NSX Distributed IDS/IPS CPU usage alarms seen under normal operating conditions
Article ID: 324218
Products
VMware NSX
Issue/Introduction
Symptoms: NSX Distributed IDS/IPS CPU usage alarms appear in the NSX-T Alarm dashboard even under a normal traffic load.
Environment
VMware NSX-T Data Center 3.x
Cause
Userworlds such as the NSX Distributed IDS/IPS do not reserve CPU resources beyond a tiny percentage of a single core. The multi-threaded Distributed IDS/IPS engine spins up 5 worker threads. If sufficient CPU resources are available, these threads are spread across distinct cores. As a result, the IDS/IPS engine can use at most the resources of 5 cores.
The IDS/IPS CPU utilization thresholds used by the Alarm Framework are set to 75%, 85% and 95%, and these values reflect the usage percentage of a single CPU only. Depending on the number of cores used by the Distributed IDS/IPS engine, the actual CPU usage can reach 500% (5 cores x 100% utilization), which exceeds the thresholds set by the Alarm Framework. In most cases, this is not a reason for concern.
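The following worked example is added here and is not VMware's code or part of this article. It models the mismatch described above: the engine's worker threads each report a per-core percentage, the Alarm Framework compares the summed (single-CPU-scaled) figure against the 75%/85%/95% thresholds, and the same samples normalized by the 5 worker threads show whether the engine is actually saturated. The per-thread samples are constructed, and the assumption that the alarm evaluates the plain sum of per-thread usage is taken from the article's "5 cores x 100%" explanation.

```python
"""Assess NSX Distributed IDS/IPS CPU alarm readings against the Alarm
Framework thresholds (added example, not VMware code)."""
from typing import Optional

# Thresholds from the article, expressed as a percentage of one CPU.
THRESHOLDS = (75.0, 85.0, 95.0)
# Worker threads started by the Distributed IDS/IPS engine (from the article).
WORKER_THREADS = 5


def aggregate_utilization(per_thread: list[float]) -> float:
    """Sum of per-thread CPU percentages.

    With one thread per core, each thread contributes up to 100%, so the
    total can reach WORKER_THREADS * 100 (500% for the 5-thread engine).
    """
    if len(per_thread) != WORKER_THREADS:
        raise ValueError(f"expected {WORKER_THREADS} thread samples, got {len(per_thread)}")
    for value in per_thread:
        if not 0.0 <= value <= 100.0:
            raise ValueError(f"per-thread CPU% out of range: {value}")
    return float(sum(per_thread))


def normalized_utilization(per_thread: list[float]) -> float:
    """Average utilization per worker thread (0..100%), i.e. how busy the
    engine really is relative to the cores it is allowed to use."""
    return aggregate_utilization(per_thread) / WORKER_THREADS


def highest_threshold_crossed(utilization: float) -> Optional[float]:
    """Return the highest of the 75/85/95 thresholds that the value meets,
    or None if it stays below all of them."""
    crossed = [t for t in THRESHOLDS if utilization >= t]
    return max(crossed) if crossed else None


def assess(per_thread: list[float]) -> dict:
    """Compare the raw alarm view with the normalized view.

    'benign_false_alarm' is True when the summed figure trips a threshold
    but the per-thread average does not: the pattern the article describes
    as not a reason for concern.
    """
    agg = aggregate_utilization(per_thread)
    norm = normalized_utilization(per_thread)
    raw_hit = highest_threshold_crossed(agg)
    norm_hit = highest_threshold_crossed(norm)
    return {
        "aggregate": agg,
        "normalized": norm,
        "raw_threshold": raw_hit,
        "normalized_threshold": norm_hit,
        "benign_false_alarm": raw_hit is not None and norm_hit is None,
    }


# Constructed samples: a lightly loaded engine and a genuinely saturated one.
NORMAL_LOAD = [40.0, 35.0, 38.0, 42.0, 30.0]
SATURATED = [98.0, 97.0, 99.0, 96.0, 95.0]

if __name__ == "__main__":
    for label, sample in (("normal load", NORMAL_LOAD), ("saturated", SATURATED)):
        print(label, assess(sample))
```

Under normal load the summed figure (185%) already exceeds the 95% threshold even though no worker thread is above 42%, which is exactly why the dashboard alarm fires; the saturated sample crosses 95% in both views and is the case that does merit a closer look at traffic volume and the number of cores available to the engine.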
Resolution
To suppress the Distributed IDS/IPS CPU alarms in the Alarm dashboard:
Check the box next to Distributed IDS/IPS CPU usage alarms, click "ACTION", select "Suppress" from the dropdown list, fill in the Suppress Duration and click "APPLY".
To disable the Distributed IDS/IPS CPU alarms from Alarm Definitions:
Click the three-dot menu next to Distributed IDS/IPS CPU usage alarms, click Edit, and toggle the "Enable Detection" switch off.