02-05-2025 02:22 AM
Hi all
Experiencing issues with creating Custom Security Events towards NVM (nvzflows) in my SNA platform.
Been creating a test Custom Security Event, just to see if it triggers.
"CSE: Forbidden Application"
When any subject host; using the process "well known .exe" communicates with any peer host, an alarm is raised.
Subject Process Names "well known .exe" on Windows hosts.
Saved the Custom Event.
On my endpoint this "well known .exe" Process Name triggers, and it's visible under the "Report Builder" --> Endpoint Traffic (NVM).
But no alert shows up under my Security Insight Dashboard.
Why?
The goal of my NVM (nvzflows) is to create "Custom Security Events" for alerts.
Thanks
Labels: Stealthwatch
Accepted Solutions
02-06-2025 08:30 AM

02-05-2025 05:29 AM
Please can you confirm which version of SNA you have installed?
02-05-2025 05:44 AM
I'm running the latest version.
7.5.1

02-06-2025 03:23 AM
Unfortunately, you cannot use NVM telemetry to trigger a custom security event the way you describe.
The 'worst case scenario' for a host running Secure Client is the remote worker use case, where the NVM telemetry may be cached for some time before the user connects back to the corporate network via VPN, at which point the cached telemetry is forwarded to SNA and written to the database; however, the timestamps will be outside of the 5-minute window used by the core engine for real-time detections. Today, NVM can be classed as additional context, so it will be visible via Report Builder.
02-06-2025 04:43 AM
Okay. So what you are saying is that it's not possible to create "Custom Security Events" towards NVM telemetry data?
My NVM module configuration is only for endpoints that are on a "trusted network".
I actually got some hits today in my "Security Insight Dashboard" from yesterday's creation of my Custom Security Event.
But the alerts are triggered on other endpoints that do not even have the NVM module installed, which is weird.
Thanks

02-06-2025 06:52 AM
Can you share the custom security event configuration?
02-06-2025 08:30 AM
