Use the Nozomi Networks Guardian platform to monitor OT/IoT/IT networks. It combines asset discovery, network visualization, vulnerability assessment, risk monitoring, and threat detection in a single solution.
This document provides information about the Nozomi Networks Guardian connector, which facilitates automated interactions with your Nozomi Networks Guardian server using FortiSOAR™ playbooks. Add the Nozomi Networks Guardian connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving assets and alerts from Nozomi Networks Guardian, importing assets into Nozomi Networks Guardian, running a CLI command on Nozomi Networks Guardian, and so on.
Use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents and alerts from Nozomi Networks Guardian. For more information, see the Data Ingestion Support section.
Connector Version: 1.1.0
Authored By: Fortinet
Nozomi Networks Guardian Version Tested On: 22.5.0-10040913_E7B69
Certified: Yes
The following enhancements have been made to the Nozomi Networks Guardian connector in version 1.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-nozomi-networks-guardian
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Nozomi Networks Guardian connector card. On the connector popup, click the Configurations tab to enter the required configuration details.
Parameter | Description |
---|---|
Server URL | URL of the Nozomi Networks Guardian server to which you will connect and perform automated operations. |
Username | Username to access the Nozomi Networks Guardian server to which you will connect and perform automated operations. |
Password | Password to access the Nozomi Networks Guardian server to which you will connect and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate of the server is verified. By default, this option is set to True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access these operations in FortiSOAR™:
Function | Description | Annotation and Category |
---|---|---|
Get Alerts List | Retrieves all alerts or specific alerts from Nozomi Networks Guardian based on the search query and other input parameters you have specified. | get_alerts Investigation |
Get Alert Trace | Retrieves information about a specific alert from Nozomi Networks Guardian based on the alert ID that you have specified. | get_alert_details Investigation |
Get Assets | Retrieves all assets or specific assets from Nozomi Networks Guardian based on the search query and other input parameters you have specified. | get_assets Investigation |
Import Asset | Imports assets into Nozomi Networks Guardian allowing you to enrich information associated with nodes. The information that you provide affects the nodes that match the specified IP field value. If there are no matches, then new nodes are created. | import_asset Investigation |
Get Appliances | Retrieves all appliances, or appliances based on the search query you have specified, from Nozomi Networks Guardian. | get_appliances Investigation |
Get Assertions | Retrieves all assertions, or assertions based on the search query you have specified, from Nozomi Networks Guardian. | get_assertions Investigation |
Get Captured Logs | Retrieves all captured logs, or captured logs based on the search query you have specified, from Nozomi Networks Guardian. | get_captured_logs Investigation |
Get Captured URLs | Retrieves all captured URLs, or captured URLs based on the search query you have specified, from Nozomi Networks Guardian. | get_captured_urls Investigation |
Get Function Codes | Retrieves all function codes, or function codes based on the search query you have specified, from Nozomi Networks Guardian. | get_function_codes Investigation |
Get Health Log | Retrieves all health logs, or health logs based on the search query you have specified, from Nozomi Networks Guardian. | get_health_log Investigation |
Get Link Events | Retrieves all link events, or link events based on the search query you have specified, from Nozomi Networks Guardian. | get_link_events Investigation |
Get Links | Retrieves all links, or links based on the search query you have specified, from Nozomi Networks Guardian. | get_links Investigation |
Get Node CPE Changes | Retrieves all node CPE changes, or node CPE changes based on the search query you have specified, from Nozomi Networks Guardian. | get_node_cpe_changes Investigation |
Get Node CPEs | Retrieves all node CPEs, or node CPEs based on the search query you have specified, from Nozomi Networks Guardian. | get_node_cpes Investigation |
Get Node CVEs | Retrieves all node CVEs, or node CVEs based on the search query you have specified, from Nozomi Networks Guardian. | get_node_cves Investigation |
Get Nodes | Retrieves all nodes, or nodes based on the search query you have specified, from Nozomi Networks Guardian. | get_nodes Investigation |
Get Sessions | Retrieves all sessions, or sessions based on the search query you have specified, from Nozomi Networks Guardian. | get_sessions Investigation |
Get Sessions History | Retrieves all archived sessions, or archived sessions based on the search query you have specified, from Nozomi Networks Guardian. | get_sessions_history Investigation |
Get Variable History | Retrieves all variable history, or variable history based on the search query you have specified, from Nozomi Networks Guardian. | get_variable_history Investigation |
Get Variables | Retrieves all variables, or variables based on the search query you have specified, from Nozomi Networks Guardian. | get_variables Investigation |
Get Alert Acknowledgement Status | Retrieves all alert acknowledgment statuses from Nozomi Networks Guardian based on the job ID you have specified. | get_alert_ack_status Investigation |
Set Acknowledgment Status | Sets the alert status to Acknowledge or Unacknowledge in Nozomi Networks Guardian based on the alert IDs you have specified. | set_alert_ack Investigation |
Run CLI | Runs the specified CLI command on Nozomi Networks Guardian. | run_cli Investigation |
Fetch All Alerts | Retrieves all alerts, or specific alerts from Nozomi Networks Guardian based on the start DateTime and, optionally, the search query you have specified. Note: This operation is used while running Data Ingestion. | fetch_alerts Investigation |
Create Indicator | Creates a threat intelligence indicator in Nozomi Networks Guardian based on the JSON array list of indicators you have specified. The JSON array must contain the name, threat type, and content of the indicator. | create_threat_intelligence_indicator Investigation |
Get All Indicators | Retrieves all threat intelligence indicators from Nozomi Networks Guardian. | get_all_threat_intelligence_indicators Investigation |
Delete Indicator | Deletes a threat intelligence indicator from Nozomi Networks Guardian based on the JSON array list of indicators you have specified. The JSON array must contain the ID and threat type of the indicator. | delete_threat_intelligence_indicator Investigation |
Operation: Get Alerts List
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of alerts) is returned.
Parameter | Description |
---|---|
Appliance ID | Specify the ID of the appliance from which you want to retrieve alerts from Nozomi Networks Guardian. |
Start Time | Specify the starting DateTime to use to filter the alerts retrieved from Nozomi Networks Guardian. This parameter filters the result set to include only those items that were created after the specified timestamp. |
Risk Level | Specify the risk level (0-10) to retrieve only those alerts from Nozomi Networks Guardian whose risk level is equal to or above the specified value. |
Max Alerts | Specify the maximum number of alerts that you want this operation to return in the response. |
Status | Specify the status of the alert to retrieve only those alerts from Nozomi Networks Guardian whose status matches the specified value. |
Alert Type | Specify the type of the alert to retrieve only those alerts from Nozomi Networks Guardian whose type matches the specified value. |
Is Incident | Select this option, i.e., set it to 'true', if you want to retrieve only those alerts from Nozomi Networks Guardian that are part of an incident. By default, this option is cleared, i.e., set to 'false'. |
Search Query | (Optional) Query to use to search for and retrieve alerts from Nozomi Networks Guardian, for example `| group_by type_id`. |
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"type_id": "",
"name": "",
"description": "",
"severity": "",
"mac_src": "",
"mac_dst": "",
"ip_src": "",
"ip_dst": "",
"risk": "",
"protocol": "",
"src_roles": "",
"dst_roles": "",
"time": "",
"ack": "",
"id_src": "",
"id_dst": "",
"synchronized": "",
"appliance_id": "",
"port_src": "",
"port_dst": "",
"label_src": "",
"label_dst": "",
"trigger_id": "",
"trigger_type": "",
"appliance_host": "",
"appliance_ip": "",
"transport_protocol": "",
"is_security": "",
"note": "",
"appliance_site": "",
"parents": [],
"is_incident": "",
"properties": {
"bad_actor": "",
"base_risk": "",
"is_dst_node_learned": "",
"is_dst_public": "",
"is_dst_reputation_bad": "",
"is_src_node_learned": "",
"is_src_public": "",
"is_src_reputation_bad": "",
"remediation_target": "",
"victims": [],
"mitre_attack/techniques": [
{
"technique": "",
"name": "",
"tactic": ""
}
]
},
"created_time": "",
"incident_keys": [],
"bpf_filter": "",
"closed_time": "",
"status": "",
"session_id": "",
"replicated": "",
"capture_device": "",
"threat_name": "",
"type_name": "",
"sec_profile_visible": "",
"zone_src": "",
"zone_dst": "",
"mitre_attack_techniques": "",
"mitre_attack_tactics": ""
}
],
"header": [],
"error": "",
"total": ""
}
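The filter semantics of the Get Alerts List parameters, as an added example that is not part of the connector's code: it applies the documented rules (Appliance ID match, Start Time as "created after", Risk Level as "equal to or above", Status and Alert Type match, Is Incident only filtering when set to true, Max Alerts as a cap) to alert records shaped like the output schema above. The sample alerts are constructed, and the assumption that the `time` field is epoch milliseconds is not stated on the page.

```python
"""Filter semantics of the 'Get Alerts List' input parameters.

Added example, not code from the FortiSOAR connector. It applies the
documented filters to alert records shaped like the connector's output
schema. Sample alerts are constructed.
"""

# Constructed sample alerts. 'time' is assumed to be epoch milliseconds; the
# page does not state the unit, so treat this as an assumption.
SAMPLE_ALERTS = [
    {"id": "a1", "appliance_id": "app-1", "time": 1_700_000_000_000, "risk": 8,
     "status": "open", "type_id": "TYPE_A", "is_incident": True},
    {"id": "a2", "appliance_id": "app-1", "time": 1_700_000_100_000, "risk": 3,
     "status": "open", "type_id": "TYPE_B", "is_incident": False},
    {"id": "a3", "appliance_id": "app-2", "time": 1_700_000_200_000, "risk": 9,
     "status": "closed", "type_id": "TYPE_A", "is_incident": False},
    {"id": "a4", "appliance_id": "app-1", "time": 1_699_999_900_000, "risk": 10,
     "status": "open", "type_id": "TYPE_B", "is_incident": True},
]


def filter_alerts(alerts, appliance_id=None, start_time=None, risk_level=None,
                  status=None, alert_type=None, is_incident=False, max_alerts=None):
    """Return the alerts that pass every specified filter, in input order.

    Every parameter is optional; with none given the list is returned
    unfiltered, as the connector documents. Risk Level keeps alerts whose
    risk is equal to or above the value; Start Time keeps alerts created
    strictly after the timestamp; Is Incident only filters when set to True.
    """
    if risk_level is not None and not 0 <= risk_level <= 10:
        raise ValueError("Risk Level must be in the range 0-10")
    kept = []
    for alert in alerts:
        if appliance_id is not None and alert.get("appliance_id") != appliance_id:
            continue
        if start_time is not None and not alert.get("time", 0) > start_time:
            continue
        if risk_level is not None and alert.get("risk", 0) < risk_level:
            continue
        if status is not None and alert.get("status") != status:
            continue
        if alert_type is not None and alert.get("type_id") != alert_type:
            continue
        if is_incident and not alert.get("is_incident"):
            continue
        kept.append(alert)
    # Max Alerts caps the size of the response
    if max_alerts is not None:
        kept = kept[:max_alerts]
    return kept


def alert_ids(alerts):
    """Helper: the ids of a filtered list, handy when checking a playbook step."""
    return [a["id"] for a in alerts]


if __name__ == "__main__":
    # Alerts from appliance app-1 with risk 8 or higher
    print(alert_ids(filter_alerts(SAMPLE_ALERTS, appliance_id="app-1", risk_level=8)))
```

Note that an alert created exactly at the Start Time is excluded, because the page defines the filter as "created after the specified timestamp"; when a playbook stores the last-seen timestamp for the next run, this boundary decides whether an alert is fetched twice or never.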
Operation: Get Alert Trace
Parameter | Description |
---|---|
Alert ID | Specify the ID of the alert whose information you want to retrieve from Nozomi Networks Guardian. |
The output contains the following populated JSON schema:
{
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"size": "",
"uuid": "",
"@type": "",
"assignee": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"uuid": "",
"@type": "",
"tasks": [],
"alerts": [],
"assets": [],
"owners": [],
"people": [],
"@context": "",
"assignee": "",
"comments": [],
"warrooms": [],
"incidents": [],
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"indicators": [],
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": [],
"userOwners": [],
"description": ""
}
Operation: Get Assets
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of assets) is returned.
Parameter | Description |
---|---|
Appliance ID | Specify the ID of the appliance from which you want to retrieve assets from Nozomi Networks Guardian. |
Level | Specify the level (0-4) to retrieve only those assets from Nozomi Networks Guardian whose level is equal to the specified value. |
Asset Type | Specify the type of the asset to retrieve only those assets from Nozomi Networks Guardian whose type matches the specified value. |
Max Assets | Specify the maximum number of assets that you want this operation to return in the response. |
Search Query | (Optional) Query to use to search for and retrieve assets from the Nozomi Networks Guardian server, for example `| head 2`. |
The output contains the following populated JSON schema:
{
"result": [
{
"name": "",
"level": "",
"id": "",
"appliance_hosts": [],
"capture_device": "",
"ip": [],
"mac_address": [],
"mac_address_level": {},
"vlan_id": [],
"mac_vendor": [],
"os": "",
"roles": [],
"vendor": "",
"_asset_kb_id": "",
"vendor:info": {
"source": ""
},
"firmware_version": "",
"firmware_version:info": {
"source": ""
},
"os_or_firmware": "",
"serial_number": "",
"serial_number:info": {
"source": ""
},
"product_name": "",
"product_name:info": {
"source": ""
},
"type": "",
"type:info": {
"source": ""
},
"protocols": [],
"nodes": [],
"zones": [],
"custom_fields": {},
"fields": {},
"created_at": "",
"last_activity_time": "",
"device_id": ""
}
],
"header": [],
"error": "",
"total": ""
}
Operation: Import Asset
Parameter | Description |
---|---|
Import Type | Type of import using which you want to import assets into Nozomi Networks Guardian. You can choose from the following options: JSON or CSV. If you choose 'JSON', then you must specify the following parameter: |
The output contains the following populated JSON schema:
{
"result": "",
"error": ""
}
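The match-on-IP behaviour described for Import Asset (imported information affects the nodes whose IP matches the record's IP field; when nothing matches, a new node is created), as an added example that is neither the connector's nor Guardian's own code. It accepts both import types named on the page, JSON and CSV. The key and column names `ip`, `label`, `vendor` and `type`, the inventory and the payloads are all constructed assumptions.

```python
"""Match-on-IP semantics of the 'Import Asset' operation.

Added example, not the connector's or Guardian's own code. It models the
documented behaviour: imported information enriches the nodes whose IP
matches the record's IP field, and a new node is created when nothing
matches. Field names and data are constructed assumptions.
"""
import csv
import io
import json

# Constructed inventory, shaped loosely like the 'Get Nodes' output
INVENTORY = [
    {"id": "n1", "ip": "10.0.0.5", "label": "plc-01", "vendor": "", "type": ""},
    {"id": "n2", "ip": "10.0.0.9", "label": "hmi-01", "vendor": "ExampleCo", "type": "HMI"},
]

# Constructed import payloads carrying the same two records in both formats
CSV_IMPORT = "ip,label,vendor,type\n10.0.0.5,,ExampleCo,PLC\n10.0.1.20,eng-ws,,workstation\n"
JSON_IMPORT = json.dumps([
    {"ip": "10.0.0.5", "vendor": "ExampleCo", "type": "PLC"},
    {"ip": "10.0.1.20", "label": "eng-ws", "type": "workstation"},
])


def parse_import(payload, import_type):
    """Parse a JSON array or a CSV document into a list of asset dicts."""
    if import_type == "JSON":
        records = json.loads(payload)
        if not isinstance(records, list):
            raise ValueError("JSON import must be an array of asset objects")
        return records
    if import_type == "CSV":
        return list(csv.DictReader(io.StringIO(payload)))
    raise ValueError("Import Type must be 'JSON' or 'CSV'")


def import_assets(inventory, records):
    """Apply records to inventory: enrich nodes whose IP matches, create the rest.

    Returns (inventory, updated_count, created_count). Empty values in a record
    never overwrite existing data, so a partial CSV row only adds information.
    """
    by_ip = {node["ip"]: node for node in inventory}
    updated = created = 0
    for rec in records:
        ip = (rec.get("ip") or "").strip()
        if not ip:
            raise ValueError("each imported asset needs an 'ip' field to match on")
        fields = {k: v for k, v in rec.items() if k != "ip" and v not in (None, "")}
        node = by_ip.get(ip)
        if node is None:
            node = {"id": f"new-{len(inventory) + 1}", "ip": ip,
                    "label": "", "vendor": "", "type": ""}
            inventory.append(node)
            by_ip[ip] = node
            created += 1
        else:
            updated += 1
        node.update(fields)
    return inventory, updated, created


def run_import(payload, import_type, inventory=None):
    """Parse the payload, then apply it to a copy of the given (or sample) inventory."""
    inv = [dict(n) for n in (INVENTORY if inventory is None else inventory)]
    return import_assets(inv, parse_import(payload, import_type))


if __name__ == "__main__":
    inventory, updated, created = run_import(CSV_IMPORT, "CSV")
    print(f"updated={updated} created={created}")
    for node in inventory:
        print(node)
```

Because a matching IP causes enrichment of an existing node rather than a fresh record, a playbook that imports assets from an external inventory should validate the IP column before the step runs; a wrong IP silently re-labels the wrong node instead of failing.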
Operation: Get Appliances
Parameter | Description |
---|---|
Search Query | (Optional) Query to use to search for and retrieve appliances from the Nozomi Networks Guardian server, for example `| head 2`. |
The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": []
}
Operation: Get Assertions
Parameter | Description |
---|---|
Search Query | (Optional) Query to use to search for and retrieve assertions from the Nozomi Networks Guardian server, for example `| head 2`. |
The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": []
}
Operation: Get Captured Logs
Parameter | Description |
---|---|
Search Query | (Optional) Query to use to search for and retrieve captured logs from the Nozomi Networks Guardian server, for example `| head 2`. |
The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": []
}
Operation: Get Captured URLs
Parameter | Description |
---|---|
Search Query | (Optional) Query to use to search for and retrieve captured URLs from the Nozomi Networks Guardian server, for example `| head 2`. |
The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": []
}
Operation: Get Function Codes
Parameter | Description |
---|---|
Search Query | (Optional) Query to use to search for and retrieve function codes from the Nozomi Networks Guardian server, for example `| head 2`. |
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"protocol": "",
"fc": "",
"count": "",
"description": ""
}
],
"header": [],
"total": ""
}
Operation: Get Health Log
Parameter | Description |
---|---|
Search Query | (Optional) Query to use to search for and retrieve health logs from the Nozomi Networks Guardian server, for example `| head 2`. |
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"time": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"synchronized": "",
"info": {
"description": ""
},
"replicated": ""
}
],
"header": [],
"error": "",
"total": ""
}
Operation: Get Link Events
Parameter | Description |
---|---|
Search Query | (Optional) Query to use to search for and retrieve link events from the Nozomi Networks Guardian server, for example `| head 2`. |
The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": []
}
Operation: Get Links
Parameter | Description |
---|---|
Search Query | (Optional) Query to use to search for and retrieve links from the Nozomi Networks Guardian server, for example `| head 2`. |
The output contains the following populated JSON schema:
{
"result": [
{
"from": "",
"to": "",
"is_from_public": "",
"is_to_public": "",
"protocol": "",
"first_activity_time": "",
"last_activity_time": "",
"last_handshake_time": "",
"transport_protocols": [],
"tcp_handshaked_connections.total": "",
"tcp_handshaked_connections.last_5m": "",
"tcp_handshaked_connections.last_15m": "",
"tcp_handshaked_connections.last_30m": "",
"tcp_connection_attempts.total": "",
"tcp_connection_attempts.last_5m": "",
"tcp_connection_attempts.last_15m": "",
"tcp_connection_attempts.last_30m": "",
"transferred.packets": "",
"transferred.bytes": "",
"transferred.last_5m_bytes": "",
"transferred.last_15m_bytes": "",
"transferred.last_30m_bytes": "",
"transferred.smallest_packet_bytes": "",
"transferred.biggest_packet_bytes": "",
"transferred.avg_packet_bytes": "",
"tcp_retransmission.percent": "",
"tcp_retransmission.packets": "",
"tcp_retransmission.bytes": "",
"tcp_retransmission.last_5m_bytes": "",
"tcp_retransmission.last_15m_bytes": "",
"tcp_retransmission.last_30m_bytes": "",
"throughput_speed": "",
"is_learned": "",
"is_fully_learned": "",
"is_broadcast": "",
"has_confirmed_data": "",
"_can": {
"link_events": "",
"captured_urls": "",
"trace_requests": ""
},
"alerts": "",
"last_trace_request_time": "",
"_ports": [
{
"tcp": ""
}
],
"active_checks": [],
"_checks": {},
"function_codes": [],
"bpf_filter": "",
"from_zone": "",
"to_zone": ""
}
],
"header": [],
"total": ""
}
Operation: Get Node CPE Changes
Parameter | Description |
---|---|
Search Query | (Optional) Query to use to search for and retrieve node CPE changes from the Nozomi Networks Guardian server, for example `| head 2`. |
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"node_id": "",
"cpe": "",
"cpe_part": "",
"cpe_vendor": "",
"cpe_product": "",
"cpe_version": "",
"cpe_update": "",
"new_cpe": "",
"new_cpe_vendor": "",
"new_cpe_product": "",
"new_cpe_version": "",
"new_cpe_update": "",
"node_cpe_id": "",
"time": "",
"synchronized": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"human_cpe_vendor": "",
"human_cpe_product": "",
"new_human_cpe_vendor": "",
"new_human_cpe_product": "",
"human_cpe_version": "",
"human_cpe_update": "",
"new_human_cpe_version": "",
"new_human_cpe_update": "",
"likelihood": "",
"new_likelihood": "",
"replicated": "",
"cpe_edition": "",
"new_cpe_edition": "",
"human_cpe_edition": "",
"new_human_cpe_edition": ""
}
],
"header": [],
"error": "",
"total": ""
}
Operation: Get Node CPEs
Parameter | Description |
---|---|
Search Query | (Optional) Query to use to search for and retrieve node CPEs from the Nozomi Networks Guardian server, for example `| head 2`. |
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"node_id": "",
"cpe": "",
"cpe_part": "",
"cpe_vendor": "",
"cpe_product": "",
"cpe_version": "",
"cpe_update": "",
"time": "",
"synchronized": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"updated": "",
"cpe_translator": "",
"human_cpe_vendor": "",
"human_cpe_product": "",
"human_cpe_version": "",
"human_cpe_update": "",
"likelihood": "",
"replicated": "",
"cpe_edition": "",
"human_cpe_edition": "",
"unique_hw_id": "",
"deleted_at": "",
"asset_id": "",
"node_label": "",
"node_type": "",
"node_vendor": "",
"node_product_name": "",
"node_firmware_version": "",
"zone": "",
"node_os": ""
}
],
"header": [],
"error": "",
"total": ""
}
Operation: Get Node CVEs
Parameter | Description |
---|---|
Search Query | (Optional) Query to use to search for and retrieve node CVEs from the Nozomi Networks Guardian server, for example `| head 2`. |
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"node_id": "",
"cve": "",
"time": "",
"cwe_id": "",
"cwe_name": "",
"matching_cpes": [],
"likelihood": "",
"resolved": "",
"resolved_reason": "",
"resolved_source": "",
"installed_on": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"zone": "",
"asset_id": "",
"node_label": "",
"node_type": "",
"node_vendor": "",
"node_product_name": "",
"node_firmware_version": "",
"node_os": "",
"resolution_status": "",
"cve_summary": "",
"cve_references": [
{
"name": "",
"reference_type": "",
"source": "",
"url": ""
}
],
"cve_score": "",
"cve_creation_time": "",
"cve_update_time": "",
"cve_source": ""
}
],
"header": [],
"error": "",
"total": ""
}
Operation: Get Nodes
Parameter | Description |
---|---|
Search Query | (Optional) Query to use to search for and retrieve nodes from the Nozomi Networks Guardian server, for example `| head 2`. |
The output contains the following populated JSON schema:
{
"result": [
{
"appliance_host": "",
"label": "",
"id": "",
"_asset_kb_id": "",
"ip": "",
"mac_address": "",
"mac_address:info": {
"source": "",
"likelihood": "",
"likelihood_level": ""
},
"mac_vendor": "",
"_private_status": "",
"subnet": "",
"vlan_id": "",
"vlan_id:info": {
"source": ""
},
"zone": "",
"level": "",
"type": "",
"type:info": {
"source": ""
},
"os": "",
"os:info": {
"source": ""
},
"vendor": "",
"vendor:info": {
"source": ""
},
"product_name": "",
"product_name:info": {
"source": ""
},
"firmware_version": "",
"firmware_version:info": {
"source": ""
},
"serial_number": "",
"serial_number:info": {
"source": ""
},
"is_broadcast": "",
"is_public": "",
"fields": {},
"reputation": "",
"is_compromised": "",
"is_confirmed": "",
"is_learned": "",
"is_fully_learned": "",
"is_disabled": "",
"_is_licensed": "",
"roles": [],
"links": [
{
"id": "",
"protos": [
{
"name": "",
"last_activity": ""
}
]
}
],
"links_count": "",
"protocols": [],
"created_at": "",
"first_activity_time": "",
"last_activity_time": "",
"received.packets": "",
"received.bytes": "",
"received.last_5m_bytes": "",
"received.last_15m_bytes": "",
"received.last_30m_bytes": "",
"sent.packets": "",
"sent.bytes": "",
"sent.last_5m_bytes": "",
"sent.last_15m_bytes": "",
"sent.last_30m_bytes": "",
"tcp_retransmission.percent": "",
"tcp_retransmission.packets": "",
"tcp_retransmission.bytes": "",
"tcp_retransmission.last_5m_bytes": "",
"tcp_retransmission.last_15m_bytes": "",
"tcp_retransmission.last_30m_bytes": "",
"variables_count": "",
"device_id": "",
"properties": {},
"custom_fields": {},
"bpf_filter": "",
"device_modules": {},
"capture_device": ""
}
],
"header": [],
"total": ""
}
Operation: Get Sessions
Parameter | Description |
---|---|
Search Query | (Optional) Query to use to search for and retrieve sessions from the Nozomi Networks Guardian server, for example `| head 2`. |
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"status": "",
"direction_is_known": "",
"from": "",
"to": "",
"transport_protocol": "",
"from_zone": "",
"to_zone": "",
"from_port": "",
"to_port": "",
"protocol": "",
"vlan_id": "",
"transferred.packets": "",
"transferred.bytes": "",
"transferred.last_5m_bytes": "",
"transferred.last_15m_bytes": "",
"transferred.last_30m_bytes": "",
"transferred.smallest_packet_bytes": "",
"transferred.biggest_packet_bytes": "",
"transferred.avg_packet_bytes": "",
"throughput_speed": "",
"first_activity_time": "",
"last_activity_time": "",
"key": "",
"bpf_filter": ""
}
],
"header": [],
"total": ""
}
Operation: Get Sessions History
Parameter | Description |
---|---|
Search Query | (Optional) Query to use to search for and retrieve archived sessions from the Nozomi Networks Guardian server, for example `| head 2`. |
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"status": "",
"direction_is_known": "",
"from": "",
"to": "",
"transport_protocol": "",
"from_zone": "",
"to_zone": "",
"from_port": "",
"to_port": "",
"protocol": "",
"vlan_id": "",
"transferred.packets": "",
"transferred.bytes": "",
"transferred.last_5m_bytes": "",
"transferred.last_15m_bytes": "",
"transferred.last_30m_bytes": "",
"transferred.smallest_packet_bytes": "",
"transferred.biggest_packet_bytes": "",
"transferred.avg_packet_bytes": "",
"throughput_speed": "",
"first_activity_time": "",
"last_activity_time": "",
"key": "",
"bpf_filter": ""
}
],
"header": [],
"total": ""
}
Operation: Get Variable History
Parameter | Description |
---|---|
Search Query | (Optional) Query to use to search for and retrieve variable history from the Nozomi Networks Guardian server, for example `| head 2`. |
The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": []
}
Operation: Get Variables
Parameter | Description |
---|---|
Search Query | (Optional) Query to use to search for and retrieve variables from the Nozomi Networks Guardian server, for example `| head 2`. |
The output contains the following populated JSON schema:
{
"result": [
{
"var_key": "",
"host": "",
"host_label": "",
"RTU_ID": "",
"name": "",
"label": "",
"unit": "",
"scale": "",
"offset": "",
"type": "",
"is_numeric": "",
"min_value": "",
"max_value": "",
"value": "",
"last_value": "",
"last_value_is_valid": "",
"last_value_quality": [],
"last_cause": "",
"protocol": "",
"last_function_code_info": "",
"last_function_code": "",
"first_activity_time": "",
"last_range_change_time": "",
"last_activity_time": "",
"last_update_time": "",
"last_valid_quality_time": "",
"request_count": "",
"changes_count": "",
"last_client": "",
"history_status": "",
"active_checks": [],
"_checks": {},
"flow_status": "",
"flow_anomalies": "",
"flow_anomaly_in_progress": "",
"flow_hiccups_percent": "",
"flow_stats.avg": "",
"flow_stats.var": ""
}
],
"header": [],
"total": ""
}
Operation: Get Alert Acknowledgement Status
Parameter | Description |
---|---|
Job ID | Specify the ID of the alert acknowledgment job whose acknowledgment status you want to retrieve from Nozomi Networks Guardian. Note: You can retrieve the Job ID from the output of the 'Set Acknowledgment Status' operation. |
The output contains the following populated JSON schema:
{
"result": {
"status": ""
}
}
Operation: Set Acknowledgment Status
Parameter | Description |
---|---|
Alert IDs | List of comma-separated alert IDs whose acknowledgment status you want to set in Nozomi Networks Guardian. |
Acknowledgment Status | Select this checkbox to set the acknowledgment status of the specified alerts to 'Acknowledge', or clear this checkbox to set the acknowledgment status of the specified alerts to 'Unacknowledge' in Nozomi Networks Guardian. |
The output contains the following populated JSON schema:
{
"result": {
"id": ""
},
"error": ""
}
Operation: Run CLI
Parameter | Description |
---|---|
Command | Specify the CLI command that you want to run on Nozomi Networks Guardian. |
The output contains a non-dictionary value.
Operation: Create Indicator
Parameter | Description |
---|---|
Indicators | Specify a JSON array list of indicators from which you want to create threat intelligence indicators in Nozomi Networks Guardian. Each indicator must contain its name, threat type, and content. The threat type must be one of `packet_rules`, `yara_rules`, or `stix_indicators`. |
The output contains the following populated JSON schema:
{
"name": "",
"type": "",
"id": ""
}
Operation: Get All Indicators
Input parameters: None.
The output contains the following populated JSON schema:
{
"name": "",
"type": "",
"id": ""
}
Operation: Delete Indicator
Parameter | Description |
---|---|
Indicators | Specify a JSON array list of indicators that you want to delete from Nozomi Networks Guardian. Each indicator must contain its ID and threat type. The threat type must be one of `packet_rules`, `yara_rules`, or `stix_indicators`. |
The output contains the following populated JSON schema:
{
"id": "",
"type": ""
}
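Input-contract checks for the Indicators parameter of both Create Indicator and Delete Indicator, as an added example that is not connector code: the page states that create entries carry the name, threat type and content, that delete entries carry the ID and threat type, and that the threat type is one of `packet_rules`, `yara_rules` or `stix_indicators`. The JSON key names `name`, `threat_type`, `content` and `id` are assumptions, and the payloads are constructed.

```python
"""Validation of the JSON array passed to 'Create Indicator' / 'Delete Indicator'.

Added example, not connector code. Key names are assumptions; the page only
names the fields (name, threat type, content; ID, threat type) and the three
allowed threat types. Payloads below are constructed.
"""
import json

THREAT_TYPES = {"packet_rules", "yara_rules", "stix_indicators"}
CREATE_KEYS = ("name", "threat_type", "content")
DELETE_KEYS = ("id", "threat_type")


def _check_entries(payload, required):
    """Return a list of problems; an empty list means the payload is acceptable."""
    problems = []
    try:
        entries = json.loads(payload) if isinstance(payload, str) else payload
    except json.JSONDecodeError as exc:
        return [f"payload is not valid JSON: {exc.msg}"]
    if not isinstance(entries, list) or not entries:
        return ["payload must be a non-empty JSON array"]
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"entry {i}: not a JSON object")
            continue
        for key in required:
            if entry.get(key) in (None, ""):
                problems.append(f"entry {i}: missing '{key}'")
        threat_type = entry.get("threat_type")
        if threat_type and threat_type not in THREAT_TYPES:
            problems.append(
                f"entry {i}: threat_type must be one of {sorted(THREAT_TYPES)}")
    return problems


def validate_create_indicators(payload):
    """Check a Create Indicator payload: name, threat type and content per entry."""
    return _check_entries(payload, CREATE_KEYS)


def validate_delete_indicators(payload):
    """Check a Delete Indicator payload: ID and threat type per entry."""
    return _check_entries(payload, DELETE_KEYS)


# Constructed payloads
GOOD_CREATE = json.dumps([
    {"name": "example-yara", "threat_type": "yara_rules",
     "content": 'rule example_rule { strings: $a = "example" condition: $a }'},
])
BAD_CREATE = json.dumps([
    {"name": "no-content", "threat_type": "yara_rules"},
    {"name": "wrong-type", "threat_type": "ioc_rules", "content": "x"},
])
GOOD_DELETE = json.dumps([{"id": "12345", "threat_type": "packet_rules"}])

if __name__ == "__main__":
    for label, payload in (("good create", GOOD_CREATE), ("bad create", BAD_CREATE)):
        print(label, validate_create_indicators(payload) or "ok")
    print("good delete", validate_delete_indicators(GOOD_DELETE) or "ok")
```

Running a check like this in the playbook step before the connector call turns a malformed array into a clear error message instead of a partial import, which matters because a single bad entry in the array is otherwise hard to locate from the connector's `error` output.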
Operation: Fetch All Alerts
Parameter | Description |
---|---|
Start Time | Specify the starting DateTime to use to filter the alerts retrieved from Nozomi Networks Guardian. This parameter filters the result set to include only those items that were created after the specified timestamp. |
Search Query | (Optional) Query to use to search for and retrieve alerts from the Nozomi Networks Guardian server, for example `| head 2`. |
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"type_id": "",
"name": "",
"description": "",
"severity": "",
"mac_src": "",
"mac_dst": "",
"ip_src": "",
"ip_dst": "",
"risk": "",
"protocol": "",
"src_roles": "",
"dst_roles": "",
"time": "",
"ack": "",
"id_src": "",
"id_dst": "",
"synchronized": "",
"appliance_id": "",
"port_src": "",
"port_dst": "",
"label_src": "",
"label_dst": "",
"trigger_id": "",
"trigger_type": "",
"appliance_host": "",
"appliance_ip": "",
"transport_protocol": "",
"is_security": "",
"note": "",
"appliance_site": "",
"parents": [],
"is_incident": "",
"properties": {
"bad_actor": "",
"base_risk": "",
"is_dst_node_learned": "",
"is_dst_public": "",
"is_dst_reputation_bad": "",
"is_src_node_learned": "",
"is_src_public": "",
"is_src_reputation_bad": "",
"remediation_target": "",
"victims": [],
"mitre_attack/techniques": [
{
"technique": "",
"name": "",
"tactic": ""
}
]
},
"created_time": "",
"incident_keys": [],
"bpf_filter": "",
"closed_time": "",
"status": "",
"session_id": "",
"replicated": "",
"capture_device": "",
"threat_name": "",
"type_name": "",
"sec_profile_visible": "",
"zone_src": "",
"zone_dst": "",
"mitre_attack_techniques": "",
"mitre_attack_tactics": ""
}
],
"header": [],
"error": "",
"total": ""
}
The Sample - Nozomi Networks Guardian - 1.1.0 playbook collection comes bundled with the Nozomi Networks Guardian connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Nozomi Networks Guardian connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Nozomi Networks Guardian. Currently, "incidents" in Nozomi Networks Guardian are mapped to "incidents" in FortiSOAR™. An incident in Nozomi contains alerts, i.e., each alert in Nozomi carries an is_incident parameter that states whether that alert is part of an incident. If the alert is part of an incident, the is_incident parameter is set to "true" (else "false"). Therefore, when mapping incidents from Nozomi, i.e., when the is_incident parameter is set to "true", both an "Incident" record and the correlated "Alert" records are created in FortiSOAR™. If the is_incident parameter is set to "false", only alert records are created in FortiSOAR™.
Important: It is recommended that Data Ingestion of Nozomi Networks Guardian should be done with the default selected "Incidents" module. Selecting a module other than "Incidents" might cause the data ingestion to fail.
For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Nozomi Networks Guardian "incidents" to FortiSOAR™ "incidents".
The Data Ingestion Wizard enables you to configure the scheduled pulling of data from Nozomi Networks Guardian into FortiSOAR™. It also lets you pull some sample data from Nozomi Networks Guardian using which you can define the mapping of data between Nozomi Networks Guardian and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Nozomi Networks Guardian incident.
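The record-creation rule described above (is_incident true yields an Incident record plus correlated Alert records; is_incident false yields only an Alert record), as an added example that is neither the Data Ingestion Wizard's nor the connector's own code. Alerts are grouped into incidents by their incident_keys value, which is an assumption about how correlated alerts are tied together; the field mapping (id_src to Source IP, plus a few others) and the sample alerts are constructed.

```python
"""How ingested Nozomi alerts become FortiSOAR records.

Added example, not the Data Ingestion Wizard's or the connector's own code.
It models the documented rule: is_incident true -> Incident record plus
correlated Alert record; is_incident false -> Alert record only. Grouping
by incident_keys, the field mapping and the sample alerts are assumptions.
"""

# Constructed Nozomi alerts, using field names from the connector's alert schema
SAMPLE_ALERTS = [
    {"id": "a1", "name": "New node", "risk": 4, "id_src": "10.0.0.5",
     "id_dst": "10.0.0.9", "is_incident": True, "incident_keys": ["inc-1"]},
    {"id": "a2", "name": "Link change", "risk": 6, "id_src": "10.0.0.5",
     "id_dst": "10.0.0.12", "is_incident": True, "incident_keys": ["inc-1"]},
    {"id": "a3", "name": "Malformed packet", "risk": 2, "id_src": "10.0.1.3",
     "id_dst": "10.0.0.9", "is_incident": False, "incident_keys": []},
]

# Nozomi field -> FortiSOAR field (constructed; the Wizard pre-maps common fields)
FIELD_MAP = {"name": "Name", "risk": "Severity",
             "id_src": "Source IP", "id_dst": "Destination IP"}


def map_fields(alert):
    """Copy mapped keys into a FortiSOAR-style record and keep the Nozomi id."""
    record = {"Source ID": alert["id"]}
    for src, dst in FIELD_MAP.items():
        if src in alert:
            record[dst] = alert[src]
    return record


def plan_records(alerts):
    """Return {'alerts': [...], 'incidents': [...]} for the given Nozomi alerts."""
    alert_records = []
    incidents = {}
    for alert in alerts:
        alert_records.append(map_fields(alert))  # every alert becomes an Alert record
        if not alert.get("is_incident"):
            continue  # no Incident record for a stand-alone alert
        # Alerts sharing an incident key are correlated to one Incident record;
        # an incident-flagged alert without keys gets an incident of its own.
        keys = alert.get("incident_keys") or [alert["id"]]
        for key in keys:
            inc = incidents.setdefault(
                key, {"Incident Key": key, "Correlated Alerts": [], "Severity": 0})
            inc["Correlated Alerts"].append(alert["id"])
            inc["Severity"] = max(inc["Severity"], alert.get("risk", 0))
    return {"alerts": alert_records, "incidents": list(incidents.values())}


if __name__ == "__main__":
    plan = plan_records(SAMPLE_ALERTS)
    print(f"{len(plan['alerts'])} alert records, {len(plan['incidents'])} incident records")
    for inc in plan["incidents"]:
        print(inc)
```

The Severity of the Incident record is taken as the highest risk among its correlated alerts; that is one reasonable choice for a custom mapping, not something the page prescribes.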
The Field Mapping screen displays the Sample Data on the right side and the Field Mapping (FortiSOAR™ fields) on the left side. The sample data is in the form of Key-Value pairs. For example, to map the id_src parameter of a Nozomi Networks Guardian incident to the Source IP parameter of a FortiSOAR™ incident, click the Source IP field and then click the id_src field to populate its keys.
5, and in the minute box enter 0
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks.
This document provides information about the Nozomi Networks Guardian connector, which facilitates automated interactions, with your Nozomi Networks Guardian server using FortiSOAR™ playbooks. Add the Nozomi Networks Guardian connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving assets and alerts from Nozomi Networks Guardian, importing assets into Nozomi Networks Guardian, running a CLI command on Nozomi Networks Guardian, etc.
Use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents and alerts from Nozomi Networks Guardian. For more information, see the Data Ingestion Support section.
Connector Version: 1.1.0
Authored By: Fortinet
Nozomi Networks Guardian Version Tested On: 22.5.0-10040913_E7B69
Certified: Yes
The following enhancements have been made to the Nozomi Networks Guardian connector in version 1.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root
user to install connectors from an SSH session:
yum install cyops-connector-nozomi-networks-guardian
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Nozomi Networks Guardian connector card. On the connector popup, click the Configurations tab to enter the required configuration details.
Parameter | Description |
---|---|
Server URL | URL of the Nozomi Networks Guardian server to which you will connect and perform automated operations. |
Username | Username to access the Nozomi Networks Guardian server to which you will connect and perform automated operations. |
Password | Password to access the Nozomi Networks Guardian server to which you will connect and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access these operations from FortiSOAR™:
Function | Description | Annotation and Category |
---|---|---|
Get Alerts List | Retrieves all alerts or specific alerts from Nozomi Networks Guardian based on the search query and other input parameters you have specified. | get_alerts Investigation |
Get Alert Trace | Retrieves information about a specific alert from Nozomi Networks Guardian based on the alert ID that you have specified. | get_alert_details Investigation |
Get Assets | Retrieves all assets or specific assets from Nozomi Networks Guardian based on the search query and other input parameters you have specified. | get_assets Investigation |
Import Asset | Imports assets into Nozomi Networks Guardian allowing you to enrich information associated with nodes. The information that you provide affects the nodes that match the specified IP field value. If there are no matches, then new nodes are created. | import_asset Investigation |
Get Appliances | Retrieves all appliances, or appliances based on the search query you have specified, from Nozomi Networks Guardian. | get_appliances Investigation |
Get Assertions | Retrieves all assertions, or assertions based on the search query you have specified, from Nozomi Networks Guardian. | get_assertions Investigation |
Get Captured Logs | Retrieves all captured logs, or captured logs based on the search query you have specified, from Nozomi Networks Guardian. | get_captured_logs Investigation |
Get Captured URLs | Retrieves all captured URLs, or captured URLs based on the search query you have specified, from Nozomi Networks Guardian. | get_captured_urls Investigation |
Get Function Codes | Retrieves all function codes, or function codes based on the search query you have specified, from Nozomi Networks Guardian. | get_function_codes Investigation |
Get Health Log | Retrieves all health logs, or health logs based on the search query you have specified, from Nozomi Networks Guardian. | get_health_log Investigation |
Get Link Events | Retrieves all link events, or link events based on the search query you have specified, from Nozomi Networks Guardian. | get_link_events Investigation |
Get Links | Retrieves all links, or links based on the search query you have specified, from Nozomi Networks Guardian. | get_links Investigation |
Get Node CPE Changes | Retrieves all node CPE changes, or node CPE changes based on the search query you have specified, from Nozomi Networks Guardian. | get_node_cpe_changes Investigation |
Get Node CPEs | Retrieves all node CPEs, or node CPEs based on the search query you have specified, from Nozomi Networks Guardian. | get_node_cpes Investigation |
Get Node CVEs | Retrieves all node CVEs, or node CVEs based on the search query you have specified, from Nozomi Networks Guardian. | get_node_cves Investigation |
Get Nodes | Retrieves all nodes, or nodes based on the search query you have specified, from Nozomi Networks Guardian. | get_nodes Investigation |
Get Sessions | Retrieves all sessions, or sessions based on the search query you have specified, from Nozomi Networks Guardian. | get_sessions Investigation |
Get Sessions History | Retrieves all archived sessions, or archived sessions based on the search query you have specified, from Nozomi Networks Guardian. | get_sessions_history Investigation |
Get Variable History | Retrieves all variable history, or variable history based on the search query you have specified, from Nozomi Networks Guardian. | get_variable_history Investigation |
Get Variables | Retrieves all variables, or variables based on the search query you have specified, from Nozomi Networks Guardian. | get_variables Investigation |
Get Alert Acknowledgement Status | Retrieves all alert acknowledgment statuses from Nozomi Networks Guardian based on the job ID you have specified. | get_alert_ack_status Investigation |
Set Acknowledgment Status | Sets the alert status to Acknowledge or Unacknowledge in Nozomi Networks Guardian based on the alert IDs you have specified. | set_alert_ack Investigation |
Run CLI | Runs the specified CLI command on Nozomi Networks Guardian. | run_cli Investigation |
Fetch All Alerts | Retrieves all alerts, or specific alerts from Nozomi Networks Guardian based on the start DateTime and, optionally, the search query you have specified. Note: This operation is used while running Data Ingestion. | fetch_alerts Investigation |
Create Indicator | Creates a threat intelligence indicator in Nozomi Networks Guardian based on the JSON array list of indicators you have specified. The JSON array must contain the name, threat type, and content of the indicator. | create_threat_intelligence_indicator Investigation |
Get All Indicators | Retrieves all threat intelligence indicators from Nozomi Networks Guardian. | get_all_threat_intelligence_indicators Investigation |
Delete Indicator | Deletes a threat intelligence indicator from Nozomi Networks Guardian based on the JSON array list of indicators you have specified. The JSON array must contain the ID and threat type of the indicator. | delete_threat_intelligence_indicator Investigation |
Operation: Get Alerts List
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list of alerts is returned.
Parameter | Description |
---|---|
Appliance ID | Specify the ID of the appliance from which you want to retrieve alerts from Nozomi Networks Guardian. |
Start Time | Specify the starting DateTime from which alerts are retrieved from Nozomi Networks Guardian. This parameter filters the result set to include only those alerts that were created after the specified timestamp. |
Risk Level | Specify the risk level (0-10) to retrieve only those alerts from Nozomi Networks Guardian whose risk level is equal to or above the specified value. |
Max Alerts | Specify the maximum number of alerts that you want this operation to return in the response. |
Status | Specify the status of the alert to retrieve only those alerts from Nozomi Networks Guardian whose status matches the specified value. |
Alert Type | Specify the type of the alert to retrieve only those alerts from Nozomi Networks Guardian whose type matches the specified value. |
Is Incident | Select this option, i.e., set it to 'true', if you want to retrieve only those alerts from Nozomi Networks Guardian that are part of an incident. By default, this option is cleared, i.e., set to 'false'. |
Search Query | (Optional) Query used to search for and retrieve alerts from Nozomi Networks Guardian. For example, \| group_by type_id |
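As an added example (not code from the connector or from Fortinet), the following Python builds the N2QL query that these parameters imply and applies the same filter semantics to constructed sample records, so the "equal to or above" risk rule, the "created after" time rule, and the Max Alerts cap can be checked locally before a playbook is wired up. Only the `| head` and `| group_by` operators appear on this page; the `where` stages, the field names they compare, and the treatment of the alert `time` field as epoch milliseconds are assumptions of this example.

```python
from datetime import datetime
from typing import Any, Dict, List, Optional

# Constructed sample records in the shape of the Get Alerts List output
# schema; not real Guardian data. `time` is treated as epoch milliseconds,
# which is an assumption about the Guardian time field.
SAMPLE_ALERTS: List[Dict[str, Any]] = [
    {"id": "a1", "risk": 9.0, "status": "open", "type_id": "TYPE:A",
     "is_incident": True, "appliance_id": 1, "time": 1700000300000},
    {"id": "a2", "risk": 4.0, "status": "open", "type_id": "TYPE:B",
     "is_incident": False, "appliance_id": 1, "time": 1700000200000},
    {"id": "a3", "risk": 7.0, "status": "closed", "type_id": "TYPE:A",
     "is_incident": True, "appliance_id": 2, "time": 1700000100000},
    {"id": "a4", "risk": 8.0, "status": "open", "type_id": "TYPE:A",
     "is_incident": False, "appliance_id": 1, "time": 1699999000000},
]


def iso_to_epoch_ms(value: str) -> int:
    """Convert an ISO-8601 DateTime (e.g. 2023-11-14T22:13:20Z) to epoch milliseconds."""
    return int(datetime.fromisoformat(value.replace("Z", "+00:00")).timestamp() * 1000)


def build_alerts_query(appliance_id: Optional[int] = None,
                       start_time: Optional[str] = None,
                       risk_level: Optional[float] = None,
                       status: Optional[str] = None,
                       alert_type: Optional[str] = None,
                       is_incident: bool = False,
                       max_alerts: Optional[int] = None,
                       search_query: Optional[str] = None) -> str:
    """Assemble one N2QL pipeline from the Get Alerts List parameters.

    The `where` stages and the field names they compare are assumed N2QL syntax;
    only `head` and `group_by` are shown on the page. `head` is appended last so
    that Max Alerts caps whatever the user's own search query produces.
    """
    stages = ["alerts"]
    if appliance_id is not None:
        stages.append(f"where appliance_id == {appliance_id}")
    if start_time:
        stages.append(f"where time > {iso_to_epoch_ms(start_time)}")  # created after
    if risk_level is not None:
        stages.append(f"where risk >= {risk_level}")  # equal to or above
    if status:
        stages.append(f"where status == {status}")
    if alert_type:
        stages.append(f"where type_id == {alert_type}")
    if is_incident:
        stages.append("where is_incident == true")
    if search_query:
        # Accept either "| head 2" or "head 2" from the Search Query parameter.
        stages.append(search_query.strip().lstrip("|").strip())
    if max_alerts is not None:
        stages.append(f"head {max_alerts}")
    return " | ".join(stages)


def filter_alerts(alerts: List[Dict[str, Any]], appliance_id: Optional[int] = None,
                  start_time: Optional[str] = None, risk_level: Optional[float] = None,
                  status: Optional[str] = None, alert_type: Optional[str] = None,
                  is_incident: bool = False, max_alerts: Optional[int] = None) -> List[Dict[str, Any]]:
    """Apply the same semantics locally, e.g. to sanity-check a query against sample data."""
    start_ms = iso_to_epoch_ms(start_time) if start_time else None
    selected: List[Dict[str, Any]] = []
    for alert in alerts:
        if appliance_id is not None and alert["appliance_id"] != appliance_id:
            continue
        if start_ms is not None and alert["time"] <= start_ms:
            continue
        if risk_level is not None and alert["risk"] < risk_level:
            continue
        if status and alert["status"] != status:
            continue
        if alert_type and alert["type_id"] != alert_type:
            continue
        if is_incident and not alert["is_incident"]:
            continue
        selected.append(alert)
        if max_alerts is not None and len(selected) >= max_alerts:
            break
    return selected
```

Running `filter_alerts(SAMPLE_ALERTS, start_time="2023-11-14T22:13:20Z", risk_level=5, status="open")` keeps only `a1`: `a2` is below the risk threshold, `a3` is closed, and `a4` was created before the start time.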
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"type_id": "",
"name": "",
"description": "",
"severity": "",
"mac_src": "",
"mac_dst": "",
"ip_src": "",
"ip_dst": "",
"risk": "",
"protocol": "",
"src_roles": "",
"dst_roles": "",
"time": "",
"ack": "",
"id_src": "",
"id_dst": "",
"synchronized": "",
"appliance_id": "",
"port_src": "",
"port_dst": "",
"label_src": "",
"label_dst": "",
"trigger_id": "",
"trigger_type": "",
"appliance_host": "",
"appliance_ip": "",
"transport_protocol": "",
"is_security": "",
"note": "",
"appliance_site": "",
"parents": [],
"is_incident": "",
"properties": {
"bad_actor": "",
"base_risk": "",
"is_dst_node_learned": "",
"is_dst_public": "",
"is_dst_reputation_bad": "",
"is_src_node_learned": "",
"is_src_public": "",
"is_src_reputation_bad": "",
"remediation_target": "",
"victims": [],
"mitre_attack/techniques": [
{
"technique": "",
"name": "",
"tactic": ""
}
]
},
"created_time": "",
"incident_keys": [],
"bpf_filter": "",
"closed_time": "",
"status": "",
"session_id": "",
"replicated": "",
"capture_device": "",
"threat_name": "",
"type_name": "",
"sec_profile_visible": "",
"zone_src": "",
"zone_dst": "",
"mitre_attack_techniques": "",
"mitre_attack_tactics": ""
}
],
"header": [],
"error": "",
"total": ""
}
Operation: Get Alert Trace
Parameter | Description |
---|---|
Alert ID | Specify the ID of the alert whose information you want to retrieve from Nozomi Networks Guardian. |
The output contains the following populated JSON schema:
{
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"size": "",
"uuid": "",
"@type": "",
"assignee": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"uuid": "",
"@type": "",
"tasks": [],
"alerts": [],
"assets": [],
"owners": [],
"people": [],
"@context": "",
"assignee": "",
"comments": [],
"warrooms": [],
"incidents": [],
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"indicators": [],
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": [],
"userOwners": [],
"description": ""
}
Operation: Get Assets
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list of assets is returned.
Parameter | Description |
---|---|
Appliance ID | Specify the ID of the appliance from which you want to retrieve assets from Nozomi Networks Guardian. |
Level | Specify the level (0-4) to retrieve only those assets from Nozomi Networks Guardian whose level is equal to the specified value. |
Asset Type | Specify the type of the asset to retrieve only those assets from Nozomi Networks Guardian whose type matches the specified value. |
Max Assets | Specify the maximum number of assets that you want this operation to return in the response. |
Search Query | Query used to search for and retrieve assets from the Nozomi Networks Guardian server. For example, \| head 2 |
The output contains the following populated JSON schema:
{
"result": [
{
"name": "",
"level": "",
"id": "",
"appliance_hosts": [],
"capture_device": "",
"ip": [],
"mac_address": [],
"mac_address_level": {},
"vlan_id": [],
"mac_vendor": [],
"os": "",
"roles": [],
"vendor": "",
"_asset_kb_id": "",
"vendor:info": {
"source": ""
},
"firmware_version": "",
"firmware_version:info": {
"source": ""
},
"os_or_firmware": "",
"serial_number": "",
"serial_number:info": {
"source": ""
},
"product_name": "",
"product_name:info": {
"source": ""
},
"type": "",
"type:info": {
"source": ""
},
"protocols": [],
"nodes": [],
"zones": [],
"custom_fields": {},
"fields": {},
"created_at": "",
"last_activity_time": "",
"device_id": ""
}
],
"header": [],
"error": "",
"total": ""
}
Operation: Import Asset
Parameter | Description |
---|---|
Import Type | Type of import using which you want to import assets into Nozomi Networks Guardian. You can choose from the following options: JSON or CSV. If you choose 'JSON', then you must specify the following parameter: |
The output contains the following populated JSON schema:
{
"result": "",
"error": ""
}
Operation: Get Appliances
Parameter | Description |
---|---|
Search Query | (Optional) Query used to search for and retrieve appliances from the Nozomi Networks Guardian server. For example, \| head 2 |
The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": []
}
Operation: Get Assertions
Parameter | Description |
---|---|
Search Query | (Optional) Query used to search for and retrieve assertions from the Nozomi Networks Guardian server. For example, \| head 2 |
The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": []
}
Operation: Get Captured Logs
Parameter | Description |
---|---|
Search Query | (Optional) Query used to search for and retrieve captured logs from the Nozomi Networks Guardian server. For example, \| head 2 |
The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": []
}
Operation: Get Captured URLs
Parameter | Description |
---|---|
Search Query | (Optional) Query used to search for and retrieve captured URLs from the Nozomi Networks Guardian server. For example, \| head 2 |
The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": []
}
Operation: Get Function Codes
Parameter | Description |
---|---|
Search Query | (Optional) Query used to search for and retrieve function codes from the Nozomi Networks Guardian server. For example, \| head 2 |
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"protocol": "",
"fc": "",
"count": "",
"description": ""
}
],
"header": [],
"total": ""
}
Operation: Get Health Log
Parameter | Description |
---|---|
Search Query | (Optional) Query used to search for and retrieve health logs from the Nozomi Networks Guardian server. For example, \| head 2 |
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"time": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"synchronized": "",
"info": {
"description": ""
},
"replicated": ""
}
],
"header": [],
"error": "",
"total": ""
}
Operation: Get Link Events
Parameter | Description |
---|---|
Search Query | (Optional) Query used to search for and retrieve link events from the Nozomi Networks Guardian server. For example, \| head 2 |
The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": []
}
Operation: Get Links
Parameter | Description |
---|---|
Search Query | (Optional) Query used to search for and retrieve links from the Nozomi Networks Guardian server. For example, \| head 2 |
The output contains the following populated JSON schema:
{
"result": [
{
"from": "",
"to": "",
"is_from_public": "",
"is_to_public": "",
"protocol": "",
"first_activity_time": "",
"last_activity_time": "",
"last_handshake_time": "",
"transport_protocols": [],
"tcp_handshaked_connections.total": "",
"tcp_handshaked_connections.last_5m": "",
"tcp_handshaked_connections.last_15m": "",
"tcp_handshaked_connections.last_30m": "",
"tcp_connection_attempts.total": "",
"tcp_connection_attempts.last_5m": "",
"tcp_connection_attempts.last_15m": "",
"tcp_connection_attempts.last_30m": "",
"transferred.packets": "",
"transferred.bytes": "",
"transferred.last_5m_bytes": "",
"transferred.last_15m_bytes": "",
"transferred.last_30m_bytes": "",
"transferred.smallest_packet_bytes": "",
"transferred.biggest_packet_bytes": "",
"transferred.avg_packet_bytes": "",
"tcp_retransmission.percent": "",
"tcp_retransmission.packets": "",
"tcp_retransmission.bytes": "",
"tcp_retransmission.last_5m_bytes": "",
"tcp_retransmission.last_15m_bytes": "",
"tcp_retransmission.last_30m_bytes": "",
"throughput_speed": "",
"is_learned": "",
"is_fully_learned": "",
"is_broadcast": "",
"has_confirmed_data": "",
"_can": {
"link_events": "",
"captured_urls": "",
"trace_requests": ""
},
"alerts": "",
"last_trace_request_time": "",
"_ports": [
{
"tcp": ""
}
],
"active_checks": [],
"_checks": {},
"function_codes": [],
"bpf_filter": "",
"from_zone": "",
"to_zone": ""
}
],
"header": [],
"total": ""
}
Operation: Get Node CPE Changes
Parameter | Description |
---|---|
Search Query | (Optional) Query used to search for and retrieve node CPE changes from the Nozomi Networks Guardian server. For example, \| head 2 |
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"node_id": "",
"cpe": "",
"cpe_part": "",
"cpe_vendor": "",
"cpe_product": "",
"cpe_version": "",
"cpe_update": "",
"new_cpe": "",
"new_cpe_vendor": "",
"new_cpe_product": "",
"new_cpe_version": "",
"new_cpe_update": "",
"node_cpe_id": "",
"time": "",
"synchronized": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"human_cpe_vendor": "",
"human_cpe_product": "",
"new_human_cpe_vendor": "",
"new_human_cpe_product": "",
"human_cpe_version": "",
"human_cpe_update": "",
"new_human_cpe_version": "",
"new_human_cpe_update": "",
"likelihood": "",
"new_likelihood": "",
"replicated": "",
"cpe_edition": "",
"new_cpe_edition": "",
"human_cpe_edition": "",
"new_human_cpe_edition": ""
}
],
"header": [],
"error": "",
"total": ""
}
Operation: Get Node CPEs
Parameter | Description |
---|---|
Search Query | (Optional) Query used to search for and retrieve node CPEs from the Nozomi Networks Guardian server. For example, \| head 2 |
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"node_id": "",
"cpe": "",
"cpe_part": "",
"cpe_vendor": "",
"cpe_product": "",
"cpe_version": "",
"cpe_update": "",
"time": "",
"synchronized": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"updated": "",
"cpe_translator": "",
"human_cpe_vendor": "",
"human_cpe_product": "",
"human_cpe_version": "",
"human_cpe_update": "",
"likelihood": "",
"replicated": "",
"cpe_edition": "",
"human_cpe_edition": "",
"unique_hw_id": "",
"deleted_at": "",
"asset_id": "",
"node_label": "",
"node_type": "",
"node_vendor": "",
"node_product_name": "",
"node_firmware_version": "",
"zone": "",
"node_os": ""
}
],
"header": [],
"error": "",
"total": ""
}
Operation: Get Node CVEs
Parameter | Description |
---|---|
Search Query | (Optional) Query used to search for and retrieve node CVEs from the Nozomi Networks Guardian server. For example, \| head 2 |
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"node_id": "",
"cve": "",
"time": "",
"cwe_id": "",
"cwe_name": "",
"matching_cpes": [],
"likelihood": "",
"resolved": "",
"resolved_reason": "",
"resolved_source": "",
"installed_on": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"zone": "",
"asset_id": "",
"node_label": "",
"node_type": "",
"node_vendor": "",
"node_product_name": "",
"node_firmware_version": "",
"node_os": "",
"resolution_status": "",
"cve_summary": "",
"cve_references": [
{
"name": "",
"reference_type": "",
"source": "",
"url": ""
}
],
"cve_score": "",
"cve_creation_time": "",
"cve_update_time": "",
"cve_source": ""
}
],
"header": [],
"error": "",
"total": ""
}
Operation: Get Nodes
Parameter | Description |
---|---|
Search Query | (Optional) Query used to search for and retrieve nodes from the Nozomi Networks Guardian server. For example, \| head 2 |
The output contains the following populated JSON schema:
{
"result": [
{
"appliance_host": "",
"label": "",
"id": "",
"_asset_kb_id": "",
"ip": "",
"mac_address": "",
"mac_address:info": {
"source": "",
"likelihood": "",
"likelihood_level": ""
},
"mac_vendor": "",
"_private_status": "",
"subnet": "",
"vlan_id": "",
"vlan_id:info": {
"source": ""
},
"zone": "",
"level": "",
"type": "",
"type:info": {
"source": ""
},
"os": "",
"os:info": {
"source": ""
},
"vendor": "",
"vendor:info": {
"source": ""
},
"product_name": "",
"product_name:info": {
"source": ""
},
"firmware_version": "",
"firmware_version:info": {
"source": ""
},
"serial_number": "",
"serial_number:info": {
"source": ""
},
"is_broadcast": "",
"is_public": "",
"fields": {},
"reputation": "",
"is_compromised": "",
"is_confirmed": "",
"is_learned": "",
"is_fully_learned": "",
"is_disabled": "",
"_is_licensed": "",
"roles": [],
"links": [
{
"id": "",
"protos": [
{
"name": "",
"last_activity": ""
}
]
}
],
"links_count": "",
"protocols": [],
"created_at": "",
"first_activity_time": "",
"last_activity_time": "",
"received.packets": "",
"received.bytes": "",
"received.last_5m_bytes": "",
"received.last_15m_bytes": "",
"received.last_30m_bytes": "",
"sent.packets": "",
"sent.bytes": "",
"sent.last_5m_bytes": "",
"sent.last_15m_bytes": "",
"sent.last_30m_bytes": "",
"tcp_retransmission.percent": "",
"tcp_retransmission.packets": "",
"tcp_retransmission.bytes": "",
"tcp_retransmission.last_5m_bytes": "",
"tcp_retransmission.last_15m_bytes": "",
"tcp_retransmission.last_30m_bytes": "",
"variables_count": "",
"device_id": "",
"properties": {},
"custom_fields": {},
"bpf_filter": "",
"device_modules": {},
"capture_device": ""
}
],
"header": [],
"total": ""
}
Operation: Get Sessions
Parameter | Description |
---|---|
Search Query | (Optional) Query used to search for and retrieve sessions from the Nozomi Networks Guardian server. For example, \| head 2 |
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"status": "",
"direction_is_known": "",
"from": "",
"to": "",
"transport_protocol": "",
"from_zone": "",
"to_zone": "",
"from_port": "",
"to_port": "",
"protocol": "",
"vlan_id": "",
"transferred.packets": "",
"transferred.bytes": "",
"transferred.last_5m_bytes": "",
"transferred.last_15m_bytes": "",
"transferred.last_30m_bytes": "",
"transferred.smallest_packet_bytes": "",
"transferred.biggest_packet_bytes": "",
"transferred.avg_packet_bytes": "",
"throughput_speed": "",
"first_activity_time": "",
"last_activity_time": "",
"key": "",
"bpf_filter": ""
}
],
"header": [],
"total": ""
}
Operation: Get Sessions History
Parameter | Description |
---|---|
Search Query | (Optional) Query used to search for and retrieve archived sessions from the Nozomi Networks Guardian server. For example, \| head 2 |
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"status": "",
"direction_is_known": "",
"from": "",
"to": "",
"transport_protocol": "",
"from_zone": "",
"to_zone": "",
"from_port": "",
"to_port": "",
"protocol": "",
"vlan_id": "",
"transferred.packets": "",
"transferred.bytes": "",
"transferred.last_5m_bytes": "",
"transferred.last_15m_bytes": "",
"transferred.last_30m_bytes": "",
"transferred.smallest_packet_bytes": "",
"transferred.biggest_packet_bytes": "",
"transferred.avg_packet_bytes": "",
"throughput_speed": "",
"first_activity_time": "",
"last_activity_time": "",
"key": "",
"bpf_filter": ""
}
],
"header": [],
"total": ""
}
Operation: Get Variable History
Parameter | Description |
---|---|
Search Query | (Optional) Query used to search for and retrieve variable history from the Nozomi Networks Guardian server. For example, \| head 2 |
The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": []
}
Operation: Get Variables
Parameter | Description |
---|---|
Search Query | (Optional) Query used to search for and retrieve variables from the Nozomi Networks Guardian server. For example, \| head 2 |
The output contains the following populated JSON schema:
{
"result": [
{
"var_key": "",
"host": "",
"host_label": "",
"RTU_ID": "",
"name": "",
"label": "",
"unit": "",
"scale": "",
"offset": "",
"type": "",
"is_numeric": "",
"min_value": "",
"max_value": "",
"value": "",
"last_value": "",
"last_value_is_valid": "",
"last_value_quality": [],
"last_cause": "",
"protocol": "",
"last_function_code_info": "",
"last_function_code": "",
"first_activity_time": "",
"last_range_change_time": "",
"last_activity_time": "",
"last_update_time": "",
"last_valid_quality_time": "",
"request_count": "",
"changes_count": "",
"last_client": "",
"history_status": "",
"active_checks": [],
"_checks": {},
"flow_status": "",
"flow_anomalies": "",
"flow_anomaly_in_progress": "",
"flow_hiccups_percent": "",
"flow_stats.avg": "",
"flow_stats.var": ""
}
],
"header": [],
"total": ""
}
Operation: Get Alert Acknowledgement Status
Parameter | Description |
---|---|
Job ID | Specify the ID of the alert acknowledgment job whose acknowledgment status you want to retrieve from Nozomi Networks Guardian. Note: You can retrieve the Job ID using the 'Set Acknowledgment Status' operation. |
The output contains the following populated JSON schema:
{
"result": {
"status": ""
}
}
Operation: Set Acknowledgment Status
Parameter | Description |
---|---|
Alert IDs | List of comma-separated alert IDs whose acknowledgment status you want to set in Nozomi Networks Guardian. |
Acknowledgment Status | Select this checkbox to set the acknowledgment status of the specified alerts to 'Acknowledge', or clear this checkbox to set the acknowledgment status of the specified alerts to 'Unacknowledge' in Nozomi Networks Guardian. |
The output contains the following populated JSON schema:
{
"result": {
"id": ""
},
"error": ""
}
Operation: Run CLI
Parameter | Description |
---|---|
Command | Specify the CLI command that you want to run on Nozomi Networks Guardian. |
The output contains a non-dictionary value.
Operation: Create Indicator
Parameter | Description |
---|---|
Indicators | Specify a JSON array list of indicators from which you want to create threat intelligence indicators in Nozomi Networks Guardian. Each indicator must carry a name, a threat type, and content. The threat type must be one of the following: packet_rules, yara_rules, or stix_indicators. |
The output contains the following populated JSON schema:
{
"name": "",
"type": "",
"id": ""
}
Operation: Get All Indicators
None (this operation takes no input parameters).
The output contains the following populated JSON schema:
{
"name": "",
"type": "",
"id": ""
}
Operation: Delete Indicator
Parameter | Description |
---|---|
Indicators | Specify a JSON array list of indicators that you want to delete from Nozomi Networks Guardian. Each indicator must carry an ID and a threat type. The threat type must be one of the following: packet_rules, yara_rules, or stix_indicators. |
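Because both Create Indicator and Delete Indicator take a JSON array whose items must carry specific fields and one of the three listed threat types, the following added Python example (not the connector's own code) validates such an array before it is handed to either operation, reporting per-item problems instead of failing the whole batch, and groups the surviving items by threat type. The exact JSON key names `threat_type`, `content`, and `id`, and the sample rule content, are assumptions of this example.

```python
import json
from collections import defaultdict
from typing import Any, Dict, List, Tuple, Union

# Threat types the page lists for Create Indicator and Delete Indicator.
THREAT_TYPES = {"packet_rules", "yara_rules", "stix_indicators"}

# Fields each action needs. The page names the fields (name, threat type and
# content for create; ID and threat type for delete); the exact JSON key
# names used here are an assumption of this example.
REQUIRED_KEYS = {
    "create": ("name", "threat_type", "content"),
    "delete": ("id", "threat_type"),
}

# Constructed example payloads; not taken from the page or from Guardian.
CREATE_PAYLOAD = json.dumps([
    {"name": "example-yara", "threat_type": "yara_rules",
     "content": 'rule example_rule { strings: $s = "EXAMPLE" condition: $s }'},
    {"name": "bad-type", "threat_type": "ioc_rules", "content": "..."},
    {"name": "no-content", "threat_type": "packet_rules"},
])
DELETE_PAYLOAD = json.dumps([
    {"id": "42", "threat_type": "stix_indicators"},
    {"threat_type": "packet_rules"},
])


def validate_indicators(payload: Union[str, List[Any]],
                        action: str) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Split a JSON-array payload into the items safe to send and per-item errors."""
    if action not in REQUIRED_KEYS:
        raise ValueError(f"unknown action {action!r}")
    if isinstance(payload, str):
        try:
            items = json.loads(payload)
        except json.JSONDecodeError as exc:
            return [], [f"payload is not valid JSON: {exc}"]
    else:
        items = payload
    if not isinstance(items, list):
        return [], ["payload must be a JSON array"]

    valid: List[Dict[str, Any]] = []
    errors: List[str] = []
    for index, item in enumerate(items):
        if not isinstance(item, dict):
            errors.append(f"item {index}: not a JSON object")
            continue
        missing = [key for key in REQUIRED_KEYS[action] if not item.get(key)]
        if missing:
            errors.append(f"item {index}: missing {', '.join(missing)}")
            continue
        if item["threat_type"] not in THREAT_TYPES:
            errors.append(f"item {index}: threat_type {item['threat_type']!r} "
                          f"is not one of {sorted(THREAT_TYPES)}")
            continue
        valid.append(item)
    return valid, errors


def group_by_threat_type(items: List[Dict[str, Any]]) -> Dict[str, List[Dict[str, Any]]]:
    """Batch validated items per threat type, so each batch targets one rule set."""
    groups: Dict[str, List[Dict[str, Any]]] = defaultdict(list)
    for item in items:
        groups[item["threat_type"]].append(item)
    return dict(groups)
```

With the constructed `CREATE_PAYLOAD`, only the YARA item passes; the other two are reported as an unknown threat type and a missing content field.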
The output contains the following populated JSON schema:
{
"id": "",
"type": ""
}
Operation: Fetch All Alerts
Parameter | Description |
---|---|
Start Time | Specify the starting DateTime from which alerts are retrieved from Nozomi Networks Guardian. This parameter filters the result set to include only those alerts that were created after the specified timestamp. |
Search Query | (Optional) Query used to search for and retrieve alerts from the Nozomi Networks Guardian server. For example, \| head 2 |
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"type_id": "",
"name": "",
"description": "",
"severity": "",
"mac_src": "",
"mac_dst": "",
"ip_src": "",
"ip_dst": "",
"risk": "",
"protocol": "",
"src_roles": "",
"dst_roles": "",
"time": "",
"ack": "",
"id_src": "",
"id_dst": "",
"synchronized": "",
"appliance_id": "",
"port_src": "",
"port_dst": "",
"label_src": "",
"label_dst": "",
"trigger_id": "",
"trigger_type": "",
"appliance_host": "",
"appliance_ip": "",
"transport_protocol": "",
"is_security": "",
"note": "",
"appliance_site": "",
"parents": [],
"is_incident": "",
"properties": {
"bad_actor": "",
"base_risk": "",
"is_dst_node_learned": "",
"is_dst_public": "",
"is_dst_reputation_bad": "",
"is_src_node_learned": "",
"is_src_public": "",
"is_src_reputation_bad": "",
"remediation_target": "",
"victims": [],
"mitre_attack/techniques": [
{
"technique": "",
"name": "",
"tactic": ""
}
]
},
"created_time": "",
"incident_keys": [],
"bpf_filter": "",
"closed_time": "",
"status": "",
"session_id": "",
"replicated": "",
"capture_device": "",
"threat_name": "",
"type_name": "",
"sec_profile_visible": "",
"zone_src": "",
"zone_dst": "",
"mitre_attack_techniques": "",
"mitre_attack_tactics": ""
}
],
"header": [],
"error": "",
"total": ""
}
The Sample - Nozomi Networks Guardian - 1.1.0 playbook collection comes bundled with the Nozomi Networks Guardian connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Nozomi Networks Guardian connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Nozomi Networks Guardian. Currently, "incidents" in Nozomi Networks Guardian are mapped to "incidents" in FortiSOAR™. An incident in Nozomi contains alerts, i.e., each alert in Nozomi carries an is_incident parameter that states whether that alert is part of an incident. If the alert is part of an incident, the is_incident parameter is set to "true" (otherwise "false"). Therefore, when an alert whose is_incident parameter is set to "true" is mapped from Nozomi, both an "Incident" record and a correlated "Alert" record are created in FortiSOAR™. If the is_incident parameter is set to "false", then only an alert record is created in FortiSOAR™.
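The routing rule above, as an added Python example that is not part of the connector: every Guardian alert becomes an Alert record, and alerts flagged is_incident "true" additionally create or join an Incident record that correlates them, so one Guardian incident with several alerts yields one Incident and several linked Alerts rather than one Incident per alert. The FortiSOAR field names used for the mapped record, and the use of incident_keys to group alerts under one incident, are assumptions of this example; the sample alerts are constructed.

```python
from typing import Any, Dict, List, Tuple

# Constructed Guardian alerts in the shape of the Fetch All Alerts output
# schema; not real data. `is_incident` is delivered as the strings
# "true"/"false", as the page describes.
SAMPLE_INGEST_ALERTS: List[Dict[str, Any]] = [
    {"id": "al-1", "name": "Example alert 1", "risk": 8.0, "ip_src": "10.0.0.5",
     "ip_dst": "10.0.0.9", "type_id": "TYPE:A", "is_incident": "true",
     "incident_keys": ["inc-100"]},
    {"id": "al-2", "name": "Example alert 2", "risk": 6.0, "ip_src": "10.0.0.7",
     "ip_dst": "10.0.0.9", "type_id": "TYPE:B", "is_incident": "true",
     "incident_keys": ["inc-100"]},
    {"id": "al-3", "name": "Example alert 3", "risk": 3.0, "ip_src": "10.0.0.8",
     "ip_dst": "10.0.0.1", "type_id": "TYPE:C", "is_incident": "false",
     "incident_keys": []},
]


def is_true(value: Any) -> bool:
    """Accept real booleans as well as the "true"/"false" strings Guardian emits."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def map_alert(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Map the commonly pre-mapped Guardian fields into a FortiSOAR-style alert record.

    The target field names are this example's assumption about the Alerts module.
    """
    return {
        "name": alert["name"],
        "sourceId": alert["id"],
        "severity": alert["risk"],
        "sourceIp": alert["ip_src"],
        "destinationIp": alert["ip_dst"],
        "type": alert["type_id"],
    }


def ingest(alerts: List[Dict[str, Any]]) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
    """Return (incident_records, alert_records).

    Every alert becomes an Alert record. Alerts with is_incident "true" also
    create, or join, an Incident record that lists the correlated alert IDs and
    carries the highest risk among them.
    """
    alert_records: List[Dict[str, Any]] = []
    incidents: Dict[str, Dict[str, Any]] = {}
    for alert in alerts:
        record = map_alert(alert)
        alert_records.append(record)
        if not is_true(alert.get("is_incident")):
            continue
        # Group under the Guardian incident key when present; otherwise fall
        # back to the alert's own ID (an assumption of this example).
        keys = alert.get("incident_keys") or [alert["id"]]
        for key in keys:
            incident = incidents.setdefault(key, {
                "sourceId": key,
                "name": f"Nozomi incident {key}",
                "severity": 0.0,
                "alerts": [],
            })
            incident["alerts"].append(record["sourceId"])
            incident["severity"] = max(incident["severity"], record["severity"])
    return list(incidents.values()), alert_records
```

For the three constructed alerts this yields three Alert records and a single Incident (inc-100) correlated to al-1 and al-2; al-3 stays an unlinked Alert because its is_incident value is "false".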
Important: Data ingestion from Nozomi Networks Guardian should be done with the default "Incidents" module selected. Selecting a module other than "Incidents" might cause the data ingestion to fail.
For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Nozomi Networks Guardian "incidents" to FortiSOAR™ "incidents".
The Data Ingestion Wizard enables you to configure the scheduled pulling of data from Nozomi Networks Guardian into FortiSOAR™. It also lets you pull some sample data from Nozomi Networks Guardian using which you can define the mapping of data between Nozomi Networks Guardian and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Nozomi Networks Guardian incident.
The Field Mapping screen displays the Sample Data on the right side and the Field Mapping (FortiSOAR™ fields) on the left side. The sample data is in the form of Key-Value pairs. For example, to map the id_src parameter of a Nozomi Networks Guardian incident to the Source IP parameter of a FortiSOAR™ incident, click the Source IP field and then click the id_src field to populate its keys.
5, and in the minute box enter 0.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks.