Create an event-based task

In this article, references to protecting virtual machines do not apply to Deep Security as a Service.

Event-based tasks let you monitor protected computers for specific events and perform tasks based on certain conditions.

From the main page you can:

  • Create New event-based tasks ()
  • Examine or modify the Properties of an existing event-based task ()
  • Duplicate (and then modify) existing event-based tasks ()
  • Delete an event-based task ()

Click New () and select New Event-based Task. The wizard that appears will guide you through the steps of creating a new task. You will be prompted for different information depending on the type of task.

Events that you can monitor

  • Computer Created (by System): A computer being added to the manager during synchronization with an Active Directory or Cloud Provider account, or the creation of a virtual machine on a managed ESXi server running a virtual appliance.
  • Computer Moved (by System):A virtual machine being moved from one vApp to another within the same ESXi, or a virtual machine on an ESXi being move from one datacenter to another or from one ESXi to another (including from an unmanaged ESXi server to a managed ESXi server running a virtual appliance.)
  • Agent-Initiated Activation: An agent is activated using agent-initiated activation.
  • IP Address Changed: A computer has begun using a different IP.
  • NSX Security Group Changed: The following situations will trigger this event (the event will be recorded on each affected VM):
    • A VM is added to a group that is (indirectly) associated with the NSX Deep Security Service Profile
    • A VM is removed from an NSX Group that is associated with the NSX Deep Security Service Profile
    • An NSX Policy associated with the NSX Deep Security Service Profile is applied to an NSX Group
    • An NSX Policy associated with the NSX Deep Security Service Profile is removed from an NSX Group
    • An NSX Policy is associated with the NSX Deep Security Service Profile
    • An NSX Policy is removed from the NSX Deep Security Service Profile
    • An NSX Group that is associated with an NSX Deep Security Service Profile changes name

Conditions

You can require specific match conditions to be met in order for the task to be carried out. (Add additional conditions by pressing the "plus" button.) If you specify multiple conditions, each of the conditions must be met for the task to be carried out. (In other words, multiple conditions are "AND" conditions, not "OR".)

Use Java regular expression syntax (http://docs.oracle.com/javase/6/docs/api/java/util/regex/Pattern.html) to match patterns in the following fields:

  • Cloud Instance Image ID: AWS cloud instance AMI ID.
    This match condition is only available for AWS cloud instances.
  • Cloud Instance Metadata: The metadata being matched corresponds to AWS "tags" in the Amazon environment.
    This match condition is only available for AWS cloud instances. Metadata currently associated with a computer is displayed on the Overview page in its editor window. To define the conditions to match for, you must provide two pieces of information: the metadata tag key and the metadata tag value. For example, to match a computer which has a metadata key named "AlphaFunction" that has a value of "DServer", you would enter "AlphaFunction" and "DServer" (without the quotes). If you wanted match more than one possible condition, you could use regular expressions and enter "AlphaFunction" and ".*Server", or "AlphaFunction" and "D.*".
  • Cloud Instance Security Group Name: The security group the cloud instance applies to.
    This match condition is only available for AWS cloud instances.
  • Cloud Account Name: The "Display Name" field in the Cloud Account properties window.
  • Computer Name: The "Hostname" field in the computer properties window.
  • ESXi Name: The "Hostname" field of the ESXi server on which the VM computer is hosted. ESXi Name: The "Hostname" field of the ESXi server on which the VM computer is hosted.
  • Folder Name: The name of the folder or directory in which the computer is located in its local environment.
    This match condition looks for a match against the name of any parent folder of the computer, including the root datacenter for vCenter server integrations. If you add a "*" character to the beginning of the regular expression, the condition must match the name on all parent folders. This is particularly useful when combined with negation in a regular expression. For example, if you want to match computers in folders that do not include "Linux" in the folder name, you could use a regular expression like *^((?!Linux).)*$.
  • NSX Security Group Name: The list of potential groups in this condition refers only to NSX Groups associated with NSX Policies associated with the NSX Deep Security Service Profile. The VM may be a member of other NSX Groups but for the purposes of this match, condition it is not relevant.
  • Platform: The operating system of the computer.
  • vCenter name: The "Name" field of the computer's vCenter properties that was added to Deep Security Manager.

Java regular expression examples:

To match: Use this:
any string (but not nothing) .+
empty string (no text) ^$
Folder Alpha Folder\ Alpha
FIN-1234 FIN-\d+
or
FIN-.*
RD-ABCD RD-\w+
or
RD-.*
AB
or
ABC
or
ABCCCCCCCCCC
ABC*
Microsoft Windows 2003
or
Windows XP
.*Windows.*
Red Hat 7
or
Some_Linux123
or
abcFreeBSD
.*Red.*|.*Linux.*|.*FreeBSD.*

These next two conditions match True or False conditions:

  • Appliance Protection Available: A Deep Security Virtual Appliance is available to protect VMs on the ESXi on which the VM is hosted. The VM may or may not be in a "Activated" state.
  • Appliance Protection Activated: A Deep Security Virtual Appliance is available to protect VMs on the ESXi on which the VM is hosted and the VM is "Activated".

The last condition option looks for matches to an IP in an IP list:

  • Last Used IP Address: The current or last known IP address of the computer.
Depending on the source of the new computer, some fields may not be available. For example, "Platform" would not be available for computers added as a result of the synchronization with an Active Directory.

Actions

The following actions can be taken depending on which of the above events is detected:

  • Activate Computer: Deep Security protection is activated on the computer.
    • Delay activation by (minutes): Activation is delayed by a specified number of minutes.
    • If the event-based task is intended to apply protection to a VM that is being vMotioned to an ESXi protected by a Deep Security Virtual Appliance, add a delay before activation to allow any pending VMware administrative tasks to complete. The amount of delay varies depending on your environment.
    • Activation will only occur if the computer is not already activated. That is, activation will only occur if the computer does not already have agent or virtual appliance protection, or if the computer only has agent protection but virtual appliance protection is available.
  • Deactivate Computer:Deep Security protection is deactivated on the computer.
  • Assign Policy: The new computer is automatically assigned a policy. (The computer must be activated first.)
  • Assign Relay Group: The new computer is automatically assigned a relay group from which to receive security updates.
  • Assign to Computer Group: The computer is placed in one of the computer groups on the Computers page.

Order of execution

If multiple event-based tasks are triggered by the same condition, the tasks are executed in alphabetical order by task name.

Enable or disable an event-based task

Existing event-based tasks can be enabled or disabled. For example, you may want to temporarily disable an event-based task while you perform certain administrative duties during which you don't want any activity to occur. The control to enable or disable an event-based task is on the General tab of the task's Properties window.