Nozomi Networks Central Management Console v1.0.0

Doc ID: d487a0b7-aeb3-11ed-8e6d-fa163e15d75b:506

About the connector

The Nozomi Networks Central Management Console (CMC) consolidates OT and IoT risk monitoring and visibility from Guardian physical or virtual appliances across all of your distributed sites. It integrates with your IT security infrastructure for streamlined workflows and faster response to threats and anomalies.

FortiSOAR also integrates with the Nozomi Networks Guardian. To know more about the Nozomi Networks Guardian connector, see the Nozomi Networks Guardian v1.1.0 connector documentation.

This document describes the Nozomi Networks Central Management Console connector, which lets FortiSOAR™ playbooks interact with a Nozomi Networks Central Management Console server. Add the connector as a step in a FortiSOAR™ playbook to run the automated operations listed below against Nozomi Networks Central Management Console.

Use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents and alerts from Nozomi Networks Central Management Console. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 7.3.1-2105

Authored By: Fortinet

Certified: Yes

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-nozomi-networks-central-management-console

Prerequisites to configuring the connector

  • You must have the URL of the Nozomi Networks Central Management Console server to which you will connect, and the credentials (a username and password pair) of an account on that server that the connector uses to perform the automated operations.
  • The FortiSOAR™ server must have outbound connectivity to port 443 (HTTPS) on the Nozomi Networks Central Management Console server.

Minimum Permissions Required

  • The authenticated user must be in a group that is assigned an "admin" role.

Because the connector authenticates as an administrator, and its Run CLI action executes whatever command a playbook passes to it, treat the stored credentials as a high-privilege secret and restrict who can edit the playbooks that use this connector.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Nozomi Networks Central Management Console connector card. On the connector popup, click the Configurations tab to enter the required configuration details.

Server URL: URL of the Nozomi Networks Central Management Console server to which you will connect and perform automated operations.
Username: Username of the account used to access the Nozomi Networks Central Management Console server.
Password: Password of that account.
Verify SSL: Specifies whether the server's SSL certificate is verified. By default, this is set to 'True'. Keep it enabled outside of lab testing: with verification off, the connector sends the username and password to whichever host answers at the Server URL, so an attacker in the path can capture them.

Actions supported by the connector

The following automated operations can be included in playbooks; the annotation is the name by which each operation is referenced from FortiSOAR™:

Create Indicator
  Creates a threat intelligence indicator in Nozomi Networks Central Management Console from the JSON array of indicators you specify. Each entry in the array must contain the name, threat type, and content of the indicator.
  Annotation: create_threat_intelligence_indicator. Category: Investigation.

Get All Indicators
  Retrieves all threat intelligence indicators from Nozomi Networks Central Management Console.
  Annotation: get_all_threat_intelligence_indicators. Category: Investigation.

Delete Indicator
  Deletes a threat intelligence indicator from Nozomi Networks Central Management Console based on the JSON array of indicators you specify. Each entry in the array must contain the ID and threat type of the indicator.
  Annotation: delete_threat_intelligence_indicator. Category: Investigation.

Get Alerts List
  Retrieves all alerts, or the alerts matching the search query and other filters you specify, from Nozomi Networks Central Management Console.
  Annotation: get_alerts. Category: Investigation.

Fetch All Alerts
  Retrieves all alerts created after the specified start DateTime, optionally narrowed by a search query and appliance IDs, from Nozomi Networks Central Management Console.
  Note: This operation is used by Data Ingestion.
  Annotation: fetch_alerts. Category: Investigation.

Get Assets List
  Retrieves all assets, or the assets matching the search query and other filters you specify, from Nozomi Networks Central Management Console.
  Annotation: get_assets. Category: Investigation.

Import Asset
  Imports assets into Nozomi Networks Central Management Console, allowing you to enrich the information associated with nodes. The information you provide is applied to the nodes that match the specified IP field value; if there is no match, new nodes are created.
  Annotation: import_asset. Category: Investigation.

Get Appliances List
  Retrieves all appliances, or the appliances matching the search query and appliance IDs you specify, from Nozomi Networks Central Management Console.
  Annotation: get_appliances. Category: Investigation.

Get Assertions
  Retrieves all assertions, or the assertions matching the search query you specify, from Nozomi Networks Central Management Console.
  Annotation: get_assertions. Category: Investigation.

Get Captured Logs
  Retrieves all captured logs, or the captured logs matching the search query and appliance IDs you specify, from Nozomi Networks Central Management Console.
  Annotation: get_captured_logs. Category: Investigation.

Get Function Codes
  Retrieves all function codes, or the function codes matching the search query you specify, from Nozomi Networks Central Management Console.
  Annotation: get_function_codes. Category: Investigation.

Get Health Log
  Retrieves all health logs, or the health logs matching the search query and appliance IDs you specify, from Nozomi Networks Central Management Console.
  Annotation: get_health_log. Category: Investigation.

Get Links
  Retrieves all links, or the links matching the search query you specify, from Nozomi Networks Central Management Console.
  Annotation: get_links. Category: Investigation.

Get Node CPE Changes
  Retrieves all node CPE changes, or the node CPE changes matching the search query and appliance IDs you specify, from Nozomi Networks Central Management Console.
  Annotation: get_node_cpe_changes. Category: Investigation.

Get Node CPEs
  Retrieves all node CPEs, or the node CPEs matching the search query and appliance IDs you specify, from Nozomi Networks Central Management Console.
  Annotation: get_node_cpes. Category: Investigation.

Get Node CVEs
  Retrieves all node CVEs, or the node CVEs matching the search query and appliance IDs you specify, from Nozomi Networks Central Management Console.
  Annotation: get_node_cves. Category: Investigation.

Get Nodes
  Retrieves all nodes, or the nodes matching the search query you specify, from Nozomi Networks Central Management Console.
  Annotation: get_nodes. Category: Investigation.

Get Alert Acknowledgement Status
  Retrieves the status of the alert acknowledgment job with the job ID you specify from Nozomi Networks Central Management Console.
  Annotation: get_alert_ack_status. Category: Investigation.

Set Acknowledgment Status
  Sets the alerts with the IDs you specify to Acknowledged or Unacknowledged in Nozomi Networks Central Management Console.
  Annotation: set_alert_ack. Category: Investigation.

Run CLI
  Runs the specified CLI command on Nozomi Networks Central Management Console.
  Annotation: run_cli. Category: Investigation.

operation: Create Indicator

Input parameters

Indicators: Specify a JSON array of the indicators to create in Nozomi Networks Central Management Console. The threat type of each indicator must be one of packet_rules, yara_rules, or stix_indicators.
Note: Each entry in the JSON array must contain the name, threat type, and content of the indicator.

Output

The output contains the following populated JSON schema:
{
"name": "",
"type": "",
"id": ""
}

operation: Get All Indicators

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"name": "",
"type": "",
"id": ""
}

operation: Delete Indicator

Input parameters

Indicators: Specify a JSON array of the indicators to delete from Nozomi Networks Central Management Console. The threat type of each indicator must be one of packet_rules, yara_rules, or stix_indicators, and each entry must contain the ID and threat type of the indicator.
Note: Use the 'Get All Indicators' action to retrieve the ID of an indicator.

Output

The output contains the following populated JSON schema:
{
"id": "",
"type": ""
}
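The Create Indicator and Delete Indicator inputs are easy to get subtly wrong (a typo in the threat type, a blank content body, an ID copied from the wrong entry). The following is an added example, not code from the connector or from Nozomi Networks, that checks the Create Indicator array before the playbook submits it and derives the Delete Indicator array from the Get All Indicators output. The key names name, type, content and id come from the parameter and output descriptions above; the rule bodies, indicator names and IDs are constructed, and the exact rule syntax each threat type requires is an assumption this page does not describe.

```python
"""Build and check the JSON arrays for Create Indicator and Delete Indicator.
Added example for this page, not connector or Nozomi Networks code.  Keys
follow the parameter and output descriptions; all sample data is constructed.
"""
import json

# Threat types the connector accepts, as listed in the parameter description.
THREAT_TYPES = ("packet_rules", "yara_rules", "stix_indicators")


def validate_create_payload(indicators):
    """Check a Create Indicator input: a non-empty array whose entries each
    carry a non-blank name, a supported threat type and a content body.
    Returns the array unchanged, or raises ValueError naming the bad entry
    so the playbook fails before the console rejects the request."""
    if not isinstance(indicators, list) or not indicators:
        raise ValueError("indicators must be a non-empty JSON array")
    for pos, ind in enumerate(indicators):
        if not isinstance(ind, dict):
            raise ValueError(f"indicator {pos}: not a JSON object")
        for key in ("name", "type", "content"):
            value = ind.get(key)
            if not isinstance(value, str) or not value.strip():
                raise ValueError(f"indicator {pos}: missing or empty '{key}'")
        if ind["type"] not in THREAT_TYPES:
            raise ValueError(f"indicator {pos}: unsupported type {ind['type']!r}")
        if ind["type"] == "stix_indicators":
            # A STIX indicator body must itself be JSON; surface a syntax
            # error here rather than in the console's error response.
            json.loads(ind["content"])
    return indicators


def build_delete_payload(listed, names):
    """Turn the Get All Indicators output (entries with name, type and id)
    into the Delete Indicator input (entries with id and type) for the
    named indicators.  An unknown name raises LookupError instead of
    silently deleting nothing."""
    wanted = set(names)
    missing = wanted - {ind["name"] for ind in listed}
    if missing:
        raise LookupError(f"not present on the console: {sorted(missing)}")
    return [{"id": ind["id"], "type": ind["type"]}
            for ind in listed if ind["name"] in wanted]


# Constructed sample content, one entry per supported threat type.  The rule
# text is illustrative; check the console's own rule syntax before use.
PACKET_RULE = ('alert tcp !10.10.0.0/16 any -> 10.10.5.0/24 502 '
               '(msg:"Modbus from outside the OT subnet"; sid:1000001; rev:1;)')
YARA_RULE = """rule Constructed_Marker
{
    strings:
        $s = "constructed-example-marker"
    condition:
        $s
}"""
STIX_INDICATOR = json.dumps({
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--2f6c5a10-7c6e-4d2a-9b61-0f3d1c4e8a55",
    "created": "2024-01-01T00:00:00.000Z",
    "modified": "2024-01-01T00:00:00.000Z",
    "pattern": "[ipv4-addr:value = '203.0.113.7']",
    "pattern_type": "stix",
    "valid_from": "2024-01-01T00:00:00Z",
})

SAMPLE_CREATE = [
    {"name": "modbus-from-outside-ot", "type": "packet_rules", "content": PACKET_RULE},
    {"name": "constructed-marker", "type": "yara_rules", "content": YARA_RULE},
    {"name": "bad-ip-203.0.113.7", "type": "stix_indicators", "content": STIX_INDICATOR},
]

# What Get All Indicators might return once the three entries exist.
SAMPLE_LISTED = [
    {"name": "modbus-from-outside-ot", "type": "packet_rules", "id": "17"},
    {"name": "constructed-marker", "type": "yara_rules", "id": "18"},
    {"name": "bad-ip-203.0.113.7", "type": "stix_indicators", "id": "19"},
]

if __name__ == "__main__":
    print(json.dumps(validate_create_payload(SAMPLE_CREATE), indent=2))
    print(json.dumps(build_delete_payload(SAMPLE_LISTED, ["constructed-marker"]), indent=2))
```

Paste the printed array into the Indicators parameter of the respective step. The delete helper matches on name because that is what an analyst knows; since the console may hold indicators of different types under the same name, every match is returned rather than just the first.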

operation: Get Alerts List

Input parameters

Note: All input parameters are optional. If you specify none, no filter is applied and the full (unfiltered) list of alerts is returned.

Appliance ID: Specify the ID of the appliance, or a comma-separated list of appliance IDs, from which to retrieve alerts from Nozomi Networks Central Management Console.
Start Time: Specify the starting DateTime. Only alerts created after this timestamp are returned.
Risk Level: Specify a risk level (0-10). Only alerts whose risk level is equal to or above this value are returned.
Status: Specify an alert status. Only alerts whose status matches this value are returned.
Alert type: Specify an alert type. Only alerts of this type are returned.
Is Incident: Select this option (set it to 'true') to retrieve only alerts that are part of an incident. By default, this option is cleared (set to 'false').
Search Query: A Nozomi query clause, in pipe syntax, used to search and retrieve alerts from Nozomi Networks Central Management Console. For example: | group_by type_id
Max Alerts: Specify the maximum number of alerts that this operation returns.

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"type_id": "",
"name": "",
"description": "",
"severity": "",
"mac_src": "",
"mac_dst": "",
"ip_src": "",
"ip_dst": "",
"risk": "",
"protocol": "",
"src_roles": "",
"dst_roles": "",
"time": "",
"ack": "",
"id_src": "",
"id_dst": "",
"synchronized": "",
"appliance_id": "",
"port_src": "",
"port_dst": "",
"label_src": "",
"label_dst": "",
"trigger_id": "",
"trigger_type": "",
"appliance_host": "",
"appliance_ip": "",
"transport_protocol": "",
"is_security": "",
"note": "",
"appliance_site": "",
"parents": [],
"is_incident": "",
"properties": {
"bad_actor": "",
"base_risk": "",
"is_dst_node_learned": "",
"is_dst_public": "",
"is_dst_reputation_bad": "",
"is_src_node_learned": "",
"is_src_public": "",
"is_src_reputation_bad": "",
"remediation_target": "",
"victims": [],
"mitre_attack/techniques": [
{
"technique": "",
"name": "",
"tactic": ""
}
]
},
"created_time": "",
"incident_keys": [],
"bpf_filter": "",
"closed_time": "",
"status": "",
"session_id": "",
"replicated": "",
"capture_device": "",
"threat_name": "",
"type_name": "",
"sec_profile_visible": "",
"zone_src": "",
"zone_dst": "",
"mitre_attack_techniques": "",
"mitre_attack_tactics": ""
}
],
"header": [],
"error": "",
"total": ""
}

operation: Fetch All Alerts

Input parameters

Start Time: Specify the starting DateTime. Only alerts created after this timestamp are returned.
Appliance IDs (Optional): Specify the ID of the appliance, or a comma-separated list of appliance IDs, from which to retrieve alerts from the Nozomi Networks Central Management Console server.
Search Query (Optional): A Nozomi query clause, in pipe syntax, used to search and retrieve alerts from the Nozomi Networks Central Management Console server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"type_id": "",
"name": "",
"description": "",
"severity": "",
"mac_src": "",
"mac_dst": "",
"ip_src": "",
"ip_dst": "",
"risk": "",
"protocol": "",
"src_roles": "",
"dst_roles": "",
"time": "",
"ack": "",
"id_src": "",
"id_dst": "",
"synchronized": "",
"appliance_id": "",
"port_src": "",
"port_dst": "",
"label_src": "",
"label_dst": "",
"trigger_id": "",
"trigger_type": "",
"appliance_host": "",
"appliance_ip": "",
"transport_protocol": "",
"is_security": "",
"note": "",
"appliance_site": "",
"parents": [],
"is_incident": "",
"properties": {
"bad_actor": "",
"base_risk": "",
"is_dst_node_learned": "",
"is_dst_public": "",
"is_dst_reputation_bad": "",
"is_src_node_learned": "",
"is_src_public": "",
"is_src_reputation_bad": "",
"remediation_target": "",
"victims": [],
"mitre_attack/techniques": [
{
"technique": "",
"name": "",
"tactic": ""
}
]
},
"created_time": "",
"incident_keys": [],
"bpf_filter": "",
"closed_time": "",
"status": "",
"session_id": "",
"replicated": "",
"capture_device": "",
"threat_name": "",
"type_name": "",
"sec_profile_visible": "",
"zone_src": "",
"zone_dst": "",
"mitre_attack_techniques": "",
"mitre_attack_tactics": ""
}
],
"header": [],
"error": "",
"total": ""
}
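A playbook that ingests alerts usually has to do more with the result array above than copy it into records: the same alert can come back on consecutive pulls, acknowledged alerts are rarely worth a new case, and Fetch All Alerts needs a Start Time cursor for the next run. The following is an added example, not code from the connector or from Nozomi Networks, that performs that post-processing on a constructed result array using only fields named in the output schema. It assumes that 'time' is an epoch-millisecond value, that 'risk' may arrive as a number or as a numeric string, and that the risk-to-severity buckets it uses are this example's choice rather than a Nozomi or FortiSOAR mapping; the 'mitre_attack/techniques' entries are read exactly as the schema lists them.

```python
"""Post-process the 'result' array from Get Alerts List / Fetch All Alerts.
Added example for this page, not connector or Nozomi Networks code.  Field
names follow the output schema above; the sample alerts are constructed.
Assumptions: 'time' is epoch milliseconds; 'risk' may be a numeric string;
the severity buckets are this example's own.
"""


def severity_for(risk):
    """Map the 0-10 Nozomi risk score (number or string) to a coarse label."""
    risk = float(risk or 0)
    if risk >= 8:
        return "Critical"
    if risk >= 5:
        return "High"
    if risk >= 3:
        return "Medium"
    return "Low"


def triage(result, min_risk=5, skip_acknowledged=True):
    """Deduplicate by alert id, drop acknowledged and low-risk alerts, pull
    the MITRE ATT&CK technique ids out of 'properties', and return compact
    records sorted by risk descending, then by time."""
    seen = set()
    out = []
    for alert in result:
        if alert["id"] in seen:
            continue
        seen.add(alert["id"])
        risk = float(alert.get("risk") or 0)
        if risk < min_risk or (skip_acknowledged and alert.get("ack")):
            continue
        techniques = (alert.get("properties") or {}).get("mitre_attack/techniques") or []
        out.append({
            "id": alert["id"],
            "name": alert.get("name", ""),
            "risk": risk,
            "severity": severity_for(risk),
            "is_incident": bool(alert.get("is_incident")),
            "source": f"{alert.get('ip_src', '')}:{alert.get('port_src', '')}",
            "destination": f"{alert.get('ip_dst', '')}:{alert.get('port_dst', '')}",
            "appliance": alert.get("appliance_host", ""),
            "techniques": sorted({t["technique"] for t in techniques if t.get("technique")}),
            "time": int(alert.get("time") or 0),
        })
    out.sort(key=lambda a: (-a["risk"], a["time"]))
    return out


def next_start_time(result, previous):
    """Cursor for the next Fetch All Alerts call.  Start Time selects alerts
    created after the timestamp, so the newest 'time' seen is passed as-is;
    an empty pull keeps the previous cursor."""
    return max([int(a.get("time") or 0) for a in result] + [previous])


# Constructed sample: a low-risk alert, a high-risk incident returned twice
# (as a second pull overlapping the first might), and an acknowledged alert.
_INCIDENT = {
    "id": "1002", "name": "Modbus write from new source", "risk": 8, "ack": False,
    "time": 1700000005000, "ip_src": "10.10.9.3", "ip_dst": "10.10.5.20",
    "port_src": 49152, "port_dst": 502, "appliance_host": "guardian-site-a",
    "is_incident": True,
    "properties": {"mitre_attack/techniques": [
        {"technique": "T0836", "name": "Modify Parameter", "tactic": "Impair Process Control"}]},
}
SAMPLE_RESULT = [
    {"id": "1001", "name": "New node", "risk": "3", "ack": False, "time": 1700000000000,
     "ip_src": "10.10.5.7", "ip_dst": "", "port_src": "", "port_dst": "",
     "appliance_host": "guardian-site-a", "is_incident": False, "properties": {}},
    _INCIDENT,
    dict(_INCIDENT),
    {"id": "1003", "name": "Weak password", "risk": 9, "ack": True, "time": 1700000010000,
     "ip_src": "10.10.5.7", "ip_dst": "10.10.5.20", "port_src": 51000, "port_dst": 23,
     "appliance_host": "guardian-site-a", "is_incident": False, "properties": {}},
]

if __name__ == "__main__":
    for record in triage(SAMPLE_RESULT):
        print(record)
    print("next Start Time:", next_start_time(SAMPLE_RESULT, 0))
```

Run on the constructed input, triage keeps only alert 1002 (1001 is below the risk floor, 1003 is acknowledged, and the duplicate 1002 is dropped), and the next Start Time is the newest time seen, 1700000010000. Persist that cursor between playbook runs; the dedupe step covers the case where the console treats Start Time inclusively.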

operation: Get Assets List

Input parameters

Note: All input parameters are optional. If you specify none, no filter is applied and the full (unfiltered) list of assets is returned.

Appliance IDs: Specify the ID of the appliance, or a comma-separated list of appliance IDs, from which to retrieve assets from Nozomi Networks Central Management Console.
Level: Select the level (0-4). Only assets whose level equals the specified value are returned.
Asset type: Specify an asset type, or a comma-separated list of asset types. Only assets whose type matches one of the specified values are returned.
Search Query: A Nozomi query clause, in pipe syntax, used to search and retrieve assets from the Nozomi Networks Central Management Console server. For example: | head 2
Max Assets: Specify the maximum number of assets that this operation returns.

Output

The output contains the following populated JSON schema:
{
"result": [
{
"name": "",
"level": "",
"appliance_hosts": [],
"ip": [],
"mac_address": [],
"mac_vendor": [],
"os": "",
"roles": [],
"vendor": "",
"firmware_version": "",
"os_or_firmware": "",
"serial_number": "",
"product_name": "",
"type": "",
"protocols": [],
"nodes": [],
"custom_fields": {},
"deleted_at": "",
"time": "",
"synchronized": "",
"replicated": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"mac_address_level": {},
"id": "",
"vendor:info": {
"source": "",
"granularity": "",
"confidence": ""
},
"firmware_version:info": {
"source": ""
},
"product_name:info": {
"source": ""
},
"serial_number:info": {
"source": ""
},
"type:info": {
"source": ""
},
"capture_device": "",
"vlan_id": [],
"zones": [],
"_asset_kb_id": "",
"created_at": "",
"fields": {},
"last_activity_time": "",
"appliance_sites": [],
"end_of_sale_date": "",
"end_of_sale_date:info": {
"source": ""
},
"end_of_support_date": "",
"end_of_support_date:info": {
"source": ""
},
"lifecycle": "",
"lifecycle:info": {
"source": ""
},
"is_ai_enriched": "",
"os:info": {
"source": ""
}
}
],
"header": [],
"error": "",
"total": ""
}

operation: Import Asset

Input parameters

Import Type: Select the type of import to use for importing assets into Nozomi Networks Central Management Console: JSON or CSV.
  • If you choose 'JSON', you must specify the following parameter:
    • Asset: A list of fields and their values, in JSON format, to import as an asset into Nozomi Networks Central Management Console.
  • If you choose 'CSV', you must specify the following parameters:
    • Type: Choose between Attachment ID and File IRI.
    • File Attachment/IRI Reference: The file attachment ID or IRI reference used to read the attachment metadata from the FortiSOAR™ Attachments module. In a playbook, if you select 'File Attachment' this defaults to the {{vars.attachment_id}} value; if you select 'IRI Reference' it defaults to the {{vars.file_iri}} value.

Output

The output contains the following populated JSON schema:
{
"result": "",
"error": ""
}

operation: Get Appliances List

Input parameters

Note: All input parameters are optional. If you specify none, no filter is applied and the full (unfiltered) list of appliances is returned.

Appliance IDs: Specify the ID of the appliance, or a comma-separated list of appliance IDs, to retrieve from Nozomi Networks Central Management Console.
Search Query: A Nozomi query clause, in pipe syntax, used to search and retrieve appliances from the Nozomi Networks Central Management Console server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"ip": "",
"last_sync": "",
"id": "",
"info": {
"description": "",
"appliance_type": "",
"appliance_mode": "",
"model": "",
"uptime": {
"days": "",
"hours": "",
"minutes": "",
"seconds": ""
},
"network_interfaces": "",
"has_sp_code": "",
"has_sp_license": "",
"license_base": {
"licensee": "",
"bundle_name": "",
"license_id": "",
"license_machine_id": "",
"is_disabled": "",
"type": "",
"status": "",
"extra": {
"expire_date": "",
"actual_licensed_nodes": "",
"supported_nodes": ""
},
"can_be_set": ""
},
"license_threat_intelligence": {
"licensee": "",
"license_id": "",
"license_machine_id": "",
"is_disabled": "",
"type": "",
"status": "",
"extra": {
"expire_date": ""
},
"can_be_set": ""
},
"license_asset_intelligence": {
"licensee": "",
"license_id": "",
"license_machine_id": "",
"is_disabled": "",
"type": "",
"status": "",
"extra": {
"expire_date": ""
},
"can_be_set": ""
},
"license_smart_polling": {
"licensee": "",
"license_id": "",
"license_machine_id": "",
"is_disabled": "",
"type": "",
"status": "",
"extra": {
"expire_date": ""
},
"can_be_set": ""
},
"risk": "",
"alerts_count": "",
"alerts_count_last_5m": "",
"nodes_count": "",
"links_count": "",
"variables_count": "",
"assets_count": "",
"all_speed": "",
"throughput_series": [],
"cpu_perc": "",
"mem_free": "",
"mem_used": "",
"disk_usage_perc": "",
"host": "",
"site": "",
"fips_enabled": "",
"n2os_version": "",
"data": {
"total": "",
"used": "",
"free": "",
"free_perc": "",
"used_perc": "",
"status": ""
},
"ntp_offset": "",
"time": "",
"time_utc_offset": "",
"has_low_ram": "",
"has_reached_limits": "",
"is_under_high_load": "",
"has_migration_errors": "",
"machine_id": "",
"last_cmc": "",
"update_message": ""
},
"allowed": "",
"sync_throughput": "",
"is_updating": "",
"map_position": "",
"previous_alerts_count_last_5m": "",
"version_locked": "",
"site": "",
"host": "",
"time": "",
"synchronized": "",
"replicated": "",
"deleted_at": "",
"health": {
"stale": "",
"status": ""
},
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"force_update": "",
"model": "",
"last_seen_packet": "",
"bpf_filters_to_be_propagated": "",
"have_bpf_filters_changed": "",
"certificate_exchange_status": "",
"denylists_to_be_propagated": "",
"have_denylists_changed": "",
"rc_has_connection_errors": ""
}
],
"header": [],
"error": "",
"total": ""
}

operation: Get Assertions

Input parameters

Note: All input parameters are optional. If you specify none, no filter is applied and the full (unfiltered) list of assertions is returned.

Search Query: A Nozomi query clause, in pipe syntax, used to search and retrieve assertions from the Nozomi Networks Central Management Console server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": [
{
"query": "",
"result": "",
"name": "",
"failed_since": "",
"id": "",
"can_send_alert": "",
"has_sent_alert": "",
"bpf_filter": "",
"failures_count": "",
"time": "",
"alert_delay": "",
"can_request_trace": "",
"alert_risk": "",
"is_security": "",
"group_id": "",
"note": "",
"deleted_at": "",
"replicated": "",
"synchronized": "",
"propagate_to_appliances": "",
"propagated": ""
}
]
}

operation: Get Captured Logs

Input parameters

Note: All input parameters are optional. If you specify none, no filter is applied and the full (unfiltered) list of captured logs is returned.

Appliance IDs: Specify the ID of the appliance, or a comma-separated list of appliance IDs, from which to retrieve captured logs from Nozomi Networks Central Management Console.
Search Query: A Nozomi query clause, in pipe syntax, used to search and retrieve captured logs from the Nozomi Networks Central Management Console server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": [
{
"id": "",
"time": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"synchronized": "",
"id_src": "",
"id_dst": "",
"protocol": "",
"log": "",
"replicated": "",
"sync_time": ""
}
]
}

operation: Get Function Codes

Input parameters

Note: All input parameters are optional. If you specify none, no filter is applied and the full (unfiltered) list of function codes is returned.

Search Query: A Nozomi query clause, in pipe syntax, used to search and retrieve function codes from the Nozomi Networks Central Management Console server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"protocol": "",
"fc": "",
"count": "",
"description": ""
}
],
"header": [],
"total": ""
}

operation: Get Health Log

Input parameters

Note: All input parameters are optional. If you specify none, no filter is applied and the full (unfiltered) list of health logs is returned.

Appliance IDs: Specify the ID of the appliance, or a comma-separated list of appliance IDs, from which to retrieve health logs from Nozomi Networks Central Management Console.
Search Query: A Nozomi query clause, in pipe syntax, used to search and retrieve health logs from the Nozomi Networks Central Management Console server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"time": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"synchronized": "",
"info": {
"description": ""
},
"replicated": ""
}
],
"header": [],
"error": "",
"total": ""
}

operation: Get Links

Input parameters

Note: All input parameters are optional. If you specify none, no filter is applied and the full (unfiltered) list of links is returned.

Search Query: A Nozomi query clause, in pipe syntax, used to search and retrieve links from the Nozomi Networks Central Management Console server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"from": "",
"to": "",
"is_from_public": "",
"is_to_public": "",
"protocol": "",
"first_activity_time": "",
"last_activity_time": "",
"last_handshake_time": "",
"transport_protocols": [],
"tcp_handshaked_connections.total": "",
"tcp_handshaked_connections.last_5m": "",
"tcp_handshaked_connections.last_15m": "",
"tcp_handshaked_connections.last_30m": "",
"tcp_connection_attempts.total": "",
"tcp_connection_attempts.last_5m": "",
"tcp_connection_attempts.last_15m": "",
"tcp_connection_attempts.last_30m": "",
"transferred.packets": "",
"transferred.bytes": "",
"transferred.last_5m_bytes": "",
"transferred.last_15m_bytes": "",
"transferred.last_30m_bytes": "",
"transferred.smallest_packet_bytes": "",
"transferred.biggest_packet_bytes": "",
"transferred.avg_packet_bytes": "",
"tcp_retransmission.percent": "",
"tcp_retransmission.packets": "",
"tcp_retransmission.bytes": "",
"tcp_retransmission.last_5m_bytes": "",
"tcp_retransmission.last_15m_bytes": "",
"tcp_retransmission.last_30m_bytes": "",
"throughput_speed": "",
"is_learned": "",
"is_fully_learned": "",
"is_broadcast": "",
"has_confirmed_data": "",
"_can": {
"link_events": "",
"captured_urls": "",
"trace_requests": ""
},
"alerts": "",
"last_trace_request_time": "",
"_ports": [
{
"tcp": ""
}
],
"active_checks": [],
"_checks": {},
"function_codes": [],
"bpf_filter": "",
"from_zone": "",
"to_zone": ""
}
],
"header": [],
"total": ""
}

operation: Get Node CPE Changes

Input parameters

Note: All input parameters are optional. If you specify none, no filter is applied and the full (unfiltered) list of node CPE changes is returned.

Appliance IDs: Specify the ID of the appliance, or a comma-separated list of appliance IDs, from which to retrieve node CPE changes from Nozomi Networks Central Management Console.
Search Query: A Nozomi query clause, in pipe syntax, used to search and retrieve node CPE changes from the Nozomi Networks Central Management Console server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"node_id": "",
"cpe": "",
"cpe_part": "",
"cpe_vendor": "",
"cpe_product": "",
"cpe_version": "",
"cpe_update": "",
"new_cpe": "",
"new_cpe_vendor": "",
"new_cpe_product": "",
"new_cpe_version": "",
"new_cpe_update": "",
"node_cpe_id": "",
"time": "",
"synchronized": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"human_cpe_vendor": "",
"human_cpe_product": "",
"new_human_cpe_vendor": "",
"new_human_cpe_product": "",
"human_cpe_version": "",
"human_cpe_update": "",
"new_human_cpe_version": "",
"new_human_cpe_update": "",
"likelihood": "",
"new_likelihood": "",
"replicated": "",
"cpe_edition": "",
"new_cpe_edition": "",
"human_cpe_edition": "",
"new_human_cpe_edition": ""
}
],
"header": [],
"error": "",
"total": ""
}

operation: Get Node CPEs

Input parameters

Note: All input parameters are optional. If you specify none, no filter is applied and the full (unfiltered) list of node CPEs is returned.

Appliance IDs: Specify the ID of the appliance, or a comma-separated list of appliance IDs, from which to retrieve node CPEs from Nozomi Networks Central Management Console.
Search Query: A Nozomi query clause, in pipe syntax, used to search and retrieve node CPEs from the Nozomi Networks Central Management Console server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"node_id": "",
"cpe": "",
"cpe_part": "",
"cpe_vendor": "",
"cpe_product": "",
"cpe_version": "",
"cpe_update": "",
"time": "",
"synchronized": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"updated": "",
"cpe_translator": "",
"human_cpe_vendor": "",
"human_cpe_product": "",
"human_cpe_version": "",
"human_cpe_update": "",
"likelihood": "",
"replicated": "",
"cpe_edition": "",
"human_cpe_edition": "",
"unique_hw_id": "",
"deleted_at": "",
"asset_id": "",
"node_label": "",
"node_type": "",
"node_vendor": "",
"node_product_name": "",
"node_firmware_version": "",
"zone": "",
"node_os": ""
}
],
"header": [],
"error": "",
"total": ""
}

operation: Get Node CVEs

Input parameters

Note: All input parameters are optional. If you specify none, no filter is applied and the full (unfiltered) list of node CVEs is returned.

Appliance IDs: Specify the ID of the appliance, or a comma-separated list of appliance IDs, from which to retrieve node CVEs from Nozomi Networks Central Management Console.
Search Query: A Nozomi query clause, in pipe syntax, used to search and retrieve node CVEs from the Nozomi Networks Central Management Console server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"node_id": "",
"cve": "",
"time": "",
"cwe_id": "",
"cwe_name": "",
"matching_cpes": [],
"likelihood": "",
"resolved": "",
"resolved_reason": "",
"resolved_source": "",
"installed_on": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"zone": "",
"asset_id": "",
"node_label": "",
"node_type": "",
"node_vendor": "",
"node_product_name": "",
"node_firmware_version": "",
"node_os": "",
"resolution_status": "",
"cve_summary": "",
"cve_references": [
{
"name": "",
"reference_type": "",
"source": "",
"url": ""
}
],
"cve_score": "",
"cve_creation_time": "",
"cve_update_time": "",
"cve_source": ""
}
],
"header": [],
"error": "",
"total": ""
}
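Get Node CVEs returns one row per CVE per node, which is the wrong granularity for a vulnerability case: an analyst wants one item per asset, worst first, with resolved findings already removed. The following is an added example, not code from the connector or from Nozomi Networks, that groups a constructed result array into per-asset summaries using only fields named in the output schema above. It assumes that 'cve_score' is a 0-10 CVSS base score that may arrive as a string, that 'resolved' is a boolean, and the CVE identifiers and CPE strings in the sample are placeholders rather than real entries.

```python
"""Rank assets by the unresolved CVEs reported by Get Node CVEs.  Added
example for this page, not connector or Nozomi Networks code.  Only fields
named in the output schema above are used; the rows are constructed and the
CVE ids are placeholders.  Assumptions: 'cve_score' is a 0-10 CVSS base
score (possibly a string) and 'resolved' is a boolean.
"""
from collections import defaultdict


def rank_assets(result, min_score=7.0):
    """Group unresolved CVEs at or above min_score by asset_id and return
    one summary per asset, worst first (highest maximum score, then most
    CVEs).  Rows without an asset_id fall back to node_id so that a node
    the console has not mapped to an asset is not silently dropped."""
    groups = defaultdict(list)
    labels = {}
    for row in result:
        if row.get("resolved"):
            continue
        score = float(row.get("cve_score") or 0)
        if score < min_score:
            continue
        key = row.get("asset_id") or row.get("node_id")
        groups[key].append({"cve": row["cve"], "score": score,
                            "cpes": list(row.get("matching_cpes") or [])})
        labels.setdefault(key, row.get("node_label") or row.get("node_id", ""))
    summaries = []
    for key, cves in groups.items():
        cves.sort(key=lambda c: -c["score"])
        summaries.append({
            "asset_id": key,
            "node_label": labels[key],
            "max_score": cves[0]["score"],
            "cve_count": len(cves),
            "cves": [c["cve"] for c in cves],
            "cpes": sorted({cpe for c in cves for cpe in c["cpes"]}),
        })
    summaries.sort(key=lambda s: (-s["max_score"], -s["cve_count"], s["asset_id"]))
    return summaries


# Constructed rows: two CVEs on a PLC (plus one already resolved), one on an
# HMI, and two on a node with no asset mapping, one of them below the floor.
SAMPLE_RESULT = [
    {"id": "1", "node_id": "10.10.5.20", "cve": "CVE-2099-0001", "cve_score": "9.8",
     "resolved": False, "asset_id": "asset-plc-01", "node_label": "PLC-01",
     "matching_cpes": ["cpe:2.3:h:examplevendor:plc:1.2:*:*:*:*:*:*:*"]},
    {"id": "2", "node_id": "10.10.5.20", "cve": "CVE-2099-0002", "cve_score": 7.5,
     "resolved": False, "asset_id": "asset-plc-01", "node_label": "PLC-01",
     "matching_cpes": []},
    {"id": "3", "node_id": "10.10.5.20", "cve": "CVE-2099-0003", "cve_score": 9.9,
     "resolved": True, "resolved_reason": "patched", "asset_id": "asset-plc-01",
     "node_label": "PLC-01", "matching_cpes": []},
    {"id": "4", "node_id": "10.10.5.31", "cve": "CVE-2099-0004", "cve_score": "8.1",
     "resolved": False, "asset_id": "asset-hmi-02", "node_label": "HMI-02",
     "matching_cpes": []},
    {"id": "5", "node_id": "10.10.5.40", "cve": "CVE-2099-0005", "cve_score": 4.3,
     "resolved": False, "asset_id": "", "node_label": "", "matching_cpes": []},
    {"id": "6", "node_id": "10.10.5.40", "cve": "CVE-2099-0006", "cve_score": 7.2,
     "resolved": False, "asset_id": "", "node_label": "", "matching_cpes": []},
]

if __name__ == "__main__":
    for summary in rank_assets(SAMPLE_RESULT):
        print(summary)
```

On the constructed rows the PLC ranks first with two CVEs (the resolved 9.9 is excluded), the HMI second, and the unmapped node last under its node_id; raising min_score to 9.0 leaves only the PLC. Feed each summary to one FortiSOAR record rather than one per row.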

operation: Get Nodes

Input parameters

Note: All input parameters are optional. If you specify none, no filter is applied and the full (unfiltered) list of nodes is returned.

Search Query: A Nozomi query clause, in pipe syntax, used to search and retrieve nodes from the Nozomi Networks Central Management Console server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"appliance_host": "",
"label": "",
"id": "",
"_asset_kb_id": "",
"ip": "",
"mac_address": "",
"mac_address:info": {
"source": "",
"likelihood": "",
"likelihood_level": ""
},
"mac_vendor": "",
"_private_status": "",
"subnet": "",
"vlan_id": "",
"vlan_id:info": {
"source": ""
},
"zone": "",
"level": "",
"type": "",
"type:info": {
"source": ""
},
"os": "",
"os:info": {
"source": ""
},
"vendor": "",
"vendor:info": {
"source": ""
},
"product_name": "",
"product_name:info": {
"source": ""
},
"firmware_version": "",
"firmware_version:info": {
"source": ""
},
"serial_number": "",
"serial_number:info": {
"source": ""
},
"is_broadcast": "",
"is_public": "",
"fields": {},
"reputation": "",
"is_compromised": "",
"is_confirmed": "",
"is_learned": "",
"is_fully_learned": "",
"is_disabled": "",
"_is_licensed": "",
"roles": [],
"links": [
{
"id": "",
"protos": [
{
"name": "",
"last_activity": ""
}
]
}
],
"links_count": "",
"protocols": [],
"created_at": "",
"first_activity_time": "",
"last_activity_time": "",
"received.packets": "",
"received.bytes": "",
"received.last_5m_bytes": "",
"received.last_15m_bytes": "",
"received.last_30m_bytes": "",
"sent.packets": "",
"sent.bytes": "",
"sent.last_5m_bytes": "",
"sent.last_15m_bytes": "",
"sent.last_30m_bytes": "",
"tcp_retransmission.percent": "",
"tcp_retransmission.packets": "",
"tcp_retransmission.bytes": "",
"tcp_retransmission.last_5m_bytes": "",
"tcp_retransmission.last_15m_bytes": "",
"tcp_retransmission.last_30m_bytes": "",
"variables_count": "",
"device_id": "",
"properties": {},
"custom_fields": {},
"bpf_filter": "",
"device_modules": {},
"capture_device": ""
}
],
"header": [],
"total": ""
}

operation: Get Alert Acknowledgement Status

Input parameters

Job ID: Specify the ID of the alert acknowledgment job whose status you want to retrieve from Nozomi Networks Central Management Console.
Note: The 'Set Acknowledgment Status' operation returns the Job ID (the 'id' field in its output).

Output

The output contains the following populated JSON schema:
{
"result": {
"status": ""
}
}

operation: Set Acknowledgment Status

Input parameters

Parameter Description
Alert IDs List of comma-separated alert IDs whose acknowledgment status you want to set in Nozomi Networks Central Management Console.
Acknowledgment Status Select this checkbox to set the acknowledgment status of specified alerts to 'Acknowledge' or clear this checkbox to set the acknowledgment status of specified alerts to 'UnAcknowledge' in Nozomi Networks Central Management Console.

Output

The output contains the following populated JSON schema:
{
"result": {
"id": ""
},
"error": ""
}

operation: Run CLI

Input parameters

Parameter Description
Command Specify the CLI command that you want to run on Nozomi Networks Central Management Console.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - Nozomi Networks Central Management Console - 1.0.0 playbook collection comes bundled with the Nozomi Networks Central Management Console connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Nozomi Networks Central Management Console connector.

  • > Nozomi Networks Central Management Console > Fetch Alerts
  • Create Indicator
  • Delete Indicator
  • Fetch All Alerts
  • Get Alert Acknowledgement Status
  • Get Alerts List
  • Get All Indicators
  • Get Appliances List
  • Get Assertions
  • Get Assets List
  • Get Captured Logs
  • Get Function Codes
  • Get Health Log
  • Get Links
  • Get Node CPE Changes
  • Get Node CPEs
  • Get Node CVEs
  • Get Nodes
  • Import Asset
  • Nozomi Networks Central Management Console > Create Alerts
  • Nozomi Networks Central Management Console > Ingest
  • Run CLI
  • Set Acknowledgment Status

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Nozomi Networks Central Management Console. Currently, "incidents" in Nozomi Networks Central Management Console are mapped to "incidents" in FortiSOAR™. An incident in Nozomi contains alerts: each alert in Nozomi carries an is_incident parameter that states whether that alert is part of an incident. If the alert is part of an incident, the is_incident parameter is set to "true" (otherwise "false"). Therefore, when an alert whose is_incident parameter is "true" is mapped from Nozomi, both an "Incident" record and a correlated "Alert" record are created in FortiSOAR™. If the is_incident parameter is "false", only an alert record is created in FortiSOAR™.
Important: It is recommended that you run Data Ingestion for Nozomi Networks Central Management Console with the default selected "Incidents" module. Selecting a module other than "Incidents" might cause the data ingestion to fail.

For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Nozomi Networks Central Management Console "incidents" to FortiSOAR™ "incidents".

The Data Ingestion Wizard enables you to configure the scheduled pulling of data from Nozomi Networks Central Management Console into FortiSOAR™. It also lets you pull some sample data from Nozomi Networks Central Management Console using which you can define the mapping of data between Nozomi Networks Central Management Console and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Nozomi Networks Central Management Console incident.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Nozomi Networks Central Management Console connector’s "Configurations" page.

    Sample data is required to create a field mapping between Nozomi Networks Central Management Console data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch Nozomi Networks Central Management Console incidents. In the Pull Threats from Last X Minutes field, type the time in minutes from when you want to pull incidents from Nozomi Networks Central Management Console. This parameter filters the result set to include only those incidents that have been created after the specified timestamp. Optionally, in the Appliance IDs field, you can specify the appliance ID or a comma-separated list of appliance IDs from which you want to retrieve alerts.

    Once you have completed specifying the configurations, click Fetch Data.
  3. On the Field Mapping screen, map the fields of a Nozomi Networks Central Management Console incident to the fields of an incident present in FortiSOAR™. The Field Mapping screen displays the Sample Data on the right side and the Field Mapping (FortiSOAR™ fields) on the left side. The sample data is in the form of a Key-Value pair.
    From the Module drop-down list that appears next to Field Mapping, select the FortiSOAR™ module for which you want to map the fields. The default module, Incident, is already selected.
    Note: It is recommended that you do not change the default selected module. Selecting a module other than the default might cause the data ingestion to fail, and you will need to remap all the fields.
    Also, some fields such as Name and some picklists come pre-mapped with their jinja value. You do not need to re-map these fields unless you want to override their default values.
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the risk parameter of a Nozomi Networks Central Management Console incident to the Vulnerability Severity parameter of a FortiSOAR™ incident, click the Vulnerability Severity field and then click the risk field to populate its keys.

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
  4. Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Nozomi Networks Central Management Console, so that the content gets pulled from the Nozomi Networks Central Management Console into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from Nozomi Networks Central Management Console every morning at 5 am, click Daily, enter 5 in the hour box, and enter 0 in the minute box.

    Once you have completed scheduling, click Save Settings & Continue.
  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks.
    Click Done to complete the data ingestion and exit the Data Ingestion Wizard.

Prerequisites to configuring the connector

Minimum Permissions Required

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Nozomi Networks Central Management Console connector card. On the connector popup, click the Configurations tab to enter the required configuration details.

Parameter Description
Server URL URL of the Nozomi Networks Central Management Console server to which you will connect and perform automated operations.
Username Username to access the Nozomi Networks Central Management Console server to which you will connect and perform automated operations.
Password Password to access the Nozomi Networks Central Management Console server to which you will connect and perform automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not. By default, this is set as 'True'.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:

Function Description Annotation and Category
Create Indicator Creates a threat intelligence indicator in Nozomi Networks Central Management Console based on the JSON array list of indicators you have specified. The JSON array must contain the name, threat type, and content of the indicator. create_threat_intelligence_indicator
Investigation
Get All Indicators Retrieves all threat intelligence indicators from Nozomi Networks Central Management Console. get_all_threat_intelligence_indicators
Investigation
Delete Indicator Deletes a threat intelligence indicator from Nozomi Networks Central Management Console based on the JSON array list of indicators you have specified. The JSON array must contain the ID and threat type of the indicator. delete_threat_intelligence_indicator
Investigation
Get Alerts List Retrieves all alerts or specific alerts from Nozomi Networks Central Management Console based on the search query and other input parameters you have specified. get_alerts
Investigation
Fetch All Alerts Retrieves all alerts or specific alerts from Nozomi Networks Central Management Console based on the start DateTime and, optionally, the search query and appliance ID you have specified.
Note: This operation is used while running Data Ingestion.
fetch_alerts
Investigation
Get Assets List Retrieves all assets or specific assets from Nozomi Networks Central Management Console based on the search query and other input parameters you have specified. get_assets
Investigation
Import Asset Imports assets into Nozomi Networks Central Management Console, allowing you to enrich information associated with nodes. The information that you provide affects the nodes that match the specified IP field value. If there are no matches, then new nodes are created. import_asset
Investigation
Get Appliances List Retrieves all appliances or specific appliances from Nozomi Networks Central Management Console based on the search query and appliance ID you have specified. get_appliances
Investigation
Get Assertions Retrieves all assertions or specific assertions from Nozomi Networks Central Management Console based on the search query you have specified. get_assertions
Investigation
Get Captured Logs Retrieves all captured logs or specific captured logs from Nozomi Networks Central Management Console based on the search query and appliance ID you have specified. get_captured_logs
Investigation
Get Function Codes Retrieves all function codes or specific function codes from Nozomi Networks Central Management Console based on the search query you have specified. get_function_codes
Investigation
Get Health Log Retrieves all health logs or specific health logs from Nozomi Networks Central Management Console based on the search query and appliance ID you have specified. get_health_log
Investigation
Get Links Retrieves all links or specific links from Nozomi Networks Central Management Console based on the search query you have specified. get_links
Investigation
Get Node CPE Changes Retrieves all node CPE changes or specific node CPE changes from Nozomi Networks Central Management Console based on the search query and appliance ID you have specified. get_node_cpe_changes
Investigation
Get Node CPEs Retrieves all node CPEs or specific node CPEs from Nozomi Networks Central Management Console based on the search query and appliance ID you have specified. get_node_cpes
Investigation
Get Node CVEs Retrieves all node CVEs or specific node CVEs from Nozomi Networks Central Management Console based on the search query and appliance ID you have specified. get_node_cves
Investigation
Get Nodes Retrieves all nodes or specific nodes from Nozomi Networks Central Management Console based on the search query you have specified. get_nodes
Investigation
Get Alert Acknowledgement Status Retrieves all alert acknowledgment statuses from Nozomi Networks Central Management Console based on the job ID you have specified. get_alert_ack_status
Investigation
Set Acknowledgment Status Sets the alert status to Acknowledge or Unacknowledge in Nozomi Networks Central Management Console based on the alert IDs you have specified. set_alert_ack
Investigation
Run CLI Runs the specified CLI command on Nozomi Networks Central Management Console. run_cli
Investigation

operation: Create Indicator

Input parameters

Parameter Description
Indicators Specify a JSON array list of indicators using which you want to create a threat intelligence indicator in Nozomi Networks Central Management Console. You can specify one of the following threat types: packet_rules, yara_rules, or stix_indicators.
Note: The JSON array must contain the name, threat type, and content of the indicator.

Output

The output contains the following populated JSON schema:
{
"name": "",
"type": "",
"id": ""
}

operation: Get All Indicators

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"name": "",
"type": "",
"id": ""
}

operation: Delete Indicator

Input parameters

Parameter Description
Indicators Specify a JSON array list of indicators using which you want to delete a threat intelligence indicator in Nozomi Networks Central Management Console. You can specify one of the following threat types: packet_rules, yara_rules, or stix_indicators. The JSON array must contain the ID and threat type of the indicator.
Note: Use the 'Get All Indicators' action to retrieve the ID of an indicator.
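
As an added example (not code from the FortiSOAR connector or from Nozomi Networks), the following Python builds and validates the JSON array for both the Create Indicator and Delete Indicator operations: a create entry must carry name, type and content, a delete entry id and type, and type must be one of packet_rules, yara_rules or stix_indicators. The sample YARA content, the indicator names and the ids are constructed; the delete_payload_from_listing helper assumes the Get All Indicators output is a list of name/type/id objects as its schema above shows.

```python
"""Build and validate the JSON array that the Create Indicator and Delete
Indicator operations take as their 'Indicators' parameter.

Added example, not code from the FortiSOAR connector or from Nozomi Networks.
It enforces only what this page states: a create entry needs name, type and
content; a delete entry needs id and type; type is one of packet_rules,
yara_rules or stix_indicators. All sample values below are constructed.
"""
import json

THREAT_TYPES = ("packet_rules", "yara_rules", "stix_indicators")
CREATE_KEYS = ("name", "type", "content")
DELETE_KEYS = ("id", "type")

# Constructed YARA rule used as sample indicator content.
CONSTRUCTED_RULE = 'rule constructed_example { strings: $m = "constructed-marker" condition: $m }'

# Constructed input for Create Indicator; the extra "note" key is dropped on output.
SAMPLE_CREATE = [
    {"name": "constructed-yara-example", "type": "yara_rules",
     "content": CONSTRUCTED_RULE, "note": "not part of the payload"},
]

# Constructed listing shaped like the Get All Indicators output (name, type, id).
SAMPLE_LISTING = [
    {"name": "constructed-yara-example", "type": "yara_rules", "id": "ind-1"},
    {"name": "another-constructed", "type": "stix_indicators", "id": "ind-2"},
]


class IndicatorError(ValueError):
    """Raised when an indicator entry does not have the required shape."""


def _checked(entries, required):
    """Return entries trimmed to the required keys, or raise IndicatorError."""
    if not isinstance(entries, list) or not entries:
        raise IndicatorError("indicators must be a non-empty JSON array")
    trimmed = []
    for pos, entry in enumerate(entries):
        if not isinstance(entry, dict):
            raise IndicatorError(f"entry {pos} is not a JSON object")
        missing = [key for key in required if not entry.get(key)]
        if missing:
            raise IndicatorError(f"entry {pos} is missing: {', '.join(missing)}")
        if entry["type"] not in THREAT_TYPES:
            raise IndicatorError(f"entry {pos} has unsupported threat type {entry['type']!r}")
        trimmed.append({key: entry[key] for key in required})
    return trimmed


def build_create_payload(indicators):
    """Entries for Create Indicator: name, threat type and content."""
    return _checked(indicators, CREATE_KEYS)


def build_delete_payload(indicators):
    """Entries for Delete Indicator: id and threat type."""
    return _checked(indicators, DELETE_KEYS)


def delete_payload_from_listing(listing, names):
    """Resolve indicator names to ids via a Get All Indicators listing, as the
    note under Delete Indicator suggests, and build the delete entries."""
    wanted = set(names)
    found = {entry["name"] for entry in listing if entry["name"] in wanted}
    missing = wanted - found
    if missing:
        raise IndicatorError(f"no indicator named: {', '.join(sorted(missing))}")
    return build_delete_payload([entry for entry in listing if entry["name"] in wanted])


def to_parameter_text(entries):
    """Serialise validated entries to the JSON text pasted into the parameter."""
    return json.dumps(entries, indent=2)


def rejects(func, *args):
    """True when func raises IndicatorError for args (used for checks)."""
    try:
        func(*args)
    except IndicatorError:
        return True
    return False


if __name__ == "__main__":
    print(to_parameter_text(build_create_payload(SAMPLE_CREATE)))
    print(to_parameter_text(delete_payload_from_listing(SAMPLE_LISTING, ["another-constructed"])))
```

Validating the array before the playbook step runs turns a malformed entry into a clear local error instead of an opaque failure from the server; trimming to the required keys also keeps unrelated fields from being sent.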

Output

The output contains the following populated JSON schema:
{
"id": "",
"type": ""
}

operation: Get Alerts List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of alerts) is returned.

Parameter Description
Appliance ID Specify the ID of the appliance or a comma-separated list of appliances from which you want to retrieve alerts from the Nozomi Networks Central Management Console.
Start Time Specify the starting DateTime using which you want to filter the alerts retrieved from Nozomi Networks Central Management Console. This parameter filters the result set to include only those items that have been created after the specified timestamp.
Risk Level Specify the risk level (0-10) to retrieve only those alerts from Nozomi Networks Central Management Console whose risk level is equal to or above the specified value.
Status Specify the status of the alert to retrieve only those alerts from Nozomi Networks Central Management Console whose status matches the specified value.
Alert type Specify the type of the alert to retrieve only those alerts from Nozomi Networks Central Management Console whose type matches the specified value.
Is Incident Select this option, i.e., set it to 'true', if you want to retrieve only those alerts from Nozomi Networks Central Management Console that are part of an incident. By default, this option is cleared, i.e., set to 'false'.
Search Query Query using which you want to search and retrieve alerts from Nozomi Networks Central Management Console. For example, | group_by type_id
Max Alerts Specify the maximum number of alerts that you want this operation to return in the response.
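
The parameter semantics above (a risk level equal to or above the value, exact status and type matches, Is Incident, Max Alerts) and the is_incident split described in the Data Ingestion Support section, as an added Python example that is not connector code. The sample alerts are constructed and follow the field names of the alert schema; created_time is assumed to be a comparable epoch-millisecond value, and grouping alerts into one incident by a shared incident_keys entry is an assumption of the example, not documented connector behaviour.

```python
"""Client-side equivalent of the Get Alerts List filters and of the
is_incident split that the Data Ingestion Support section describes.

Added example, not code from the FortiSOAR connector or from Nozomi Networks.
Field names follow the alert schema on this page; the sample alerts are
constructed, created_time is assumed to be epoch milliseconds, and grouping
alerts into one incident by a shared incident_keys value is an assumption.
"""
from collections import OrderedDict

# Constructed alerts shaped like entries of the Get Alerts List "result" array.
SAMPLE_ALERTS = [
    {"id": "alert-1", "type_id": "sample-type-a", "risk": 9, "status": "open",
     "created_time": 1_700_000_300_000, "is_incident": True, "incident_keys": ["inc-1"]},
    {"id": "alert-2", "type_id": "sample-type-b", "risk": 4, "status": "open",
     "created_time": 1_700_000_200_000, "is_incident": False, "incident_keys": []},
    {"id": "alert-3", "type_id": "sample-type-a", "risk": 7, "status": "closed",
     "created_time": 1_700_000_100_000, "is_incident": True, "incident_keys": ["inc-1"]},
    {"id": "alert-4", "type_id": "sample-type-c", "risk": 10, "status": "open",
     "created_time": 1_700_000_400_000, "is_incident": True, "incident_keys": ["inc-2"]},
]


def filter_alerts(alerts, start_time=None, risk_level=None, status=None,
                  alert_type=None, is_incident=False, max_alerts=None):
    """Apply the Get Alerts List parameter semantics to an in-memory list.

    start_time: keep only alerts created after this timestamp.
    risk_level: keep alerts whose risk is equal to or above this value (0-10).
    status / alert_type: exact match on the status and type_id fields.
    is_incident: when True, keep only alerts that belong to an incident.
    max_alerts: cap the number of alerts returned.
    """
    selected = []
    for alert in alerts:
        if start_time is not None and alert["created_time"] <= start_time:
            continue
        if risk_level is not None and alert["risk"] < risk_level:
            continue
        if status is not None and alert["status"] != status:
            continue
        if alert_type is not None and alert["type_id"] != alert_type:
            continue
        if is_incident and not alert["is_incident"]:
            continue
        selected.append(alert)
    if max_alerts is not None:
        selected = selected[:max_alerts]
    return selected


def partition_for_ingestion(alerts):
    """Split alerts into the records ingestion would create.

    An alert with is_incident true yields an incident record plus a
    correlated alert record; any other alert yields an alert record only.
    Alerts sharing an incident_keys value are grouped under one incident
    (assumption); an incident alert without keys is keyed by its own id.
    """
    incidents = OrderedDict()
    alert_records = []
    for alert in alerts:
        record = {"alert_id": alert["id"], "type_id": alert["type_id"],
                  "risk": alert["risk"], "status": alert["status"]}
        if alert["is_incident"]:
            keys = alert["incident_keys"] or [alert["id"]]
            for key in keys:
                incident = incidents.setdefault(
                    key, {"incident_key": key, "alert_ids": [], "max_risk": 0})
                incident["alert_ids"].append(alert["id"])
                incident["max_risk"] = max(incident["max_risk"], alert["risk"])
            record["incident_keys"] = list(keys)
        alert_records.append(record)
    return {"incidents": list(incidents.values()), "alerts": alert_records}


def alert_ids(alerts):
    """Ids of the given alerts, in order (convenience for checks)."""
    return [alert["id"] for alert in alerts]


if __name__ == "__main__":
    high = filter_alerts(SAMPLE_ALERTS, risk_level=7, status="open")
    print("open alerts with risk >= 7:", alert_ids(high))
    split = partition_for_ingestion(SAMPLE_ALERTS)
    for incident in split["incidents"]:
        print(incident["incident_key"], "->", incident["alert_ids"])
    print("alert records:", len(split["alerts"]))
```

Running the same predicates locally is a quick way to confirm what a given parameter combination will return before committing it to a scheduled ingestion, and to see which alerts would create incident records rather than standalone alert records.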

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"type_id": "",
"name": "",
"description": "",
"severity": "",
"mac_src": "",
"mac_dst": "",
"ip_src": "",
"ip_dst": "",
"risk": "",
"protocol": "",
"src_roles": "",
"dst_roles": "",
"time": "",
"ack": "",
"id_src": "",
"id_dst": "",
"synchronized": "",
"appliance_id": "",
"port_src": "",
"port_dst": "",
"label_src": "",
"label_dst": "",
"trigger_id": "",
"trigger_type": "",
"appliance_host": "",
"appliance_ip": "",
"transport_protocol": "",
"is_security": "",
"note": "",
"appliance_site": "",
"parents": [],
"is_incident": "",
"properties": {
"bad_actor": "",
"base_risk": "",
"is_dst_node_learned": "",
"is_dst_public": "",
"is_dst_reputation_bad": "",
"is_src_node_learned": "",
"is_src_public": "",
"is_src_reputation_bad": "",
"remediation_target": "",
"victims": [],
"mitre_attack/techniques": [
{
"technique": "",
"name": "",
"tactic": ""
}
]
},
"created_time": "",
"incident_keys": [],
"bpf_filter": "",
"closed_time": "",
"status": "",
"session_id": "",
"replicated": "",
"capture_device": "",
"threat_name": "",
"type_name": "",
"sec_profile_visible": "",
"zone_src": "",
"zone_dst": "",
"mitre_attack_techniques": "",
"mitre_attack_tactics": ""
}
],
"header": [],
"error": "",
"total": ""
}

operation: Fetch All Alerts

Input parameters

Parameter Description
Start Time Specify the starting DateTime using which you want to filter the alerts retrieved from Nozomi Networks Central Management Console. This parameter filters the result set to include only those items that have been created after the specified timestamp.
Appliance IDs (Optional) Specify the appliance ID or a comma-separated list of appliance IDs from which you want to retrieve alerts from the Nozomi Networks Central Management Console server.
Search Query (Optional) Specify the query using which you want to search and retrieve alerts from the Nozomi Networks Central Management Console server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"type_id": "",
"name": "",
"description": "",
"severity": "",
"mac_src": "",
"mac_dst": "",
"ip_src": "",
"ip_dst": "",
"risk": "",
"protocol": "",
"src_roles": "",
"dst_roles": "",
"time": "",
"ack": "",
"id_src": "",
"id_dst": "",
"synchronized": "",
"appliance_id": "",
"port_src": "",
"port_dst": "",
"label_src": "",
"label_dst": "",
"trigger_id": "",
"trigger_type": "",
"appliance_host": "",
"appliance_ip": "",
"transport_protocol": "",
"is_security": "",
"note": "",
"appliance_site": "",
"parents": [],
"is_incident": "",
"properties": {
"bad_actor": "",
"base_risk": "",
"is_dst_node_learned": "",
"is_dst_public": "",
"is_dst_reputation_bad": "",
"is_src_node_learned": "",
"is_src_public": "",
"is_src_reputation_bad": "",
"remediation_target": "",
"victims": [],
"mitre_attack/techniques": [
{
"technique": "",
"name": "",
"tactic": ""
}
]
},
"created_time": "",
"incident_keys": [],
"bpf_filter": "",
"closed_time": "",
"status": "",
"session_id": "",
"replicated": "",
"capture_device": "",
"threat_name": "",
"type_name": "",
"sec_profile_visible": "",
"zone_src": "",
"zone_dst": "",
"mitre_attack_techniques": "",
"mitre_attack_tactics": ""
}
],
"header": [],
"error": "",
"total": ""
}

operation: Get Assets List

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of assets) is returned.

Input parameters

Parameter Description
Appliance IDs Specify the ID or a comma-separated list of the appliance IDs from which you want to retrieve assets from the Nozomi Networks Central Management Console.
Level Select the levels (0-4) to retrieve only those assets from Nozomi Networks Central Management Console whose levels are equal to the specified value.
Asset type Specify the type of the asset or a comma-separated list of asset types to retrieve only those assets from Nozomi Networks Central Management Console whose type matches the specified values.
Search Query Query using which you want to search and retrieve assets from the Nozomi Networks Central Management Console server. For example, | head 2
Max Assets Specify the maximum number of assets that you want this operation to return in the response.

Output

The output contains the following populated JSON schema:
{
"result": [
{
"name": "",
"level": "",
"appliance_hosts": [],
"ip": [],
"mac_address": [],
"mac_vendor": [],
"os": "",
"roles": [],
"vendor": "",
"firmware_version": "",
"os_or_firmware": "",
"serial_number": "",
"product_name": "",
"type": "",
"protocols": [],
"nodes": [],
"custom_fields": {},
"deleted_at": "",
"time": "",
"synchronized": "",
"replicated": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"mac_address_level": {},
"id": "",
"vendor:info": {
"source": "",
"granularity": "",
"confidence": ""
},
"firmware_version:info": {
"source": ""
},
"product_name:info": {
"source": ""
},
"serial_number:info": {
"source": ""
},
"type:info": {
"source": ""
},
"capture_device": "",
"vlan_id": [],
"zones": [],
"_asset_kb_id": "",
"created_at": "",
"fields": {},
"last_activity_time": "",
"appliance_sites": [],
"end_of_sale_date": "",
"end_of_sale_date:info": {
"source": ""
},
"end_of_support_date": "",
"end_of_support_date:info": {
"source": ""
},
"lifecycle": "",
"lifecycle:info": {
"source": ""
},
"is_ai_enriched": "",
"os:info": {
"source": ""
}
}
],
"header": [],
"error": "",
"total": ""
}

operation: Import Asset

Input parameters

Parameter Description
Import Type Select the 'Type' of import using which you want to import assets into Nozomi Networks Central Management Console. You can choose from the following options: JSON or CSV.
  • If you choose 'JSON', then you must specify the following parameter:
    • Asset: Provide a list of items and their values in the JSON format that you want to import as an asset into the Nozomi Networks Central Management Console.
  • If you choose 'CSV', then you must specify the following parameters:
    • Type: Choose between Attachment ID or File IRI.
    • File Attachment/IRI Reference: File attachment ID or IRI reference that is used to access the attachment metadata from the FortiSOAR™ Attachments module. In the playbook, if you select 'File Attachment', this defaults to the {{vars.attachment_id}} value or if you select 'IRI Reference', then this defaults to the {{vars.file_iri}} value.

Output

The output contains the following populated JSON schema:
{
"result": "",
"error": ""
}

operation: Get Appliances List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of appliances) is returned.

Parameter Description
Appliance IDs Specify the ID of the appliance or a comma-separated list of appliances that you want to retrieve from the Nozomi Networks Central Management Console.
Search Query Query using which you want to search and retrieve appliances from the Nozomi Networks Central Management Console server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"ip": "",
"last_sync": "",
"id": "",
"info": {
"description": "",
"appliance_type": "",
"appliance_mode": "",
"model": "",
"uptime": {
"days": "",
"hours": "",
"minutes": "",
"seconds": ""
},
"network_interfaces": "",
"has_sp_code": "",
"has_sp_license": "",
"license_base": {
"licensee": "",
"bundle_name": "",
"license_id": "",
"license_machine_id": "",
"is_disabled": "",
"type": "",
"status": "",
"extra": {
"expire_date": "",
"actual_licensed_nodes": "",
"supported_nodes": ""
},
"can_be_set": ""
},
"license_threat_intelligence": {
"licensee": "",
"license_id": "",
"license_machine_id": "",
"is_disabled": "",
"type": "",
"status": "",
"extra": {
"expire_date": ""
},
"can_be_set": ""
},
"license_asset_intelligence": {
"licensee": "",
"license_id": "",
"license_machine_id": "",
"is_disabled": "",
"type": "",
"status": "",
"extra": {
"expire_date": ""
},
"can_be_set": ""
},
"license_smart_polling": {
"licensee": "",
"license_id": "",
"license_machine_id": "",
"is_disabled": "",
"type": "",
"status": "",
"extra": {
"expire_date": ""
},
"can_be_set": ""
},
"risk": "",
"alerts_count": "",
"alerts_count_last_5m": "",
"nodes_count": "",
"links_count": "",
"variables_count": "",
"assets_count": "",
"all_speed": "",
"throughput_series": [],
"cpu_perc": "",
"mem_free": "",
"mem_used": "",
"disk_usage_perc": "",
"host": "",
"site": "",
"fips_enabled": "",
"n2os_version": "",
"data": {
"total": "",
"used": "",
"free": "",
"free_perc": "",
"used_perc": "",
"status": ""
},
"ntp_offset": "",
"time": "",
"time_utc_offset": "",
"has_low_ram": "",
"has_reached_limits": "",
"is_under_high_load": "",
"has_migration_errors": "",
"machine_id": "",
"last_cmc": "",
"update_message": ""
},
"allowed": "",
"sync_throughput": "",
"is_updating": "",
"map_position": "",
"previous_alerts_count_last_5m": "",
"version_locked": "",
"site": "",
"host": "",
"time": "",
"synchronized": "",
"replicated": "",
"deleted_at": "",
"health": {
"stale": "",
"status": ""
},
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"force_update": "",
"model": "",
"last_seen_packet": "",
"bpf_filters_to_be_propagated": "",
"have_bpf_filters_changed": "",
"certificate_exchange_status": "",
"denylists_to_be_propagated": "",
"have_denylists_changed": "",
"rc_has_connection_errors": ""
}
],
"header": [],
"error": "",
"total": ""
}

operation: Get Assertions

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of assertions) is returned.

Parameter Description
Search Query Query using which you want to search and retrieve assertions from the Nozomi Networks Central Management Console server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": [
{
"query": "",
"result": "",
"name": "",
"failed_since": "",
"id": "",
"can_send_alert": "",
"has_sent_alert": "",
"bpf_filter": "",
"failures_count": "",
"time": "",
"alert_delay": "",
"can_request_trace": "",
"alert_risk": "",
"is_security": "",
"group_id": "",
"note": "",
"deleted_at": "",
"replicated": "",
"synchronized": "",
"propagate_to_appliances": "",
"propagated": ""
}
]
}

operation: Get Captured Logs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of captured logs) is returned.

Parameter Description
Appliance IDs Specify the ID of the appliance or a comma-separated list of appliances from which you want to retrieve captured logs from the Nozomi Networks Central Management Console.
Search Query Query using which you want to search and retrieve captured logs from the Nozomi Networks Central Management Console server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": [
{
"id": "",
"time": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"synchronized": "",
"id_src": "",
"id_dst": "",
"protocol": "",
"log": "",
"replicated": "",
"sync_time": ""
}
]
}

operation: Get Function Codes

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of function codes) is returned.

Parameter Description
Search Query Query using which you want to search and retrieve function codes from the Nozomi Networks Central Management Console server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"protocol": "",
"fc": "",
"count": "",
"description": ""
}
],
"header": [],
"total": ""
}

operation: Get Health Log

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of health logs) is returned.

Parameter Description
Appliance IDs Specify the ID of the appliance or a comma-separated list of appliances from which you want to retrieve health logs from the Nozomi Networks Central Management Console.
Search Query Query using which you want to search and retrieve health logs from the Nozomi Networks Central Management Console server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"time": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"synchronized": "",
"info": {
"description": ""
},
"replicated": ""
}
],
"header": [],
"error": "",
"total": ""
}

operation: Get Links

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of links) is returned.

Parameter Description
Search Query Query using which you want to search and retrieve links from the Nozomi Networks Central Management Console server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"from": "",
"to": "",
"is_from_public": "",
"is_to_public": "",
"protocol": "",
"first_activity_time": "",
"last_activity_time": "",
"last_handshake_time": "",
"transport_protocols": [],
"tcp_handshaked_connections.total": "",
"tcp_handshaked_connections.last_5m": "",
"tcp_handshaked_connections.last_15m": "",
"tcp_handshaked_connections.last_30m": "",
"tcp_connection_attempts.total": "",
"tcp_connection_attempts.last_5m": "",
"tcp_connection_attempts.last_15m": "",
"tcp_connection_attempts.last_30m": "",
"transferred.packets": "",
"transferred.bytes": "",
"transferred.last_5m_bytes": "",
"transferred.last_15m_bytes": "",
"transferred.last_30m_bytes": "",
"transferred.smallest_packet_bytes": "",
"transferred.biggest_packet_bytes": "",
"transferred.avg_packet_bytes": "",
"tcp_retransmission.percent": "",
"tcp_retransmission.packets": "",
"tcp_retransmission.bytes": "",
"tcp_retransmission.last_5m_bytes": "",
"tcp_retransmission.last_15m_bytes": "",
"tcp_retransmission.last_30m_bytes": "",
"throughput_speed": "",
"is_learned": "",
"is_fully_learned": "",
"is_broadcast": "",
"has_confirmed_data": "",
"_can": {
"link_events": "",
"captured_urls": "",
"trace_requests": ""
},
"alerts": "",
"last_trace_request_time": "",
"_ports": [
{
"tcp": ""
}
],
"active_checks": [],
"_checks": {},
"function_codes": [],
"bpf_filter": "",
"from_zone": "",
"to_zone": ""
}
],
"header": [],
"total": ""
}
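
The populated schema above carries per-link TCP counters (tcp_connection_attempts.* and tcp_handshaked_connections.*). The following added example, which is not part of the connector, post-processes a Get Links result to flag links where many connection attempts complete few handshakes, a pattern worth reviewing in an OT segment (scanning, a misconfigured client, or a device that stopped answering). The response body is constructed; its keys follow the schema above.

```python
# Added example (not connector code): scan a "Get Links" result for links
# with many TCP connection attempts but few completed handshakes.
# SAMPLE_LINKS_RESPONSE is constructed; keys follow the documented schema.

SAMPLE_LINKS_RESPONSE = {
    "result": [
        {"from": "10.0.0.5", "to": "10.0.1.20", "protocol": "modbus",
         "tcp_handshaked_connections.total": 120,
         "tcp_connection_attempts.total": 121,
         "is_learned": True, "from_zone": "SCADA", "to_zone": "PLC"},
        {"from": "10.0.9.9", "to": "10.0.1.20", "protocol": "tcp",
         "tcp_handshaked_connections.total": 2,
         "tcp_connection_attempts.total": 240,
         "is_learned": False, "from_zone": "IT", "to_zone": "PLC"},
        {"from": "10.0.0.7", "to": "10.0.1.21", "protocol": "s7comm",
         "tcp_handshaked_connections.total": 0,
         "tcp_connection_attempts.total": 3,
         "is_learned": True, "from_zone": "SCADA", "to_zone": "PLC"},
    ],
    "header": [],
    "total": 3,
}


def handshake_ratio(link):
    """Fraction of TCP connection attempts that completed a handshake.
    Counters may arrive as numbers, numeric strings or "" (unset)."""
    attempts = int(link.get("tcp_connection_attempts.total") or 0)
    done = int(link.get("tcp_handshaked_connections.total") or 0)
    return None if attempts == 0 else done / attempts


def suspicious_links(response, min_attempts=50, max_ratio=0.2):
    """Links with at least min_attempts attempts whose handshake success
    ratio is at or below max_ratio; unlearned links are listed first."""
    flagged = []
    for link in response.get("result", []):
        attempts = int(link.get("tcp_connection_attempts.total") or 0)
        ratio = handshake_ratio(link)
        if ratio is None or attempts < min_attempts or ratio > max_ratio:
            continue
        flagged.append({
            "from": link["from"], "to": link["to"],
            "path": f'{link.get("from_zone")}->{link.get("to_zone")}',
            # is_learned may be a boolean or the string "true"/"false"
            "learned": str(link.get("is_learned")).lower() == "true",
            "ratio": round(ratio, 3),
        })
    return sorted(flagged, key=lambda r: (r["learned"], r["ratio"]))
```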

operation: Get Node CPE Changes

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of Node CPE Changes) is returned.

Input parameters

Parameter: Description
Appliance IDs: Specify the ID of the appliance, or a comma-separated list of appliance IDs, from which you want to retrieve Node CPE Changes from the Nozomi Networks Central Management Console.
Search Query: Query used to search for and retrieve Node CPE Changes from the Nozomi Networks Central Management Console server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"node_id": "",
"cpe": "",
"cpe_part": "",
"cpe_vendor": "",
"cpe_product": "",
"cpe_version": "",
"cpe_update": "",
"new_cpe": "",
"new_cpe_vendor": "",
"new_cpe_product": "",
"new_cpe_version": "",
"new_cpe_update": "",
"node_cpe_id": "",
"time": "",
"synchronized": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"human_cpe_vendor": "",
"human_cpe_product": "",
"new_human_cpe_vendor": "",
"new_human_cpe_product": "",
"human_cpe_version": "",
"human_cpe_update": "",
"new_human_cpe_version": "",
"new_human_cpe_update": "",
"likelihood": "",
"new_likelihood": "",
"replicated": "",
"cpe_edition": "",
"new_cpe_edition": "",
"human_cpe_edition": "",
"new_human_cpe_edition": ""
}
],
"header": [],
"error": "",
"total": ""
}

operation: Get Node CPEs

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of Node CPEs) is returned.

Input parameters

Parameter: Description
Appliance IDs: Specify the ID of the appliance, or a comma-separated list of appliance IDs, from which you want to retrieve Node CPEs from the Nozomi Networks Central Management Console.
Search Query: Query used to search for and retrieve Node CPEs from the Nozomi Networks Central Management Console server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"node_id": "",
"cpe": "",
"cpe_part": "",
"cpe_vendor": "",
"cpe_product": "",
"cpe_version": "",
"cpe_update": "",
"time": "",
"synchronized": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"updated": "",
"cpe_translator": "",
"human_cpe_vendor": "",
"human_cpe_product": "",
"human_cpe_version": "",
"human_cpe_update": "",
"likelihood": "",
"replicated": "",
"cpe_edition": "",
"human_cpe_edition": "",
"unique_hw_id": "",
"deleted_at": "",
"asset_id": "",
"node_label": "",
"node_type": "",
"node_vendor": "",
"node_product_name": "",
"node_firmware_version": "",
"zone": "",
"node_os": ""
}
],
"header": [],
"error": "",
"total": ""
}

operation: Get Node CVEs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of Node CVEs) is returned.

Parameter: Description
Appliance IDs: Specify the ID of the appliance, or a comma-separated list of appliance IDs, from which you want to retrieve Node CVEs from the Nozomi Networks Central Management Console.
Search Query: Query used to search for and retrieve Node CVEs from the Nozomi Networks Central Management Console server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"node_id": "",
"cve": "",
"time": "",
"cwe_id": "",
"cwe_name": "",
"matching_cpes": [],
"likelihood": "",
"resolved": "",
"resolved_reason": "",
"resolved_source": "",
"installed_on": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"zone": "",
"asset_id": "",
"node_label": "",
"node_type": "",
"node_vendor": "",
"node_product_name": "",
"node_firmware_version": "",
"node_os": "",
"resolution_status": "",
"cve_summary": "",
"cve_references": [
{
"name": "",
"reference_type": "",
"source": "",
"url": ""
}
],
"cve_score": "",
"cve_creation_time": "",
"cve_update_time": "",
"cve_source": ""
}
],
"header": [],
"error": "",
"total": ""
}
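
The Get Node CVEs schema above reports each finding with its node, score, likelihood and resolution state, and a top-level "error" string. The following added example, which is not the connector's own code, triages such a result into open findings per node. The response is constructed; the CVE identifiers are placeholders, and the keys follow the schema above.

```python
from collections import defaultdict

# Added example (not connector code): SAMPLE_CVE_RESPONSE is constructed and
# the CVE ids are placeholders; keys follow the documented schema.
SAMPLE_CVE_RESPONSE = {
    "result": [
        {"node_id": "n1", "node_label": "PLC-01", "cve": "CVE-EXAMPLE-0001",
         "cve_score": "9.8", "likelihood": "high", "resolved": False},
        {"node_id": "n1", "node_label": "PLC-01", "cve": "CVE-EXAMPLE-0002",
         "cve_score": "5.3", "likelihood": "medium", "resolved": "true",
         "resolved_reason": "patched"},
        {"node_id": "n2", "node_label": "HMI-02", "cve": "CVE-EXAMPLE-0003",
         "cve_score": "7.5", "likelihood": "low", "resolved": False},
        {"node_id": "n2", "node_label": "HMI-02", "cve": "CVE-EXAMPLE-0004",
         "cve_score": "", "likelihood": "high", "resolved": ""},
    ],
    "error": "",
    "total": 4,
}


def parse_score(value):
    """cve_score is a string in the schema; blank or missing means unscored."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def is_resolved(row):
    """resolved may be a boolean, "true"/"false", or "" (treated as open)."""
    return str(row.get("resolved")).strip().lower() == "true"


def open_cves_by_node(response, min_score=7.0):
    """Group unresolved CVEs by node_label: keep those scored at or above
    min_score plus unscored ones (still need a look); scored entries first,
    highest score first. Raises if the CMC reported an error."""
    if response.get("error"):
        raise RuntimeError(f"CMC error: {response['error']}")
    grouped = defaultdict(list)
    for row in response.get("result", []):
        score = parse_score(row.get("cve_score"))
        if is_resolved(row) or (score is not None and score < min_score):
            continue
        grouped[row["node_label"]].append(
            {"cve": row["cve"], "score": score, "likelihood": row.get("likelihood")})
    for findings in grouped.values():
        findings.sort(key=lambda f: (f["score"] is None, -(f["score"] or 0.0)))
    return dict(grouped)
```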

operation: Get Nodes

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of nodes) is returned.

Parameter: Description
Search Query: Query used to search for and retrieve nodes from the Nozomi Networks Central Management Console server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"appliance_host": "",
"label": "",
"id": "",
"_asset_kb_id": "",
"ip": "",
"mac_address": "",
"mac_address:info": {
"source": "",
"likelihood": "",
"likelihood_level": ""
},
"mac_vendor": "",
"_private_status": "",
"subnet": "",
"vlan_id": "",
"vlan_id:info": {
"source": ""
},
"zone": "",
"level": "",
"type": "",
"type:info": {
"source": ""
},
"os": "",
"os:info": {
"source": ""
},
"vendor": "",
"vendor:info": {
"source": ""
},
"product_name": "",
"product_name:info": {
"source": ""
},
"firmware_version": "",
"firmware_version:info": {
"source": ""
},
"serial_number": "",
"serial_number:info": {
"source": ""
},
"is_broadcast": "",
"is_public": "",
"fields": {},
"reputation": "",
"is_compromised": "",
"is_confirmed": "",
"is_learned": "",
"is_fully_learned": "",
"is_disabled": "",
"_is_licensed": "",
"roles": [],
"links": [
{
"id": "",
"protos": [
{
"name": "",
"last_activity": ""
}
]
}
],
"links_count": "",
"protocols": [],
"created_at": "",
"first_activity_time": "",
"last_activity_time": "",
"received.packets": "",
"received.bytes": "",
"received.last_5m_bytes": "",
"received.last_15m_bytes": "",
"received.last_30m_bytes": "",
"sent.packets": "",
"sent.bytes": "",
"sent.last_5m_bytes": "",
"sent.last_15m_bytes": "",
"sent.last_30m_bytes": "",
"tcp_retransmission.percent": "",
"tcp_retransmission.packets": "",
"tcp_retransmission.bytes": "",
"tcp_retransmission.last_5m_bytes": "",
"tcp_retransmission.last_15m_bytes": "",
"tcp_retransmission.last_30m_bytes": "",
"variables_count": "",
"device_id": "",
"properties": {},
"custom_fields": {},
"bpf_filter": "",
"device_modules": {},
"capture_device": ""
}
],
"header": [],
"total": ""
}

operation: Get Alert Acknowledgement Status

Input parameters

Parameter: Description
Job ID: Specify the ID of the alert acknowledgment job whose acknowledgment status you want to retrieve from Nozomi Networks Central Management Console.
Note: You can retrieve the Job ID using the 'Set Acknowledgment Status' operation.

Output

The output contains the following populated JSON schema:
{
"result": {
"status": ""
}
}

operation: Set Acknowledgment Status

Input parameters

Parameter: Description
Alert IDs: Comma-separated list of alert IDs whose acknowledgment status you want to set in Nozomi Networks Central Management Console.
Acknowledgment Status: Select this checkbox to set the acknowledgment status of the specified alerts to 'Acknowledge', or clear this checkbox to set the acknowledgment status of the specified alerts to 'UnAcknowledge', in Nozomi Networks Central Management Console.

Output

The output contains the following populated JSON schema:
{
"result": {
"id": ""
},
"error": ""
}

operation: Run CLI

Input parameters

Parameter: Description
Command: Specify the CLI command that you want to run on Nozomi Networks Central Management Console.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - Nozomi Networks Central Management Console - 1.0.0 playbook collection comes bundled with the Nozomi Networks Central Management Console connector. These playbooks contain steps for performing all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Nozomi Networks Central Management Console connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Nozomi Networks Central Management Console. Currently, "incidents" in Nozomi Networks Central Management Console are mapped to "incidents" in FortiSOAR™. An incident in Nozomi contains alerts: each alert in Nozomi carries an is_incident parameter that states whether that alert is part of an incident. If the alert is part of an incident, is_incident is set to "true" (otherwise "false"). Therefore, when an alert pulled from Nozomi has is_incident set to "true", both an "Incident" record and a correlated "Alert" record are created in FortiSOAR™. If is_incident is set to "false", only an Alert record is created in FortiSOAR™.
Important: It is recommended that data ingestion from Nozomi Networks Central Management Console be done with the default selected "Incidents" module. Selecting a module other than "Incidents" might cause the data ingestion to fail.
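
The is_incident rule above, together with the "Pull Threats from Last X Minutes" window and the risk-to-severity mapping described in the Configure Data Ingestion steps, as an added example that is not the connector's own ingestion playbook. The alert batch is constructed; "id", "name" and "time" (an ISO-8601 UTC timestamp) are assumed field names, while "risk" and "is_incident" are the fields the page describes.

```python
from datetime import datetime, timedelta, timezone

# Added example (not the connector's ingestion playbook). SAMPLE_ALERTS is
# constructed; "id", "name" and "time" are assumed field names, "risk" and
# "is_incident" are the fields documented for Nozomi alerts.
SAMPLE_ALERTS = [
    {"id": "a1", "name": "New node detected", "risk": 4,
     "is_incident": False, "time": "2024-01-10T08:00:00Z"},
    {"id": "a2", "name": "Malicious protocol detected", "risk": 9,
     "is_incident": "true", "time": "2024-01-10T08:05:00Z"},
    {"id": "a3", "name": "Link RST sent", "risk": 6,
     "is_incident": True, "time": "2024-01-10T06:00:00Z"},  # outside window
    {"id": "a2", "name": "Malicious protocol detected", "risk": 9,
     "is_incident": "true", "time": "2024-01-10T08:05:00Z"},  # duplicate
]


def is_incident_flag(alert):
    """Accept is_incident as a boolean or as the string "true"/"false"."""
    value = alert.get("is_incident")
    return value is True or str(value).strip().lower() == "true"


def build_records(alerts, pull_last_minutes, now):
    """Split a pulled batch into (incidents, alert_records). Alerts older than
    the pull window are dropped; every remaining alert becomes an Alert record,
    and those with is_incident true also produce an Incident record correlated
    to that alert. Duplicate alert ids within a batch are ingested once."""
    cutoff = now - timedelta(minutes=pull_last_minutes)
    incidents, alert_records, seen = [], [], set()
    for alert in alerts:
        seen_at = datetime.fromisoformat(alert["time"].replace("Z", "+00:00"))
        if seen_at <= cutoff or alert["id"] in seen:
            continue
        seen.add(alert["id"])
        # "risk" maps to the FortiSOAR severity field, as in the wizard example.
        record = {"sourceId": alert["id"], "name": alert["name"],
                  "severity": alert["risk"]}
        alert_records.append(record)
        if is_incident_flag(alert):
            incidents.append({**record, "correlatedAlerts": [alert["id"]]})
    return incidents, alert_records


def ingest_sample():
    """Run the split over the constructed batch with a fixed clock."""
    now = datetime(2024, 1, 10, 8, 30, tzinfo=timezone.utc)
    return build_records(SAMPLE_ALERTS, pull_last_minutes=60, now=now)
```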

For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Nozomi Networks Central Management Console "incidents" to FortiSOAR™ "incidents".

The Data Ingestion Wizard enables you to configure the scheduled pulling of data from Nozomi Networks Central Management Console into FortiSOAR™. It also lets you pull some sample data from Nozomi Networks Central Management Console, which you can use to define the mapping of data between Nozomi Networks Central Management Console and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users mostly need to map only the custom fields that have been added to the Nozomi Networks Central Management Console incident.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Nozomi Networks Central Management Console connector’s "Configurations" page.

    Sample data is required to create a field mapping between Nozomi Networks Central Management Console data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch Nozomi Networks Central Management Console incidents. In the Pull Threats from Last X Minutes field, type the time in minutes from when you want to pull incidents from Nozomi Networks Central Management Console. This parameter filters the result set to include only those incidents that were created after the specified timestamp. Optionally, in the Appliance IDs field, you can specify the appliance ID or a comma-separated list of appliance IDs from which you want to retrieve alerts.

    Once you have completed specifying the configurations, click Fetch Data.
  3. On the Field Mapping screen, map the fields of a Nozomi Networks Central Management Console incident to the fields of an incident present in FortiSOAR™. The Field Mapping screen displays the Sample Data on the right side and the Field Mapping (FortiSOAR™ fields) on the left side. The sample data is in the form of a Key-Value pair.
    From the Module drop-down list that appears next to Field Mapping, select the FortiSOAR™ module for which you want to map the fields. The default module, Incident, is already selected.
    Note: It is recommended that you do not change the default selected module. Selecting a module other than the default might cause the data ingestion to fail, and you will need to remap all the fields.
    Also, some fields such as Name and some picklists can come pre-mapped with their jinja value. You do not need to re-map these fields unless you want to override their default values.
    To map a field, click the key in the sample data to add the "jinja" value of the field. For example, to map the risk parameter of a Nozomi Networks Central Management Console incident to the Vulnerability Severity parameter of a FortiSOAR™ incident, click the Vulnerability Severity field and then click the risk field to populate its keys.

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
  4. Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Nozomi Networks Central Management Console, so that the content gets pulled from the Nozomi Networks Central Management Console into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the "Configure Schedule Settings" section, specify the Cron expression for the schedule. For example, if you want to pull data from Nozomi Networks Central Management Console every morning at 5 am, click Daily, enter 5 in the hour box, and enter 0 in the minute box.

    Once you have completed scheduling, click Save Settings & Continue.
  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks.
    Click Done to complete the data ingestion and exit the Data Ingestion Wizard.