Nozomi Networks Guardian

Nozomi Networks Guardian v1.0.0

About the connector

The Nozomi Networks Guardian platform is used to monitor OT/IoT/IT networks. It combines asset discovery, network visualization, vulnerability assessment, risk monitoring, and threat detection in a single solution.

This document provides information about the Nozomi Networks Guardian connector, which facilitates automated interactions with your Nozomi Networks Guardian server using FortiSOAR™ playbooks. Add the Nozomi Networks Guardian connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving assets and alerts from Nozomi Networks Guardian, importing assets into Nozomi Networks Guardian, running a CLI command on Nozomi Networks Guardian, etc.

Version information

Connector Version: 1.0.0

Authored By: Community

Certified: No

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-nozomi-networks-guardian

Prerequisites to configuring the connector

  • You must have the URL of the Nozomi Networks Guardian server to which you will connect and perform automated operations, and credentials (a username-password pair) to access that server.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Nozomi Networks Guardian server.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Nozomi Networks Guardian connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:

  • Server URL: URL of the Nozomi Networks Guardian server to which you will connect and perform automated operations.
  • Username: Username to access the Nozomi Networks Guardian server to which you will connect and perform automated operations.
  • Password: Password to access the Nozomi Networks Guardian server to which you will connect and perform automated operations.
  • Verify SSL: Specifies whether the SSL certificate of the server is to be verified or not. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:

Each entry lists the function, its annotation and its category (all operations belong to the Investigation category):

  • List All Alerts (get_alerts, Investigation): Retrieves all alerts, or alerts based on the search query you have specified, from Nozomi Networks Guardian.
  • Get Alert Details (get_alert_details, Investigation): Retrieves information about a specific alert from Nozomi Networks Guardian based on the alert ID that you have specified.
  • List All Assets (get_assets, Investigation): Retrieves all assets, or assets based on the search query you have specified, from Nozomi Networks Guardian.
  • Import Asset (import_asset, Investigation): Imports assets into Nozomi Networks Guardian, allowing you to enrich the information associated with nodes. The information that you provide affects the nodes that match the specified IP field value. If there are no matches, then new nodes are created.
  • Get Appliances (get_appliances, Investigation): Retrieves all appliances, or appliances based on the search query you have specified, from Nozomi Networks Guardian.
  • Get Assertions (get_assertions, Investigation): Retrieves all assertions, or assertions based on the search query you have specified, from Nozomi Networks Guardian.
  • Get Captured Logs (get_captured_logs, Investigation): Retrieves all captured logs, or captured logs based on the search query you have specified, from Nozomi Networks Guardian.
  • Get Captured URLs (get_captured_urls, Investigation): Retrieves all captured URLs, or captured URLs based on the search query you have specified, from Nozomi Networks Guardian.
  • Get Function Codes (get_function_codes, Investigation): Retrieves all function codes, or function codes based on the search query you have specified, from Nozomi Networks Guardian.
  • Get Health Log (get_health_log, Investigation): Retrieves all health logs, or health logs based on the search query you have specified, from Nozomi Networks Guardian.
  • Get Link Events (get_link_events, Investigation): Retrieves all link events, or link events based on the search query you have specified, from Nozomi Networks Guardian.
  • Get Links (get_links, Investigation): Retrieves all links, or links based on the search query you have specified, from Nozomi Networks Guardian.
  • Get Node CPE Changes (get_node_cpe_changes, Investigation): Retrieves all node CPE changes, or node CPE changes based on the search query you have specified, from Nozomi Networks Guardian.
  • Get Node CPEs (get_node_cpes, Investigation): Retrieves all node CPEs, or node CPEs based on the search query you have specified, from Nozomi Networks Guardian.
  • Get Node CVEs (get_node_cves, Investigation): Retrieves all node CVEs, or node CVEs based on the search query you have specified, from Nozomi Networks Guardian.
  • Get Nodes (get_nodes, Investigation): Retrieves all nodes, or nodes based on the search query you have specified, from Nozomi Networks Guardian.
  • Get Sessions (get_sessions, Investigation): Retrieves all sessions, or sessions based on the search query you have specified, from Nozomi Networks Guardian.
  • Get Sessions History (get_sessions_history, Investigation): Retrieves all archived sessions, or archived sessions based on the search query you have specified, from Nozomi Networks Guardian.
  • Get Variable History (get_variable_history, Investigation): Retrieves all variable history, or variable history based on the search query you have specified, from Nozomi Networks Guardian.
  • Get Variables (get_variables, Investigation): Retrieves all variables, or variables based on the search query you have specified, from Nozomi Networks Guardian.
  • Get Alert Acknowledgement Status (get_alert_ack_status, Investigation): Retrieves all alert acknowledgment statuses, based on the alert acknowledgment job ID you have specified, from Nozomi Networks Guardian.
  • Set Acknowledgment Status (set_alert_ack, Investigation): Sets the status of the alerts whose IDs you have specified to Acknowledge or Unacknowledge in Nozomi Networks Guardian.
  • Run CLI (run_cli, Investigation): Runs the specified CLI command on Nozomi Networks Guardian.

operation: List All Alerts

Input parameters

  • Search Query (Optional): Query with which you want to search for and retrieve alerts from the Nozomi Networks Guardian server. For example: | count

Output

The output contains the following populated JSON schema:
{
  "result": [
    {
      "id": "",
      "type_id": "",
      "name": "",
      "description": "",
      "severity": "",
      "mac_src": "",
      "mac_dst": "",
      "ip_src": "",
      "ip_dst": "",
      "risk": "",
      "protocol": "",
      "src_roles": "",
      "dst_roles": "",
      "time": "",
      "ack": "",
      "id_src": "",
      "id_dst": "",
      "synchronized": "",
      "appliance_id": "",
      "port_src": "",
      "port_dst": "",
      "label_src": "",
      "label_dst": "",
      "trigger_id": "",
      "trigger_type": "",
      "appliance_host": "",
      "appliance_ip": "",
      "transport_protocol": "",
      "is_security": "",
      "note": "",
      "appliance_site": "",
      "parents": [],
      "is_incident": "",
      "properties": {
        "bad_actor": "",
        "base_risk": "",
        "is_dst_node_learned": "",
        "is_dst_public": "",
        "is_dst_reputation_bad": "",
        "is_src_node_learned": "",
        "is_src_public": "",
        "is_src_reputation_bad": "",
        "remediation_target": "",
        "victims": [],
        "mitre_attack/techniques": [
          {
            "technique": "",
            "name": "",
            "tactic": ""
          }
        ]
      },
      "created_time": "",
      "incident_keys": [],
      "bpf_filter": "",
      "closed_time": "",
      "status": "",
      "session_id": "",
      "replicated": "",
      "capture_device": "",
      "threat_name": "",
      "type_name": "",
      "sec_profile_visible": "",
      "zone_src": "",
      "zone_dst": "",
      "mitre_attack_techniques": "",
      "mitre_attack_tactics": ""
    }
  ],
  "header": [],
  "error": "",
  "total": ""
}
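A triage pass over the List All Alerts result, as an added example (not the connector's or Nozomi Networks' code). It assumes the result list carries the keys shown in the schema above (id, name, risk, is_security, ack, ip_src, ip_dst, properties.mitre_attack/techniques), that values may arrive either as strings or as JSON booleans and numbers, and that the comma-separated ID string it produces is what the Set Acknowledgment Status action expects; the sample alerts are constructed.

```python
"""Triage helper over the List All Alerts result shape (added example)."""
from typing import Any, Dict, List

# Constructed sample alerts shaped like the schema; not captured from a real appliance.
SAMPLE_ALERTS: List[Dict[str, Any]] = [
    {"id": "a1", "name": "New node", "risk": "2", "is_security": "false",
     "ack": False, "ip_src": "10.0.0.5", "ip_dst": "10.0.0.9",
     "properties": {"mitre_attack/techniques": []}},
    {"id": "a2", "name": "Malware detection", "risk": "9.0", "is_security": True,
     "ack": "false", "ip_src": "10.0.0.7", "ip_dst": "10.0.0.1",
     "properties": {"mitre_attack/techniques": [
         {"technique": "T1203", "name": "Exploitation for Client Execution",
          "tactic": "Execution"}]}},
    {"id": "a3", "name": "Link RST sent", "risk": 5, "is_security": True,
     "ack": False, "ip_src": "10.0.0.8", "ip_dst": "10.0.0.2", "properties": {}},
    {"id": "a4", "name": "New link", "risk": "3", "is_security": False,
     "ack": True, "ip_src": "10.0.0.8", "ip_dst": "10.0.0.3", "properties": {}},
]


def as_float(value: Any, default: float = 0.0) -> float:
    """Parse a numeric field that the schema shows as a string."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return default


def as_bool(value: Any) -> bool:
    """Accept JSON booleans as well as 'true'/'false'/'1'/'0' strings."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1", "yes")


def technique_ids(alert: Dict[str, Any]) -> List[str]:
    """Collect MITRE ATT&CK technique IDs from properties.mitre_attack/techniques."""
    props = alert.get("properties") or {}
    return [t["technique"] for t in (props.get("mitre_attack/techniques") or [])
            if t.get("technique")]


def triage_alerts(result: List[Dict[str, Any]],
                  risk_threshold: float = 7.0) -> Dict[str, Any]:
    """Split unacknowledged alerts into escalate / auto-acknowledge / review buckets.

    Policy (an assumption of this example): security alerts at or above
    risk_threshold are escalated with the context an analyst needs; non-security
    alerts below the threshold are returned as one comma-separated ID string for
    the Set Acknowledgment Status action; everything else unacknowledged goes to
    manual review. Alerts that are already acknowledged are skipped.
    """
    escalate, auto_ack, review = [], [], []
    for alert in result:
        if as_bool(alert.get("ack")):
            continue  # already handled by an analyst
        risk = as_float(alert.get("risk"))
        security = as_bool(alert.get("is_security"))
        if security and risk >= risk_threshold:
            escalate.append({"id": alert.get("id"), "name": alert.get("name"),
                             "risk": risk, "src": alert.get("ip_src"),
                             "dst": alert.get("ip_dst"),
                             "techniques": technique_ids(alert)})
        elif not security and risk < risk_threshold:
            auto_ack.append(str(alert.get("id")))
        else:
            review.append(str(alert.get("id")))
    escalate.sort(key=lambda a: a["risk"], reverse=True)
    return {"escalate": escalate, "auto_ack_ids": ",".join(auto_ack), "review": review}


if __name__ == "__main__":
    import json
    print(json.dumps(triage_alerts(SAMPLE_ALERTS), indent=2))
```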

operation: Get Alert Details

Input parameters

  • Alert ID: ID of the alert whose information you want to retrieve from Nozomi Networks Guardian.

Output

The output contains a non-dictionary value.

operation: List All Assets

Input parameters

  • Search Query (Optional): Query with which you want to search for and retrieve assets from the Nozomi Networks Guardian server. For example: | count

Output

The output contains the following populated JSON schema:
{
  "result": [
    {
      "name": "",
      "level": "",
      "id": "",
      "appliance_hosts": [],
      "capture_device": "",
      "ip": [],
      "mac_address": [],
      "mac_address_level": {},
      "vlan_id": [],
      "mac_vendor": [],
      "os": "",
      "roles": [],
      "vendor": "",
      "_asset_kb_id": "",
      "vendor:info": {
        "source": ""
      },
      "firmware_version": "",
      "firmware_version:info": {
        "source": ""
      },
      "os_or_firmware": "",
      "serial_number": "",
      "serial_number:info": {
        "source": ""
      },
      "product_name": "",
      "product_name:info": {
        "source": ""
      },
      "type": "",
      "type:info": {
        "source": ""
      },
      "protocols": [],
      "nodes": [],
      "zones": [],
      "custom_fields": {},
      "fields": {},
      "created_at": "",
      "last_activity_time": "",
      "device_id": ""
    }
  ],
  "header": [],
  "error": "",
  "total": ""
}

operation: Import Asset

Input parameters

  • Import Type: Type of import with which you want to import assets into Nozomi Networks Guardian. You can choose from the following options: JSON or CSV.
    If you choose 'JSON', then you must specify the following parameter:
    • Asset: Provide a list of items and their values, in JSON format, that you want to import as an asset into Nozomi Networks Guardian.
    If you choose 'CSV', then you must specify the following parameters:
    • Type: Choose between an Attachment ID or a File IRI.
    • Reference ID: Reference ID that is used to access the attachment metadata from the FortiSOAR™ Attachments module.
      In the playbook, if you select 'Attachment ID', this defaults to the {{vars.attachment_id}} value; if you select 'File IRI', it defaults to the {{vars.file_iri}} value.

Output

The output contains the following populated JSON schema:
{
  "result": "",
  "error": ""
}

operation: Get Appliances

Input parameters

  • Search Query (Optional): Query with which you want to search for and retrieve appliances from the Nozomi Networks Guardian server. For example: | head 2

Output

The output contains a non-dictionary value.

operation: Get Assertions

Input parameters

  • Search Query (Optional): Query with which you want to search for and retrieve assertions from the Nozomi Networks Guardian server. For example: | head 2

Output

The output contains a non-dictionary value.

operation: Get Captured Logs

Input parameters

  • Search Query (Optional): Query with which you want to search for and retrieve captured logs from the Nozomi Networks Guardian server. For example: | head 2

Output

The output contains a non-dictionary value.

operation: Get Captured URLs

Input parameters

  • Search Query (Optional): Query with which you want to search for and retrieve captured URLs from the Nozomi Networks Guardian server. For example: | head 2

Output

The output contains a non-dictionary value.

operation: Get Function Codes

Input parameters

  • Search Query (Optional): Query with which you want to search for and retrieve function codes from the Nozomi Networks Guardian server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
  "result": [
    {
      "id": "",
      "protocol": "",
      "fc": "",
      "count": "",
      "description": ""
    }
  ],
  "header": [],
  "total": ""
}

operation: Get Health Log

Input parameters

  • Search Query (Optional): Query with which you want to search for and retrieve health logs from the Nozomi Networks Guardian server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
  "result": [
    {
      "id": "",
      "time": "",
      "appliance_id": "",
      "appliance_ip": "",
      "appliance_host": "",
      "synchronized": "",
      "info": {
        "description": ""
      },
      "replicated": ""
    }
  ],
  "header": [],
  "error": "",
  "total": ""
}

operation: Get Link Events

Input parameters

  • Search Query (Optional): Query with which you want to search for and retrieve link events from the Nozomi Networks Guardian server. For example: | head 2

Output

The output contains a non-dictionary value.

operation: Get Links

Input parameters

  • Search Query (Optional): Query with which you want to search for and retrieve links from the Nozomi Networks Guardian server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
  "result": [
    {
      "from": "",
      "to": "",
      "is_from_public": "",
      "is_to_public": "",
      "protocol": "",
      "first_activity_time": "",
      "last_activity_time": "",
      "last_handshake_time": "",
      "transport_protocols": [],
      "tcp_handshaked_connections.total": "",
      "tcp_handshaked_connections.last_5m": "",
      "tcp_handshaked_connections.last_15m": "",
      "tcp_handshaked_connections.last_30m": "",
      "tcp_connection_attempts.total": "",
      "tcp_connection_attempts.last_5m": "",
      "tcp_connection_attempts.last_15m": "",
      "tcp_connection_attempts.last_30m": "",
      "transferred.packets": "",
      "transferred.bytes": "",
      "transferred.last_5m_bytes": "",
      "transferred.last_15m_bytes": "",
      "transferred.last_30m_bytes": "",
      "transferred.smallest_packet_bytes": "",
      "transferred.biggest_packet_bytes": "",
      "transferred.avg_packet_bytes": "",
      "tcp_retransmission.percent": "",
      "tcp_retransmission.packets": "",
      "tcp_retransmission.bytes": "",
      "tcp_retransmission.last_5m_bytes": "",
      "tcp_retransmission.last_15m_bytes": "",
      "tcp_retransmission.last_30m_bytes": "",
      "throughput_speed": "",
      "is_learned": "",
      "is_fully_learned": "",
      "is_broadcast": "",
      "has_confirmed_data": "",
      "_can": {
        "link_events": "",
        "captured_urls": "",
        "trace_requests": ""
      },
      "alerts": "",
      "last_trace_request_time": "",
      "_ports": [
        {
          "tcp": ""
        }
      ],
      "active_checks": [],
      "_checks": {},
      "function_codes": [],
      "bpf_filter": "",
      "from_zone": "",
      "to_zone": ""
    }
  ],
  "header": [],
  "total": ""
}
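A check over the Get Links result that flags links whose TCP connection attempts mostly fail to complete a handshake, as an added example (not the connector's or Nozomi Networks' code). It reads the flattened keys shown in the schema above ('tcp_connection_attempts.total', 'tcp_handshaked_connections.total', 'tcp_connection_attempts.last_5m', 'is_learned', 'from', 'to', 'protocol'); the thresholds and the sample links are constructed for illustration.

```python
"""Flag links with a low TCP handshake success ratio (added example)."""
from typing import Any, Dict, List

# Constructed sample links shaped like the schema; not captured from a real appliance.
SAMPLE_LINKS: List[Dict[str, Any]] = [
    {"from": "10.0.0.50", "to": "10.0.0.20", "protocol": "modbus", "is_learned": True,
     "tcp_connection_attempts.total": "40", "tcp_handshaked_connections.total": "40",
     "tcp_connection_attempts.last_5m": "2"},
    {"from": "10.0.0.99", "to": "10.0.0.20", "protocol": "unknown", "is_learned": "false",
     "tcp_connection_attempts.total": "120", "tcp_handshaked_connections.total": "3",
     "tcp_connection_attempts.last_5m": "60"},
    {"from": "10.0.0.8", "to": "10.0.0.21", "protocol": "unknown", "is_learned": False,
     "tcp_connection_attempts.total": "5", "tcp_handshaked_connections.total": "0",
     "tcp_connection_attempts.last_5m": "0"},
]


def as_float(value: Any, default: float = 0.0) -> float:
    """Parse a counter the schema shows as a string."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return default


def as_bool(value: Any) -> bool:
    """Accept JSON booleans as well as 'true'/'false' strings."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1", "yes")


def find_failing_links(result: List[Dict[str, Any]], min_attempts: int = 20,
                       max_success_ratio: float = 0.2) -> List[Dict[str, Any]]:
    """Return links with at least min_attempts TCP attempts and a low handshake ratio.

    A learned link that suddenly stops completing handshakes is a health signal
    (a dead or filtered peer); an unlearned one is worth an analyst's look because
    it was never part of the baseline. Links below min_attempts are ignored so a
    handful of failed connections does not raise noise. Thresholds are assumptions.
    """
    findings = []
    for link in result:
        attempts = as_float(link.get("tcp_connection_attempts.total"))
        handshakes = as_float(link.get("tcp_handshaked_connections.total"))
        if attempts < min_attempts:
            continue
        ratio = handshakes / attempts
        if ratio > max_success_ratio:
            continue
        reasons = ["%d of %d TCP connection attempts completed a handshake"
                   % (int(handshakes), int(attempts))]
        if not as_bool(link.get("is_learned")):
            reasons.append("link not in the learned baseline")
        findings.append({
            "from": link.get("from"), "to": link.get("to"),
            "protocol": link.get("protocol"),
            "attempts": attempts, "handshakes": handshakes,
            "success_ratio": ratio,
            "recent_attempts": as_float(link.get("tcp_connection_attempts.last_5m")),
            "reasons": reasons,
        })
    findings.sort(key=lambda f: f["attempts"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in find_failing_links(SAMPLE_LINKS):
        print(finding["from"], "->", finding["to"], "; ".join(finding["reasons"]))
```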

operation: Get Node CPE Changes

Input parameters

  • Search Query (Optional): Query with which you want to search for and retrieve node CPE changes from the Nozomi Networks Guardian server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
  "result": [
    {
      "id": "",
      "node_id": "",
      "cpe": "",
      "cpe_part": "",
      "cpe_vendor": "",
      "cpe_product": "",
      "cpe_version": "",
      "cpe_update": "",
      "new_cpe": "",
      "new_cpe_vendor": "",
      "new_cpe_product": "",
      "new_cpe_version": "",
      "new_cpe_update": "",
      "node_cpe_id": "",
      "time": "",
      "synchronized": "",
      "appliance_id": "",
      "appliance_ip": "",
      "appliance_host": "",
      "human_cpe_vendor": "",
      "human_cpe_product": "",
      "new_human_cpe_vendor": "",
      "new_human_cpe_product": "",
      "human_cpe_version": "",
      "human_cpe_update": "",
      "new_human_cpe_version": "",
      "new_human_cpe_update": "",
      "likelihood": "",
      "new_likelihood": "",
      "replicated": "",
      "cpe_edition": "",
      "new_cpe_edition": "",
      "human_cpe_edition": "",
      "new_human_cpe_edition": ""
    }
  ],
  "header": [],
  "error": "",
  "total": ""
}

operation: Get Node CPEs

Input parameters

  • Search Query (Optional): Query with which you want to search for and retrieve node CPEs from the Nozomi Networks Guardian server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
  "result": [
    {
      "id": "",
      "node_id": "",
      "cpe": "",
      "cpe_part": "",
      "cpe_vendor": "",
      "cpe_product": "",
      "cpe_version": "",
      "cpe_update": "",
      "time": "",
      "synchronized": "",
      "appliance_id": "",
      "appliance_ip": "",
      "appliance_host": "",
      "updated": "",
      "cpe_translator": "",
      "human_cpe_vendor": "",
      "human_cpe_product": "",
      "human_cpe_version": "",
      "human_cpe_update": "",
      "likelihood": "",
      "replicated": "",
      "cpe_edition": "",
      "human_cpe_edition": "",
      "unique_hw_id": "",
      "deleted_at": "",
      "asset_id": "",
      "node_label": "",
      "node_type": "",
      "node_vendor": "",
      "node_product_name": "",
      "node_firmware_version": "",
      "zone": "",
      "node_os": ""
    }
  ],
  "header": [],
  "error": "",
  "total": ""
}

operation: Get Node CVEs

Input parameters

  • Search Query (Optional): Query with which you want to search for and retrieve node CVEs from the Nozomi Networks Guardian server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
  "result": [
    {
      "id": "",
      "node_id": "",
      "cve": "",
      "time": "",
      "cwe_id": "",
      "cwe_name": "",
      "matching_cpes": [],
      "likelihood": "",
      "resolved": "",
      "resolved_reason": "",
      "resolved_source": "",
      "installed_on": "",
      "appliance_id": "",
      "appliance_ip": "",
      "appliance_host": "",
      "zone": "",
      "asset_id": "",
      "node_label": "",
      "node_type": "",
      "node_vendor": "",
      "node_product_name": "",
      "node_firmware_version": "",
      "node_os": "",
      "resolution_status": "",
      "cve_summary": "",
      "cve_references": [
        {
          "name": "",
          "reference_type": "",
          "source": "",
          "url": ""
        }
      ],
      "cve_score": "",
      "cve_creation_time": "",
      "cve_update_time": "",
      "cve_source": ""
    }
  ],
  "header": [],
  "error": "",
  "total": ""
}
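A prioritisation pass over the Get Node CVEs result that turns the flat record list into a per-node remediation list, as an added example (not the connector's or Nozomi Networks' code). It assumes the records carry the keys shown in the schema above (node_id, node_label, cve, cve_score, cwe_id, resolved, likelihood); the sample records are constructed and the CVE-EXAMPLE-* identifiers are placeholders, not real advisories.

```python
"""Group unresolved, high-score node CVEs by node (added example)."""
from collections import defaultdict
from typing import Any, Dict, List, Optional

# Constructed sample records; CVE-EXAMPLE-* and CWE-EXAMPLE-* are placeholder IDs.
SAMPLE_NODE_CVES: List[Dict[str, Any]] = [
    {"node_id": "n1", "node_label": "PLC-01", "cve": "CVE-EXAMPLE-0001",
     "cve_score": "9.8", "cwe_id": "CWE-EXAMPLE-1", "resolved": False, "likelihood": "0.9"},
    {"node_id": "n1", "node_label": "PLC-01", "cve": "CVE-EXAMPLE-0002",
     "cve_score": "4.0", "cwe_id": "", "resolved": "false", "likelihood": "0.5"},
    {"node_id": "n2", "node_label": "HMI-02", "cve": "CVE-EXAMPLE-0003",
     "cve_score": "8.1", "cwe_id": "", "resolved": "true", "likelihood": "0.7"},
    {"node_id": "n2", "node_label": "HMI-02", "cve": "CVE-EXAMPLE-0004",
     "cve_score": "7.5", "cwe_id": "", "resolved": False, "likelihood": "0.6"},
    {"node_id": "n3", "node_label": "", "cve": "CVE-EXAMPLE-0005",
     "cve_score": "", "cwe_id": "", "resolved": False, "likelihood": ""},
]


def as_float(value: Any, default: Optional[float] = 0.0) -> Optional[float]:
    """Parse a numeric field the schema shows as a string; empty -> default."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return default


def as_bool(value: Any) -> bool:
    """Accept JSON booleans as well as 'true'/'false' strings."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1", "yes")


def prioritize_node_cves(result: List[Dict[str, Any]],
                         min_score: float = 7.0) -> Dict[str, Any]:
    """Group unresolved CVEs with cve_score >= min_score by node, worst node first.

    Records with an empty cve_score are not treated as zero (which would silently
    drop them); their IDs are returned under 'unscored' so they can be reviewed.
    Nodes are keyed by node_label, falling back to node_id when the label is empty.
    """
    groups: Dict[str, List[Dict[str, Any]]] = defaultdict(list)
    unscored: List[str] = []
    for rec in result:
        if as_bool(rec.get("resolved")):
            continue  # already remediated or marked resolved on the appliance
        score = as_float(rec.get("cve_score"), default=None)
        if score is None:
            unscored.append(rec.get("cve"))
            continue
        if score < min_score:
            continue
        node = rec.get("node_label") or rec.get("node_id")
        groups[node].append({"cve": rec.get("cve"), "score": score,
                             "cwe": rec.get("cwe_id") or None,
                             "likelihood": as_float(rec.get("likelihood"))})
    ranked = []
    for node, cves in groups.items():
        cves.sort(key=lambda c: (c["score"], c["likelihood"]), reverse=True)
        ranked.append({"node": node, "max_score": cves[0]["score"], "cves": cves})
    ranked.sort(key=lambda g: g["max_score"], reverse=True)
    return {"nodes": ranked, "unscored": unscored}


if __name__ == "__main__":
    for group in prioritize_node_cves(SAMPLE_NODE_CVES)["nodes"]:
        print(group["node"], [c["cve"] for c in group["cves"]])
```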

operation: Get Nodes

Input parameters

  • Search Query (Optional): Query with which you want to search for and retrieve nodes from the Nozomi Networks Guardian server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
  "result": [
    {
      "appliance_host": "",
      "label": "",
      "id": "",
      "_asset_kb_id": "",
      "ip": "",
      "mac_address": "",
      "mac_address:info": {
        "source": "",
        "likelihood": "",
        "likelihood_level": ""
      },
      "mac_vendor": "",
      "_private_status": "",
      "subnet": "",
      "vlan_id": "",
      "vlan_id:info": {
        "source": ""
      },
      "zone": "",
      "level": "",
      "type": "",
      "type:info": {
        "source": ""
      },
      "os": "",
      "os:info": {
        "source": ""
      },
      "vendor": "",
      "vendor:info": {
        "source": ""
      },
      "product_name": "",
      "product_name:info": {
        "source": ""
      },
      "firmware_version": "",
      "firmware_version:info": {
        "source": ""
      },
      "serial_number": "",
      "serial_number:info": {
        "source": ""
      },
      "is_broadcast": "",
      "is_public": "",
      "fields": {},
      "reputation": "",
      "is_compromised": "",
      "is_confirmed": "",
      "is_learned": "",
      "is_fully_learned": "",
      "is_disabled": "",
      "_is_licensed": "",
      "roles": [],
      "links": [
        {
          "id": "",
          "protos": [
            {
              "name": "",
              "last_activity": ""
            }
          ]
        }
      ],
      "links_count": "",
      "protocols": [],
      "created_at": "",
      "first_activity_time": "",
      "last_activity_time": "",
      "received.packets": "",
      "received.bytes": "",
      "received.last_5m_bytes": "",
      "received.last_15m_bytes": "",
      "received.last_30m_bytes": "",
      "sent.packets": "",
      "sent.bytes": "",
      "sent.last_5m_bytes": "",
      "sent.last_15m_bytes": "",
      "sent.last_30m_bytes": "",
      "tcp_retransmission.percent": "",
      "tcp_retransmission.packets": "",
      "tcp_retransmission.bytes": "",
      "tcp_retransmission.last_5m_bytes": "",
      "tcp_retransmission.last_15m_bytes": "",
      "tcp_retransmission.last_30m_bytes": "",
      "variables_count": "",
      "device_id": "",
      "properties": {},
      "custom_fields": {},
      "bpf_filter": "",
      "device_modules": {},
      "capture_device": ""
    }
  ],
  "header": [],
  "total": ""
}

operation: Get Sessions

Input parameters

  • Search Query (Optional): Query with which you want to search for and retrieve sessions from the Nozomi Networks Guardian server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
  "result": [
    {
      "id": "",
      "status": "",
      "direction_is_known": "",
      "from": "",
      "to": "",
      "transport_protocol": "",
      "from_zone": "",
      "to_zone": "",
      "from_port": "",
      "to_port": "",
      "protocol": "",
      "vlan_id": "",
      "transferred.packets": "",
      "transferred.bytes": "",
      "transferred.last_5m_bytes": "",
      "transferred.last_15m_bytes": "",
      "transferred.last_30m_bytes": "",
      "transferred.smallest_packet_bytes": "",
      "transferred.biggest_packet_bytes": "",
      "transferred.avg_packet_bytes": "",
      "throughput_speed": "",
      "first_activity_time": "",
      "last_activity_time": "",
      "key": "",
      "bpf_filter": ""
    }
  ],
  "header": [],
  "total": ""
}

operation: Get Sessions History

Input parameters

  • Search Query (Optional): Query with which you want to search for and retrieve archived sessions from the Nozomi Networks Guardian server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
  "result": [
    {
      "id": "",
      "status": "",
      "direction_is_known": "",
      "from": "",
      "to": "",
      "transport_protocol": "",
      "from_zone": "",
      "to_zone": "",
      "from_port": "",
      "to_port": "",
      "protocol": "",
      "vlan_id": "",
      "transferred.packets": "",
      "transferred.bytes": "",
      "transferred.last_5m_bytes": "",
      "transferred.last_15m_bytes": "",
      "transferred.last_30m_bytes": "",
      "transferred.smallest_packet_bytes": "",
      "transferred.biggest_packet_bytes": "",
      "transferred.avg_packet_bytes": "",
      "throughput_speed": "",
      "first_activity_time": "",
      "last_activity_time": "",
      "key": "",
      "bpf_filter": ""
    }
  ],
  "header": [],
  "total": ""
}

operation: Get Variable History

Input parameters

  • Search Query (Optional): Query with which you want to search for and retrieve variable history from the Nozomi Networks Guardian server. For example: | head 2

Output

The output contains a non-dictionary value.

operation: Get Variables

Input parameters

  • Search Query (Optional): Query with which you want to search for and retrieve variables from the Nozomi Networks Guardian server. For example: | head 2

Output

The output contains the following populated JSON schema:
{
  "result": [
    {
      "var_key": "",
      "host": "",
      "host_label": "",
      "RTU_ID": "",
      "name": "",
      "label": "",
      "unit": "",
      "scale": "",
      "offset": "",
      "type": "",
      "is_numeric": "",
      "min_value": "",
      "max_value": "",
      "value": "",
      "last_value": "",
      "last_value_is_valid": "",
      "last_value_quality": [],
      "last_cause": "",
      "protocol": "",
      "last_function_code_info": "",
      "last_function_code": "",
      "first_activity_time": "",
      "last_range_change_time": "",
      "last_activity_time": "",
      "last_update_time": "",
      "last_valid_quality_time": "",
      "request_count": "",
      "changes_count": "",
      "last_client": "",
      "history_status": "",
      "active_checks": [],
      "_checks": {},
      "flow_status": "",
      "flow_anomalies": "",
      "flow_anomaly_in_progress": "",
      "flow_hiccups_percent": "",
      "flow_stats.avg": "",
      "flow_stats.var": ""
    }
  ],
  "header": [],
  "total": ""
}

operation: Get Alert Acknowledgement Status

Input parameters

  • Job ID: ID of the alert acknowledgment job whose information you want to retrieve from Nozomi Networks Guardian.

Output

The output contains a non-dictionary value.

operation: Set Acknowledgment Status

Input parameters

  • Alert IDs: List of comma-separated alert IDs whose acknowledgment status you want to set in Nozomi Networks Guardian.
  • Acknowledgment Status: Select this checkbox to set the acknowledgment status of the specified alerts to 'Acknowledge', or clear it to set the acknowledgment status of the specified alerts to 'Unacknowledge', in Nozomi Networks Guardian.

Output

The output contains the following populated JSON schema:
{
  "result": {
    "id": ""
  },
  "error": ""
}

operation: Run CLI

Input parameters

  • Command: CLI command that you want to run on Nozomi Networks Guardian.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - Nozomi Networks Guardian - 1.0.0 playbook collection comes bundled with the Nozomi Networks Guardian connector. These playbooks contain steps that perform every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Nozomi Networks Guardian connector.

  • Get Alert Acknowledgement Status
  • Get Alert Details
  • Get Appliances
  • Get Assertions
  • Get Captured Logs
  • Get Captured URLs
  • Get Function Codes
  • Get Health Log
  • Get Link Events
  • Get Links
  • Get Node CPE Changes
  • Get Node CPEs
  • Get Node CVEs
  • Get Nodes
  • Get Sessions
  • Get Sessions History
  • Get Variable History
  • Get Variables
  • Import Asset
  • List All Alerts
  • List All Assets
  • > NozomiNetworks > Fetch
  • NozomiNetworks > Ingest
  • >> NozomiNetworks > Init Macros
  • Run CLI
  • Set Acknowledgment Status

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

Previous
Next

About the connector

The Nozomi Networks Guardian platform used to monitor OT/IoT/IT networks. It combines asset discovery, network visualization, vulnerability assessment, risk monitoring, and threat detection in a single solution.

This document provides information about the Nozomi Networks Guardian connector, which facilitates automated interactions, with your Nozomi Networks Guardian server using FortiSOAR™ playbooks. Add the Nozomi Networks Guardian connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving assets and alerts from Nozomi Networks Guardian, importing assets into Nozomi Networks Guardian, running a CLI command on Nozomi Networks Guardian, etc.

Version information

Connector Version: 1.0.0

Authored By: Community

Certified: No

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-nozomi-networks-guardian

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Nozomi Networks Guardian connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL URL of the Nozomi Networks Guardian server to which you will connect and perform automated operations.
Username Username to access the Nozomi Networks Guardian server to which you will connect and perform automated operations.
Password Password to access the Nozomi Networks Guardian server to which you will connect and perform automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:

Function Description Annotation and Category
List All Alerts Retrieves all alerts, or alerts based on the search query you have specified, from Nozomi Networks Guardian. get_alerts
Investigation
Get Alert Details Retrieves information about a specific alert from Nozomi Networks Guardian based on the alert ID that you have specified. get_alert_details
Investigation
List All Assets Retrieves all assets, or assets based on the search query you have specified, from Nozomi Networks Guardian. get_assets
Investigation
Import Asset Imports assets into Nozomi Networks Guardian allowing you to enrich information associated with nodes. The information that you provide affects the nodes that match the specified IP field value. If there are no matches, then new nodes are created. import_asset
Investigation
Get Appliances Retrieves all appliances, or appliances based on the search query you have specified, from Nozomi Networks Guardian. get_appliances
Investigation
Get Assertions Retrieves all assertions, or assertions based on the search query you have specified, from Nozomi Networks Guardian. get_assertions
Investigation
Get Captured Logs Retrieves all captured logs, or captured logs based on the search query you have specified, from Nozomi Networks Guardian. get_captured_logs
Investigation
Get Captured URLs Retrieves all captured URLs, or captured URLs based on the search query you have specified, from Nozomi Networks Guardian. get_captured_urls
Investigation
Get Function Codes Retrieves all function codes, or function codes based on the search query you have specified, from Nozomi Networks Guardian. get_function_codes
Investigation
Get Health Log Retrieves all health logs, or health logs based on the search query you have specified, from Nozomi Networks Guardian. get_health_log
Investigation
Get Link Events Retrieves all link events, or link events based on the search query you have specified, from Nozomi Networks Guardian. get_link_events
Investigation
Get Links Retrieves all links, or links based on the search query you have specified, from Nozomi Networks Guardian. get_links
Investigation
Get Node CPE Changes Retrieves all node CPE changes, or node CPE changes based on the search query you have specified, from Nozomi Networks Guardian. get_node_cpe_changes
Investigation
Get Node CPEs Retrieves all node CPEs, or node CPEs based on the search query you have specified, from Nozomi Networks Guardian. get_node_cpes
Investigation
Get Node CVEs Retrieves all node CVEs, or node CVEs based on the search query you have specified, from Nozomi Networks Guardian. get_node_cves
Investigation
Get Nodes Retrieves all nodes, or nodes based on the search query you have specified, from Nozomi Networks Guardian. get_nodes
Investigation
Get Sessions Retrieves all sessions, or sessions based on the search query you have specified, from Nozomi Networks Guardian. get_sessions
Investigation
Get Sessions History Retrieves all archived sessions, or archived sessions based on the search query you have specified, from Nozomi Networks Guardian. get_sessions_history
Investigation
Get Variable History Retrieves all variable history, or variable history based on the search query you have specified, from Nozomi Networks Guardian. get_variable_history
Investigation
Get Variables Retrieves all variables, or variables based on the search query you have specified, from Nozomi Networks Guardian. get_variables
Investigation
Get Alert Acknowledgement Status Retrieves all alert acknowledgment statuses based on the alert acknowledgment job ID you have specified, from Nozomi Networks Guardian. get_alert_ack_status
Investigation
Set Acknowledgment Status Set alert statuses to Acknowledge or Unacknowledge based on the alert IDs you have specified, from Nozomi Networks Guardian. set_alert_ack
Investigation
Run CLI Runs the specified CLI command on Nozomi Networks Guardian. run_cli
Investigation

operation: List All Alerts

Input parameters

Parameter Description
Search Query (Optional) Query using which you want to search and retrieve alerts from the Nozomi Networks Guardian server. For example, | count

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"type_id": "",
"name": "",
"description": "",
"severity": "",
"mac_src": "",
"mac_dst": "",
"ip_src": "",
"ip_dst": "",
"risk": "",
"protocol": "",
"src_roles": "",
"dst_roles": "",
"time": "",
"ack": "",
"id_src": "",
"id_dst": "",
"synchronized": "",
"appliance_id": "",
"port_src": "",
"port_dst": "",
"label_src": "",
"label_dst": "",
"trigger_id": "",
"trigger_type": "",
"appliance_host": "",
"appliance_ip": "",
"transport_protocol": "",
"is_security": "",
"note": "",
"appliance_site": "",
"parents": [],
"is_incident": "",
"properties": {
"bad_actor": "",
"base_risk": "",
"is_dst_node_learned": "",
"is_dst_public": "",
"is_dst_reputation_bad": "",
"is_src_node_learned": "",
"is_src_public": "",
"is_src_reputation_bad": "",
"remediation_target": "",
"victims": [],
"mitre_attack/techniques": [
{
"technique": "",
"name": "",
"tactic": ""
}
]
},
"created_time": "",
"incident_keys": [],
"bpf_filter": "",
"closed_time": "",
"status": "",
"session_id": "",
"replicated": "",
"capture_device": "",
"threat_name": "",
"type_name": "",
"sec_profile_visible": "",
"zone_src": "",
"zone_dst": "",
"mitre_attack_techniques": "",
"mitre_attack_tactics": ""
}
],
"header": [],
"error": "",
"total": ""
}

operation: Get Alert Details

Input parameters

Parameter Description
Alert ID ID of the alert whose information you want to retrieve from Nozomi Networks Guardian.

Output

The output contains a non-dictionary value.

operation: List All Assets

Input parameters

Parameter Description
Search Query (Optional) Query used to search for and retrieve assets from the Nozomi Networks Guardian server. For example, | count

Output

The output contains the following populated JSON schema:
{
"result": [
{
"name": "",
"level": "",
"id": "",
"appliance_hosts": [],
"capture_device": "",
"ip": [],
"mac_address": [],
"mac_address_level": {},
"vlan_id": [],
"mac_vendor": [],
"os": "",
"roles": [],
"vendor": "",
"_asset_kb_id": "",
"vendor:info": {
"source": ""
},
"firmware_version": "",
"firmware_version:info": {
"source": ""
},
"os_or_firmware": "",
"serial_number": "",
"serial_number:info": {
"source": ""
},
"product_name": "",
"product_name:info": {
"source": ""
},
"type": "",
"type:info": {
"source": ""
},
"protocols": [],
"nodes": [],
"zones": [],
"custom_fields": {},
"fields": {},
"created_at": "",
"last_activity_time": "",
"device_id": ""
}
],
"header": [],
"error": "",
"total": ""
}

operation: Import Asset

Input parameters

Parameter Description
Import Type Type of import you want to use to import assets into Nozomi Networks Guardian. You can choose from the following options: JSON or CSV.
If you choose 'JSON', then you must specify the following parameter:
  • Asset: Provide a list of items and their values in the JSON format that you want to import as an asset into Nozomi Networks Guardian.
If you choose 'CSV', then you must specify the following parameters:
  • Type: Choose between Attachment ID or a File IRI.
  • Reference ID: Reference ID that is used to access the attachment metadata from the FortiSOAR™ Attachments module.
    In the playbook, if you select 'Attachment ID', this defaults to the {{vars.attachment_id}} value or if you select 'File IRI', then this defaults to the {{vars.file_iri}} value.

Output

The output contains the following populated JSON schema:
{
"result": "",
"error": ""
}

operation: Get Appliances

Input parameters

Parameter Description
Search Query (Optional) Query used to search for and retrieve appliances from the Nozomi Networks Guardian server. For example, | head 2

Output

The output contains a non-dictionary value.

operation: Get Assertions

Input parameters

Parameter Description
Search Query (Optional) Query used to search for and retrieve assertions from the Nozomi Networks Guardian server. For example, | head 2

Output

The output contains a non-dictionary value.

operation: Get Captured Logs

Input parameters

Parameter Description
Search Query (Optional) Query used to search for and retrieve captured logs from the Nozomi Networks Guardian server. For example, | head 2

Output

The output contains a non-dictionary value.

operation: Get Captured URLs

Input parameters

Parameter Description
Search Query (Optional) Query used to search for and retrieve captured URLs from the Nozomi Networks Guardian server. For example, | head 2

Output

The output contains a non-dictionary value.

operation: Get Function Codes

Input parameters

Parameter Description
Search Query (Optional) Query used to search for and retrieve function codes from the Nozomi Networks Guardian server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"protocol": "",
"fc": "",
"count": "",
"description": ""
}
],
"header": [],
"total": ""
}

operation: Get Health Log

Input parameters

Parameter Description
Search Query (Optional) Query used to search for and retrieve health logs from the Nozomi Networks Guardian server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"time": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"synchronized": "",
"info": {
"description": ""
},
"replicated": ""
}
],
"header": [],
"error": "",
"total": ""
}

operation: Get Link Events

Input parameters

Parameter Description
Search Query (Optional) Query used to search for and retrieve link events from the Nozomi Networks Guardian server. For example, | head 2

Output

The output contains a non-dictionary value.

operation: Get Links

Input parameters

Parameter Description
Search Query (Optional) Query used to search for and retrieve links from the Nozomi Networks Guardian server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"from": "",
"to": "",
"is_from_public": "",
"is_to_public": "",
"protocol": "",
"first_activity_time": "",
"last_activity_time": "",
"last_handshake_time": "",
"transport_protocols": [],
"tcp_handshaked_connections.total": "",
"tcp_handshaked_connections.last_5m": "",
"tcp_handshaked_connections.last_15m": "",
"tcp_handshaked_connections.last_30m": "",
"tcp_connection_attempts.total": "",
"tcp_connection_attempts.last_5m": "",
"tcp_connection_attempts.last_15m": "",
"tcp_connection_attempts.last_30m": "",
"transferred.packets": "",
"transferred.bytes": "",
"transferred.last_5m_bytes": "",
"transferred.last_15m_bytes": "",
"transferred.last_30m_bytes": "",
"transferred.smallest_packet_bytes": "",
"transferred.biggest_packet_bytes": "",
"transferred.avg_packet_bytes": "",
"tcp_retransmission.percent": "",
"tcp_retransmission.packets": "",
"tcp_retransmission.bytes": "",
"tcp_retransmission.last_5m_bytes": "",
"tcp_retransmission.last_15m_bytes": "",
"tcp_retransmission.last_30m_bytes": "",
"throughput_speed": "",
"is_learned": "",
"is_fully_learned": "",
"is_broadcast": "",
"has_confirmed_data": "",
"_can": {
"link_events": "",
"captured_urls": "",
"trace_requests": ""
},
"alerts": "",
"last_trace_request_time": "",
"_ports": [
{
"tcp": ""
}
],
"active_checks": [],
"_checks": {},
"function_codes": [],
"bpf_filter": "",
"from_zone": "",
"to_zone": ""
}
],
"header": [],
"total": ""
}

operation: Get Node CPE Changes

Input parameters

Parameter Description
Search Query (Optional) Query used to search for and retrieve node CPE changes from the Nozomi Networks Guardian server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"node_id": "",
"cpe": "",
"cpe_part": "",
"cpe_vendor": "",
"cpe_product": "",
"cpe_version": "",
"cpe_update": "",
"new_cpe": "",
"new_cpe_vendor": "",
"new_cpe_product": "",
"new_cpe_version": "",
"new_cpe_update": "",
"node_cpe_id": "",
"time": "",
"synchronized": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"human_cpe_vendor": "",
"human_cpe_product": "",
"new_human_cpe_vendor": "",
"new_human_cpe_product": "",
"human_cpe_version": "",
"human_cpe_update": "",
"new_human_cpe_version": "",
"new_human_cpe_update": "",
"likelihood": "",
"new_likelihood": "",
"replicated": "",
"cpe_edition": "",
"new_cpe_edition": "",
"human_cpe_edition": "",
"new_human_cpe_edition": ""
}
],
"header": [],
"error": "",
"total": ""
}

operation: Get Node CPEs

Input parameters

Parameter Description
Search Query (Optional) Query used to search for and retrieve node CPEs from the Nozomi Networks Guardian server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"node_id": "",
"cpe": "",
"cpe_part": "",
"cpe_vendor": "",
"cpe_product": "",
"cpe_version": "",
"cpe_update": "",
"time": "",
"synchronized": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"updated": "",
"cpe_translator": "",
"human_cpe_vendor": "",
"human_cpe_product": "",
"human_cpe_version": "",
"human_cpe_update": "",
"likelihood": "",
"replicated": "",
"cpe_edition": "",
"human_cpe_edition": "",
"unique_hw_id": "",
"deleted_at": "",
"asset_id": "",
"node_label": "",
"node_type": "",
"node_vendor": "",
"node_product_name": "",
"node_firmware_version": "",
"zone": "",
"node_os": ""
}
],
"header": [],
"error": "",
"total": ""
}

operation: Get Node CVEs

Input parameters

Parameter Description
Search Query (Optional) Query used to search for and retrieve node CVEs from the Nozomi Networks Guardian server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"node_id": "",
"cve": "",
"time": "",
"cwe_id": "",
"cwe_name": "",
"matching_cpes": [],
"likelihood": "",
"resolved": "",
"resolved_reason": "",
"resolved_source": "",
"installed_on": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"zone": "",
"asset_id": "",
"node_label": "",
"node_type": "",
"node_vendor": "",
"node_product_name": "",
"node_firmware_version": "",
"node_os": "",
"resolution_status": "",
"cve_summary": "",
"cve_references": [
{
"name": "",
"reference_type": "",
"source": "",
"url": ""
}
],
"cve_score": "",
"cve_creation_time": "",
"cve_update_time": "",
"cve_source": ""
}
],
"header": [],
"error": "",
"total": ""
}

operation: Get Nodes

Input parameters

Parameter Description
Search Query (Optional) Query used to search for and retrieve nodes from the Nozomi Networks Guardian server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"appliance_host": "",
"label": "",
"id": "",
"_asset_kb_id": "",
"ip": "",
"mac_address": "",
"mac_address:info": {
"source": "",
"likelihood": "",
"likelihood_level": ""
},
"mac_vendor": "",
"_private_status": "",
"subnet": "",
"vlan_id": "",
"vlan_id:info": {
"source": ""
},
"zone": "",
"level": "",
"type": "",
"type:info": {
"source": ""
},
"os": "",
"os:info": {
"source": ""
},
"vendor": "",
"vendor:info": {
"source": ""
},
"product_name": "",
"product_name:info": {
"source": ""
},
"firmware_version": "",
"firmware_version:info": {
"source": ""
},
"serial_number": "",
"serial_number:info": {
"source": ""
},
"is_broadcast": "",
"is_public": "",
"fields": {},
"reputation": "",
"is_compromised": "",
"is_confirmed": "",
"is_learned": "",
"is_fully_learned": "",
"is_disabled": "",
"_is_licensed": "",
"roles": [],
"links": [
{
"id": "",
"protos": [
{
"name": "",
"last_activity": ""
}
]
}
],
"links_count": "",
"protocols": [],
"created_at": "",
"first_activity_time": "",
"last_activity_time": "",
"received.packets": "",
"received.bytes": "",
"received.last_5m_bytes": "",
"received.last_15m_bytes": "",
"received.last_30m_bytes": "",
"sent.packets": "",
"sent.bytes": "",
"sent.last_5m_bytes": "",
"sent.last_15m_bytes": "",
"sent.last_30m_bytes": "",
"tcp_retransmission.percent": "",
"tcp_retransmission.packets": "",
"tcp_retransmission.bytes": "",
"tcp_retransmission.last_5m_bytes": "",
"tcp_retransmission.last_15m_bytes": "",
"tcp_retransmission.last_30m_bytes": "",
"variables_count": "",
"device_id": "",
"properties": {},
"custom_fields": {},
"bpf_filter": "",
"device_modules": {},
"capture_device": ""
}
],
"header": [],
"total": ""
}

operation: Get Sessions

Input parameters

Parameter Description
Search Query (Optional) Query used to search for and retrieve sessions from the Nozomi Networks Guardian server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"status": "",
"direction_is_known": "",
"from": "",
"to": "",
"transport_protocol": "",
"from_zone": "",
"to_zone": "",
"from_port": "",
"to_port": "",
"protocol": "",
"vlan_id": "",
"transferred.packets": "",
"transferred.bytes": "",
"transferred.last_5m_bytes": "",
"transferred.last_15m_bytes": "",
"transferred.last_30m_bytes": "",
"transferred.smallest_packet_bytes": "",
"transferred.biggest_packet_bytes": "",
"transferred.avg_packet_bytes": "",
"throughput_speed": "",
"first_activity_time": "",
"last_activity_time": "",
"key": "",
"bpf_filter": ""
}
],
"header": [],
"total": ""
}

operation: Get Sessions History

Input parameters

Parameter Description
Search Query (Optional) Query used to search for and retrieve archived sessions from the Nozomi Networks Guardian server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"status": "",
"direction_is_known": "",
"from": "",
"to": "",
"transport_protocol": "",
"from_zone": "",
"to_zone": "",
"from_port": "",
"to_port": "",
"protocol": "",
"vlan_id": "",
"transferred.packets": "",
"transferred.bytes": "",
"transferred.last_5m_bytes": "",
"transferred.last_15m_bytes": "",
"transferred.last_30m_bytes": "",
"transferred.smallest_packet_bytes": "",
"transferred.biggest_packet_bytes": "",
"transferred.avg_packet_bytes": "",
"throughput_speed": "",
"first_activity_time": "",
"last_activity_time": "",
"key": "",
"bpf_filter": ""
}
],
"header": [],
"total": ""
}

operation: Get Variable History

Input parameters

Parameter Description
Search Query (Optional) Query used to search for and retrieve variable history from the Nozomi Networks Guardian server. For example, | head 2

Output

The output contains a non-dictionary value.

operation: Get Variables

Input parameters

Parameter Description
Search Query (Optional) Query used to search for and retrieve variables from the Nozomi Networks Guardian server. For example, | head 2

Output

The output contains the following populated JSON schema:
{
"result": [
{
"var_key": "",
"host": "",
"host_label": "",
"RTU_ID": "",
"name": "",
"label": "",
"unit": "",
"scale": "",
"offset": "",
"type": "",
"is_numeric": "",
"min_value": "",
"max_value": "",
"value": "",
"last_value": "",
"last_value_is_valid": "",
"last_value_quality": [],
"last_cause": "",
"protocol": "",
"last_function_code_info": "",
"last_function_code": "",
"first_activity_time": "",
"last_range_change_time": "",
"last_activity_time": "",
"last_update_time": "",
"last_valid_quality_time": "",
"request_count": "",
"changes_count": "",
"last_client": "",
"history_status": "",
"active_checks": [],
"_checks": {},
"flow_status": "",
"flow_anomalies": "",
"flow_anomaly_in_progress": "",
"flow_hiccups_percent": "",
"flow_stats.avg": "",
"flow_stats.var": ""
}
],
"header": [],
"total": ""
}

operation: Get Alert Acknowledgement Status

Input parameters

Parameter Description
Job ID ID of the alert acknowledgment job whose information you want to retrieve from Nozomi Networks Guardian.

Output

The output contains a non-dictionary value.

operation: Set Acknowledgment Status

Input parameters

Parameter Description
Alert IDs Comma-separated list of the IDs of the alerts whose acknowledgment status you want to set in Nozomi Networks Guardian.
Acknowledgment Status Select this checkbox to set the acknowledgment status of the specified alerts to 'Acknowledge', or clear this checkbox to set it to 'Unacknowledge' in Nozomi Networks Guardian.

Output

The output contains the following populated JSON schema:
{
"result": {
"id": ""
},
"error": ""
}
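As an added example that is not part of the connector's own code, the following Python takes a List All Alerts response (a constructed sample shaped like the output schema documented above) and builds the comma-separated Alert IDs value that Set Acknowledgment Status expects; the triage rule, the risk threshold and the function names are assumptions, and the helpers tolerate the boolean fields arriving either as JSON booleans or as "true"/"false" strings.

```python
import json

# Constructed sample of a List All Alerts response, trimmed to the fields the triage
# rule reads. Field names follow the documented schema; the values are made up.
SAMPLE_RESPONSE = json.loads("""
{"result": [
  {"id": "a1", "name": "Low-risk security alert", "risk": "3",
   "ack": false, "is_security": true},
  {"id": "a2", "name": "High-risk security alert", "risk": "8.5",
   "ack": "false", "is_security": "true"},
  {"id": "a3", "name": "Already acknowledged", "risk": "9",
   "ack": true, "is_security": true},
  {"id": "a4", "name": "Operational alert", "risk": "9",
   "ack": false, "is_security": false},
  {"id": "a5", "name": "Malformed risk", "risk": "",
   "ack": false, "is_security": true}
], "header": [], "error": "", "total": 5}
""")


def as_bool(value):
    """Normalise a boolean field that may be a bool or a 'true'/'false' string."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def as_risk(value):
    """Parse the risk field; None when empty or not numeric, so it is never selected."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def select_alert_ids(response, min_risk=7.0):
    """IDs of unacknowledged security alerts at or above min_risk, in response order.

    The threshold and the 'security and unacknowledged' rule are assumptions for
    this example, not behaviour of the connector.
    """
    selected = []
    for alert in response.get("result", []):
        risk = as_risk(alert.get("risk"))
        if risk is None or risk < min_risk:
            continue
        if as_bool(alert.get("ack")) or not as_bool(alert.get("is_security")):
            continue
        selected.append(str(alert["id"]))
    return selected


def alert_ids_param(response, min_risk=7.0):
    """Format the selection as the comma-separated 'Alert IDs' input value."""
    return ",".join(select_alert_ids(response, min_risk))


if __name__ == "__main__":
    print(alert_ids_param(SAMPLE_RESPONSE))  # a2
```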

operation: Run CLI

Input parameters

Parameter Description
Command CLI command that you want to run on Nozomi Networks Guardian.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - Nozomi Networks Guardian - 1.0.0 playbook collection comes bundled with the Nozomi Networks Guardian connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Nozomi Networks Guardian connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
