to NSX Network Detection and Response(NDR) window. We will learn more about NDR in the following sections.