Custom Pattern as a Classification Value on NSX Data Security Regulation

Please note: as of NSX 6.2.3, the NSX Data Security feature has been deprecated. In NSX 6.2.3, you can continue to use this feature at your discretion, but be aware that this feature will be removed from NSX in a future release. Official communication available on the release notes for the (now pulled) NSX 6.2.3 Deprecated section

Recently a customer asked me if it was possible on NSX Data Security to have a custom violation pattern when scanning VMs.Actually I never even thought about that simply because Laws, Privacy and Security Regulations are very much standardised and have very specific patterns defined by governments all around the world. VMware Data Security supports PCI, PHI, and PII related regulations only and here you can see the complete list https://pubs.vmware.com/NSX-62/topic/com.vmware.nsx.reference.doc/GUID-1F4C32A8-9EA4-4F82-924C-D88323E3CF25.html

Now back to the question: is it possible to have a custom violation pattern? The answer is yes! However it’s not available using the Web Client instead you have to create it via API, and it leverages Regular Expression (aka RegEx). There isn’t a lot of documentation out there so I’m sharing my discovery here given I spent some time figuring this out 🙂

Creating regular Expressions from NSX Administration Guide
Configure a Customized Regex as a Classification Value from nsx_62_api.pdf here’s a screenshot

DID YOU KNOW IT? As you can see the endpoint URL has a dlp and in case you didn’t know it’s an RSA product called Data Loss Prevention suite which RSA is dropping (see this link) which is why VMware has deprecated this module.

The regulation that we are going to use for this it’s called “Custom Account Numbers” and what we’re going to do in the next steps is to customise the content blade assigned to this regulation.

Get the list of regulation to find out the id

GET https://NSX-Manager-IP-Address/api/2.0/dlp/regulation

The full XML response you get back is the following


<Regulation>
 <revision>0</revision>
 <name>Custom Account Numbers</name>
 <description>Identifies documents and transmissions that contains identification or account numbers custom to your organisation. This policy requires customization of the Custom Accounts content blade.
 </description>
 <clientHandle/>
 <isUniversal>false</isUniversal>
 <universalRevision>0</universalRevision>
 <id>52</id>
 <classifications>
 <Classification>
 <id>20</id>
 <name>Custom Accounts</name>
 <providerName>Custom Accounts</providerName>
 <description>Custom Accounts</description>
 <customizable>true</customizable>
 </Classification>
 </classifications>
 <regions>ALL</regions>
 <categories>
 <string>PII</string>
 </categories>
</Regulation>

So we know that the Regulation ID = 52 and the Classification ID = 20

Get the classification value

GET https://NSX-Manager-IP-Address/api/2.0/dlp/classificationvalue

So we know the classificationValue ID = 3

Configure custom RegEx for a Classification Value

I’m going to make a very simple RegEx formatted as following:

vlab-[0-9]{3}-[A-Za-z]{4}[0-9]{2}

This will match any string like vlab-001-prod01 for instance, could be a hostname or whatever you want it to be really, you can play with this good online RegEx parser 🙂

Using a PUT https://NSX-Manager-IP-Address/api/2.0/dlp/policy/classificationvalues we can store this pattern inside the classificationValue, as following