Create an event-based task
In this article, references to protecting virtual machines do not apply to Deep Security as a Service.
Event-based tasks let you monitor protected computers for specific events and perform tasks based on certain conditions.
From the main page you can:
- Create New event-based tasks
- Examine or modify the Properties of an existing event-based task
- Duplicate (and then modify) existing event-based tasks
- Delete an event-based task
Events that you can monitor
- Computer Created (by System): A computer being added to the manager during synchronization with an Active Directory or Cloud Provider account, or the creation of a virtual machine on a managed ESXi server running a virtual appliance.
- Computer Moved (by System): A virtual machine being moved from one vApp to another within the same ESXi, or a virtual machine on an ESXi being moved from one datacenter to another or from one ESXi to another (including from an unmanaged ESXi server to a managed ESXi server running a virtual appliance).
- Agent-Initiated Activation: An agent is activated using agent-initiated activation.
- IP Address Changed: A computer has begun using a different IP.
- NSX Security Group Changed: The following situations will trigger this event (the event will be recorded on each affected VM):
  - A VM is added to a group that is (indirectly) associated with the NSX Deep Security Service Profile
  - A VM is removed from an NSX Group that is associated with the NSX Deep Security Service Profile
  - An NSX Policy associated with the NSX Deep Security Service Profile is applied to an NSX Group
  - An NSX Policy associated with the NSX Deep Security Service Profile is removed from an NSX Group
  - An NSX Policy is associated with the NSX Deep Security Service Profile
  - An NSX Policy is removed from the NSX Deep Security Service Profile
  - An NSX Group that is associated with an NSX Deep Security Service Profile changes name
You can require specific match conditions to be met in order for the task to be carried out. (Add additional conditions by pressing the "plus" button.) If you specify multiple conditions, each of the conditions must be met for the task to be carried out. (In other words, multiple conditions are "AND" conditions, not "OR".)
Use Java regular expression syntax (http://docs.oracle.com/javase/6/docs/api/java/util/regex/Pattern.html) to match patterns in the following fields:
- Cloud Instance Image ID: Cloud instance Image ID.
The Cloud Instance Name match condition is only available for AWS cloud instances.
- Cloud Instance Metadata: The metadata being matched corresponds to AWS "tags" in the Amazon environment.
The Cloud Instance Metadata match condition is only available for AWS cloud instances. Metadata currently associated with a computer is displayed on the Overview page in its editor window. To define the conditions to match for, you must provide two pieces of information: the metadata tag key and the metadata tag value. For example, to match a computer which has a metadata key named "AlphaFunction" that has a value of "DServer", you would enter "AlphaFunction" and "DServer" (without the quotes). If you wanted to match more than one possible condition, you could use regular expressions and enter "AlphaFunction" and ".*Server", or "AlphaFunction" and "D.*".
- Cloud Instance Security Group Name: The security group the cloud instance applies to.
The Cloud Instance Security Group Name match condition is only available for AWS cloud instances.
- Cloud Account Name: The "Name" field in the Cloud Account properties window.
- Computer Name: The "Hostname" field in the computer properties window.
- ESXi Name: The "Hostname" field of the ESXi server on which the VM computer is hosted.
- Folder Name: The name of the folder or directory in which the computer is located in its local environment.
The Folder Name match condition looks for a match against the name of any parent folder of the computer, including the root datacenter for vCenter server integrations. If you add a "*" character to the beginning of the regular expression, the condition must match the name on all parent folders. This is particularly useful when combined with negation in a regular expression. For example, if you want to match computers in folders that do not include "Linux" in the folder name, you could use a regular expression like
- NSX Security Group Name: The list of potential groups in this condition refers only to NSX Groups associated with NSX Policies associated with the NSX Deep Security Service Profile. The VM may be a member of other NSX Groups, but for the purposes of this match condition, it is not relevant.
- Platform: The operating system of the computer.
- vCenter name: The "Name" field of the computer's vCenter properties that was added to Deep Security Manager.
Java regular expression examples:
|To match:||Use this:|
|any string (but not nothing)||.+|
|empty string (no text)||^$|
|Folder Alpha||Folder\ Alpha|
|Microsoft Windows 2003
|Red Hat 7
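The match conditions above can be rehearsed offline against a sample inventory before a task is saved. The following is an added example, not Deep Security code: the class and method names and the sample computers are constructed, and it assumes that a pattern must match the whole field value and that a missing field is treated as an empty string.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class MatchConditionCheck {
    // All conditions must match (AND). Assumptions: a pattern must match the whole
    // field value (Pattern.matches), and a missing field is treated as "".
    static boolean allMatch(Map<String, String> conditions, Map<String, String> computer) {
        for (Map.Entry<String, String> c : conditions.entrySet()) {
            String value = computer.getOrDefault(c.getKey(), "");
            if (!Pattern.matches(c.getValue(), value)) {
                return false;
            }
        }
        return true;
    }

    // Names of the computers a condition set would select.
    static List<String> selected(Map<String, String> conditions, List<Map<String, String>> computers) {
        List<String> names = new ArrayList<>();
        for (Map<String, String> computer : computers) {
            if (allMatch(conditions, computer)) {
                names.add(computer.get("Computer Name"));
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed sample inventory: field name -> value.
        List<Map<String, String>> computers = List.of(
            Map.of("Computer Name", "db1.example.com", "AlphaFunction", "DServer"),
            Map.of("Computer Name", "db1-example.com", "AlphaFunction", "DServer"),
            Map.of("Computer Name", "fs1.example.com", "AlphaFunction", "FileServer"),
            Map.of("Computer Name", "ws1.example.com")); // no AlphaFunction tag

        // Tag condition alone: every computer whose tag value ends in "Server".
        System.out.println(selected(Map.of("AlphaFunction", ".*Server"), computers));
        // Two conditions are AND-ed, but the unescaped "." also accepts "db1-example.com".
        System.out.println(selected(
            Map.of("AlphaFunction", "D.*", "Computer Name", "db1.example.com"), computers));
        // Escaping the dots restricts the task to the one intended hostname.
        System.out.println(selected(
            Map.of("AlphaFunction", "D.*", "Computer Name", "db1\\.example\\.com"), computers));
    }
}
```

Comparing the second and third result shows why literal characters in hostnames and folder names should be escaped: an over-broad pattern makes an Activate Computer or Assign Policy action apply to computers it was not meant for.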
These next two conditions match True or False conditions:
- Appliance Protection Available: A Deep Security Virtual Appliance is available to protect VMs on the ESXi on which the VM is hosted. The VM may or may not be in an "Activated" state.
- Appliance Protection Activated: A Deep Security Virtual Appliance is available to protect VMs on the ESXi on which the VM is hosted and the VM is "Activated".
The last condition option looks for matches to an IP in an IP list:
- Last Used IP Address: The current or last known IP address of the computer.
The following actions can be taken depending on which of the above events is detected:
- Activate Computer: Deep Security protection is activated on the computer.
- Delay activation by (minutes): Activation is delayed by a specified number of minutes.
- If the event-based task is intended to apply protection to a VM that is being vMotioned to an ESXi protected by a Deep Security Virtual Appliance, add a delay before activation to allow any pending VMware administrative tasks to complete. The amount of delay varies depending on your environment.
- Activation will only occur if the computer is not already activated. That is, activation will only occur if the computer does not already have agent or virtual appliance protection, or if the computer only has agent protection but virtual appliance protection is available.
- Deactivate Computer: Deep Security protection is deactivated on the computer.
- Assign Policy: The new computer is automatically assigned a policy. (The computer must be activated first.)
- Assign Relay Group: The new computer is automatically assigned a relay group from which to receive security updates.
- Assign to Computer Group: The computer is placed in one of the computer groups on the Computers page.
Order of execution
If multiple event-based tasks are triggered by the same condition, the tasks are executed in alphabetical order by task name.
Enable or disable an event-based task
Existing event-based tasks can be enabled or disabled. For example, you may want to temporarily disable an event-based task while you perform certain administrative duties during which you don't want any activity to occur. The control to enable or disable an event-based task is on the General tab of the task's Properties window.