Host tags

The host tagging feature allows you to associate one or more arbitrary strings with the hosts in your environment. You can use these tags as a simple labeling mechanism for hosts, as a factor in network event post-processing rules (for example, alert suppression or NTA post-processing), or as a filter for network events.

Customer-defined tags

You can create an arbitrary string of up to 30 characters as a tag. Although these dynamic customer-defined tags have no intrinsic meaning to VMware NSX Network Detection and Response, they allow you to label hosts by user (for example, CEO or Finance), function (such as DB server), or other categories.

Note:

You cannot create a customer-defined tag that starts with ll or ll:.

System-defined tags

To enhance campaign detections, the host tagging feature was extended with system-defined tags. You can assign these tags to known hosts in your environment. With these tags, correlations can be made more accurately. For example, correlating server-side activity between two hosts may result in a particular host being considered part of a campaign. However, distinguishing a malicious compromise attempt from a benign vulnerability scan is not straightforward. The use of a tag to indicate that the host is an internal vulnerability scanner allows the campaign correlation rule to exclude that host from the campaign.

System-defined tag structure

A system-defined tag has the following format:

ll:tag string
  • ll: is prepended to all system-defined tags.

  • The tag string is an arbitrary string of characters, for example, dns server.

Note:

You cannot create a customer-defined tag that starts with ll or ll:.

You cannot delete a system-defined tag.

Available system-defined tags

The following system-defined tags can be applied:

ll:dns server

Tag a DNS server in your network. The detection systems use this information to produce more accurate and context-aware detections involving the tagged DNS server.

ll:vulnerability scanner

Tag a vulnerability scanner (a host that performs vulnerability scans of the other hosts in the network). The detection systems use this information to confidently differentiate between scheduled benign vulnerability scans and malicious attacker-initiated vulnerability scans.
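
The following Python example is added here and is not VMware code: it checks a planned set of host tags against the rules on this page and models, in simplified form, how the ll:vulnerability scanner tag removes a host from campaign correlation. The host addresses, the activity pairs, the function names, and the case-sensitive prefix match are assumptions.

```python
# Added illustration: a local model of the tag rules on this page, not product code.
MAX_CUSTOMER_TAG_LEN = 30          # "up to 30 characters"
SYSTEM_PREFIX = "ll:"              # prepended to all system-defined tags
SYSTEM_TAGS = {"ll:dns server", "ll:vulnerability scanner"}  # tags listed on this page


def check_tag(tag):
    """Return (kind, problem); problem is None when the tag follows the page's rules."""
    if tag in SYSTEM_TAGS:
        return "system", None
    if tag.startswith(SYSTEM_PREFIX):
        return "system", "not one of the available system-defined tags"
    if tag.startswith("ll"):       # assumption: the prefix match is case-sensitive
        return "customer", "customer-defined tags cannot start with ll or ll:"
    if not tag:
        return "customer", "empty tag"
    if len(tag) > MAX_CUSTOMER_TAG_LEN:
        return "customer", f"longer than {MAX_CUSTOMER_TAG_LEN} characters"
    return "customer", None


def review_plan(plan):
    """Map host -> list of (tag, problem) for every tag that breaks a rule."""
    problems = {}
    for host, tags in plan.items():
        bad = [(t, check_tag(t)[1]) for t in tags if check_tag(t)[1]]
        if bad:
            problems[host] = bad
    return problems


def campaign_candidates(activity, plan):
    """Simplified correlation: hosts seen in server-side activity, minus tagged scanners."""
    scanners = {h for h, tags in plan.items() if "ll:vulnerability scanner" in tags}
    hosts = {h for pair in activity for h in pair}
    return sorted(hosts - scanners)


# Constructed sample data (hypothetical hosts and events).
PLAN = {
    "10.0.0.5": ["ll:vulnerability scanner", "Security team"],
    "10.0.0.53": ["ll:dns server"],
    "10.0.0.20": ["DB server", "ll:database", "llama cluster"],
    "10.0.0.21": ["Finance", "x" * 31],
}
ACTIVITY = [("10.0.0.5", "10.0.0.20"), ("10.0.0.99", "10.0.0.20")]

if __name__ == "__main__":
    for host, bad in review_plan(PLAN).items():
        print(host, bad)
    print(campaign_candidates(ACTIVITY, PLAN))
```
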

Add tags

Add a customer-defined or system-defined tag to a host using the Add host tag pop-up, the Tags widget, or by selecting a tag in the Tags section of the Host summary sidebar.

Remove tags

Remove a customer-defined or system-defined tag from a host using the Remove host tag pop-up or by clicking the cancel/close after the tag name in the Tags widget or the Host summary sidebar.