Configure NSX security tags

If you are using agentless protection, you can configure Deep Security Virtual Appliance to apply NSX security tags to protected VMs when the Anti-Malware and Intrusion Prevention (IPS) modules detect a threat. NSX security tags can be used with NSX Service Composer to automate certain tasks, such as quarantining infected VMs. For more information on NSX tagging and dynamic NSX security group assignment, see the documentation from VMware.

VMware NSX security tags are not the same thing as Deep Security event tags. NSX tagging occurs in the VMware vSphere environment; Deep Security event tags are in the Deep Security database.

Topics on this page:

Configure Anti-Malware to apply NSX security tags

To configure the Anti-Malware module to apply NSX security tags when malware is found:

  1. Go to Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). > Anti-Malware > Advanced > NSX Security Tagging.
  2. Select On to enable the feature.
  3. From the NSX Security Tag drop-down list, select the name of the NSX security tag that assigned in NSX when malware is found. Options are:
    • ANTI_VIRUS.VirusFound.threat=low
    • ANTI_VIRUS.VirusFound.threat=medium
    • ANTI_VIRUS.VirusFound.threat=high

    For example, if you choose ANTI_VIRUS.VirusFound.threat=low, then an NSX security tag called ANTI_VIRUS.VirusFound.threat=low is assigned to the VM if malware is found on the VM. The tag name is not related to the threat level of the malware, so the 'low' tag is applied even if the malware poses a high threat (and vice versa).

  4. Optionally, select Apply NSX Security Tag only if remediation action fails if you only want to apply the NSX security tag if the remediation action attempted by the Anti-Malware module fails. (The remediation action is determined by the malware scan configuration that is in effect. To see which malware scan configuration is in effect, go to the Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). > Anti-Malware > General tab and check the Real-Time Scan, Manual Scan, and Scheduled Scan areas.)
  5. Optionally, select Remove previously applied NSX Security Tags if subsequent Malware Scans complete without any malware detection events. Choose this option if you want to have the security tag removed if a subsequent malware scan does not detect any malware. You should only use this setting if all malware scans are of the same kind.
  6. Click Save.

Configure Intrusion Prevention to apply NSX security tags

To configure the Intrusion Prevention module to apply NSX security tags, go to Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). > Intrusion Prevention > Advanced > NSX Security Tagging.

Intrusion Prevention events have a severity level that is determined by the severity level of the Intrusion Prevention rule that triggered the event. To configure the severity level of an Intrusion Prevention rule, go to Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). > Intrusion Prevention > General > Assigned Intrusion Prevention Rules and double-click a rule. Change the Severity field as required.

Intrusion Prevention rule severity levels map to NSX tags as follows:

IPS Rule Severity NSX Security Tag
Critical IDS_IPS.threat=high
High IDS_IPS.threat=high
Medium IDS_IPS.threat=medium
Low IDS_IPS.threat=low

You can configure the sensitivity of the tagging mechanism by specifying the minimum Intrusion Prevention severity level that can cause an NSX security tag to be applied to a VM.

The options for the Minimum rule severity to trigger application of an NSX Security Tag setting are:

  • Default (No Tagging): No NSX tag is applied.
  • Critical: An NSX tag is applied to the VM if an Intrusion Prevention rule with a severity level of Critical is triggered.
  • High: An NSX tag is applied to the VM if an Intrusion Prevention rule with a severity level of High or Critical is triggered.
  • Medium: An NSX tag is applied to the VM if an Intrusion Prevention rule with a severity level of Medium, High, or Critical is triggered.
  • Low: An NSX tag is applied to the VM if an Intrusion Prevention rule with a severity level of Low, Medium, High, or Critical is triggered.

Separate settings exist for rules in prevent mode vs. detect-only mode. For information about behavior modes, see Use behavior modes to test rules.