Configure NSX security tags

Deep Security can apply NSX Security Tags to protected VMs upon detecting a malware threat. NSX Security Tags can be used with NSX Service Composer to automate certain tasks, such as quarantining infected VMs. Consult your VMware NSX documentation for more information on NSX Security Tags and dynamic NSX Security Group assignment.

NSX Security Tags are part of the VMware vSphere NSX environment and are not to be confused with Deep Security Event Tags. For more information, see Apply tags to identify and group events.

The Anti-Malware and Intrusion Prevention System protection modules can be configured to apply NSX Security Tags.

To configure the Intrusion Prevention module to apply NSX Security Tags, go to Computer or Policy editor > Intrusion Prevention > Advanced > NSX Security Tagging.

Each Intrusion Prevention Event has a severity level that is determined by the severity level of the Intrusion Prevention Rule that caused it.

The severity level of an Intrusion Prevention Rule is configurable on the Rule Properties > General tab.

Intrusion Prevention Rule severity levels map to NSX tags as follows:

| IPS Rule Severity | NSX Security Tag |
|---|---|
| Critical | IDS_IPS.threat=high |
| High | IDS_IPS.threat=high |
| Medium | IDS_IPS.threat=medium |
| Low | IDS_IPS.threat=low |

You can configure the sensitivity of the tagging mechanism by specifying the minimum Intrusion Prevention severity level that will cause an NSX security tag to be applied to a VM.

The options for the Minimum rule severity to trigger application of an NSX Security Tag setting are:

  • Default (No Tagging): No NSX tag is applied.
  • Critical: An NSX tag is applied to the VM if an Intrusion Prevention Rule with a severity level of Critical is triggered.
  • High: An NSX tag is applied to the VM if an Intrusion Prevention Rule with a severity level of High or Critical is triggered.
  • Medium: An NSX tag is applied to the VM if an Intrusion Prevention Rule with a severity level of Medium, High, or Critical is triggered.
  • Low: An NSX tag is applied to the VM if an Intrusion Prevention Rule with a severity level of Low, Medium, High, or Critical is triggered.

Separate settings are provided for Rules that are operating in Prevent mode and for Rules that are operating in Detect-only mode.

Whether an IPS Rule is operating in Prevent or Detect-only mode is determined not only by the Intrusion Prevention module setting (Computer or Policy editor > Intrusion Prevention > General tab), but also by the configuration of the individual Rule itself (Rule Properties > General tab > Details).
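The following Python sketch is an added example, not Deep Security or VMware code. It models the severity-to-tag table and the per-mode minimum severity setting described above, so you can check which VMs a given configuration would tag before building Service Composer rules on it. The VM names, settings and events are constructed, the mode passed in is assumed to be the rule's effective mode, and collecting several tags per VM is an assumption about how results are reported here.

```python
from collections import defaultdict

# Severity order and tag mapping, taken from the table on this page.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
SEVERITY_TO_TAG = {
    "Critical": "IDS_IPS.threat=high",
    "High": "IDS_IPS.threat=high",
    "Medium": "IDS_IPS.threat=medium",
    "Low": "IDS_IPS.threat=low",
}
NO_TAGGING = "Default (No Tagging)"


def tag_for_event(rule_severity, rule_mode, min_severity_by_mode):
    """Return the NSX tag one event would trigger, or None.

    rule_mode is the rule's effective mode, "Prevent" or "Detect-only";
    min_severity_by_mode holds the minimum severity chosen for each mode.
    """
    minimum = min_severity_by_mode[rule_mode]
    if minimum == NO_TAGGING:
        return None
    if SEVERITY_RANK[rule_severity] < SEVERITY_RANK[minimum]:
        return None
    return SEVERITY_TO_TAG[rule_severity]


def expected_tags(events, min_severity_by_mode):
    """Collect, per VM, every tag its events would trigger (assumption)."""
    tags = defaultdict(set)
    for vm, severity, mode in events:
        tag = tag_for_event(severity, mode, min_severity_by_mode)
        if tag:
            tags[vm].add(tag)
    return {vm: sorted(t) for vm, t in tags.items()}


# Constructed settings and events (VM names are made up).
SETTINGS = {"Prevent": "High", "Detect-only": NO_TAGGING}
EVENTS = [
    ("web-01", "Critical", "Prevent"),
    ("web-01", "Medium", "Prevent"),
    ("db-01", "Critical", "Detect-only"),
    ("app-01", "Low", "Prevent"),
]

if __name__ == "__main__":
    print(expected_tags(EVENTS, SETTINGS))
```

With these sample settings, the Critical event on db-01 produces no tag because its rule runs in Detect-only mode, whose threshold is left at the default.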