About the connector
The Nozomi Networks Guardian platform used to monitor OT/IoT/IT networks. It combines asset discovery, network visualization, vulnerability assessment, risk monitoring and threat detection in a single solution. This integration is used to gather alerts and assets information from Nozomi.
This document provides information about the Nozomi Networks Guardian Connector, which facilitates automated interactions, with a Nozomi Networks Guardian server using FortiSOAR™ playbooks. Add the Nozomi Networks Guardian Connector as a step in FortiSOAR™ playbooks and perform automated operations with Nozomi Networks Guardian.
Version information
Connector Version: 1.2.0
FortiSOAR™ Version Tested on: 7.4.0-3024
Nozomi Networks Guardian Version Tested on: 22.5.0-10040913_E7B69
Authored By: Fortinet
Certified: Yes
Release Notes for version 1.2.0
Following enhancements have been made to the Nozomi Networks Guardian Connector in version 1.2.0:
- Removed the following actions:
- Data Ingestion now uses Get Alerts List action and Data Ingestion wizard supports filtering parameters like Risk Level, Status, and Alert Type.
- Risk Level parameter in Get Alerts List action is changed from integer type to text type.
Installing the connector
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-nozomi-networks-guardian
Prerequisites to configuring the connector
- You must have the URL of Nozomi Networks Guardian server to which you will connect and perform automated operations and credentials to access that server.
- The FortiSOAR™ server should have outbound connectivity to port 443 on the Nozomi Networks Guardian server.
Minimum Permissions Required
- The authenticated user must be in a group that is assigned an admin role.
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In FortiSOAR™, on the Connectors page, click the Nozomi Networks Guardian connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter |
Description |
| Server URL |
URL of the Nozomi Networks Guardian server to which you will connect and perform automated operations. |
| Username |
Username to access the Nozomi Networks Guardian server to which you will connect and perform automated operations. |
| Password |
Password to access the Nozomi Networks Guardian server to which you will connect and perform automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set to True. |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
| Function |
Description |
Annotation and Category |
| Create Indicator |
Creates a threat intelligence indicator in Nozomi Networks Guardian based on the JSON array list of indicators you have specified. The JSON array must contain the name, threat type, and content of the indicator. |
create_threat_intelligence_indicator
Investigation |
| Get All Indicators |
Retrieves all threat intelligence indicators from Nozomi Networks Guardian. |
get_all_threat_intelligence_indicators
Investigation |
| Delete Indicator |
Deletes a threat intelligence indicator from Nozomi Networks Guardian based on the JSON array list of indicators you have specified. The JSON array must contain the ID and threat type of the indicator. |
delete_threat_intelligence_indicator
Investigation |
| Get Alerts List |
Retrieves all alerts or specific alerts from Nozomi Networks Guardian based on the search query and other input parameters you have specified. |
get_alerts
Investigation |
| Get Alert Trace |
Retrieves information about a specific alert from Nozomi Networks Guardian based on the alert ID that you have specified. |
get_alert_details
Investigation |
| Get Assets |
Retrieves all assets or specific assets from Nozomi Networks Guardian based on the search query and other input parameters you have specified. |
get_assets
Investigation |
| Import Asset |
Imports assets into Nozomi Networks Guardian allowing you to enrich information associated with nodes. The information that you provide affects the nodes that match the specified IP field value. If there are no matches, then new nodes are created. |
import_asset
Investigation |
| Get Appliances |
Retrieves all appliances, or specific appliances, from Nozomi Networks Guardian based on the search query you have specified. |
get_appliances
Investigation |
| Get Assertions |
Retrieves all assertions, or assertions based on the search query you have specified, from Nozomi Networks Guardian. |
get_assertions
Investigation |
| Get Captured Logs |
Retrieves all captured logs, or captured logs based on the search query you have specified, from Nozomi Networks Guardian. |
get_captured_logs
Investigation |
| Get Captured URLs |
Retrieves all captured URLs, or captured URLs based on the search query you have specified, from Nozomi Networks Guardian. |
get_captured_urls
Investigation |
| Get Function Codes |
Retrieves all function codes, or function codes based on the search query you have specified, from Nozomi Networks Guardian. |
get_function_codes
Investigation |
| Get Health Log |
Retrieves all health logs, or health logs based on the search query you have specified, from Nozomi Networks Guardian. |
get_health_log
Investigation |
| Get Link Events |
Retrieves all link events, or link events based on the search query you have specified, from Nozomi Networks Guardian. |
get_link_events
Investigation |
| Get Links |
Retrieves all links, or links based on the search query you have specified, from Nozomi Networks Guardian. |
get_links
Investigation |
| Get Node CPE Changes |
Retrieves all node CPE changes, or node CPE changes based on the search query you have specified, from Nozomi Networks Guardian. |
get_node_cpe_changes
Investigation |
| Get Node CPEs |
Retrieves all node CPEs, or node CPEs based on the search query you have specified, from Nozomi Networks Guardian. |
get_node_cpes
Investigation |
| Get Node CVEs |
Retrieves all node CVEs, or node CVEs based on the search query you have specified, from Nozomi Networks Guardian. |
get_node_cves
Investigation |
| Get Nodes |
Retrieves all nodes, or nodes based on the search query you have specified, from Nozomi Networks Guardian. |
get_nodes
Investigation |
| Get Sessions |
Retrieves all sessions, or sessions based on the search query you have specified, from Nozomi Networks Guardian. |
get_sessions
Investigation |
| Get Sessions History |
Retrieves all archived sessions, or archived sessions based on the search query you have specified, from Nozomi Networks Guardian. |
get_sessions_history
Investigation |
| Get Variable History |
Retrieves all variable history, or variable history based on the search query you have specified, from Nozomi Networks Guardian. |
get_variable_history
Investigation |
| Get Variables |
Retrieves all variables, or variables based on the search query you have specified, from Nozomi Networks Guardian. |
get_variables
Investigation |
| Get Alert Acknowledgement Status |
Retrieves all alert acknowledgment statuses based on the alert acknowledgment job ID you have specified, from Nozomi Networks Guardian. |
get_alert_ack_status
Investigation |
| Set Acknowledgment Status |
Set alert statuses to Acknowledge or Unacknowledge based on the alert IDs you have specified, from Nozomi Networks Guardian. |
set_alert_ack
Investigation |
| Run CLI |
Runs the specified CLI command on Nozomi Networks Guardian. |
run_cli
Investigation |
operation: Create Indicator
Input parameters
| Parameter |
Description |
| Indicators |
Specify a JSON array list of indicators using which to create a threat intelligence indicator in Nozomi Networks Guardian. You can specify between the following threat types: packet_rules, yara_rules, or stix_indicators. |
Output
The output contains the following populated JSON schema:
{
"name": "",
"type": "",
"id": ""
}
operation: Get All Indicators
Input parameters
None.
Output
The output contains the following populated JSON schema:
{
"name": "",
"type": "",
"id": ""
}
operation: Delete Indicator
Input parameters
| Parameter |
Description |
| Indicators |
Specify a JSON array list of indicators using which to delete a threat intelligence indicator in Nozomi Networks Guardian. You can specify between the following threat types: packet_rules, yara_rules, or stix_indicators. |
Output
The output contains the following populated JSON schema:
{
"id": "",
"type": ""
}
operation: Get Alerts List
Input parameters
| Parameter |
Description |
| Appliance ID |
Specify the ID of the appliance to retrieve alerts from the Nozomi Networks Guardian. |
| Start Time |
Specify the start DateTime of the duration using which to filter retrieved alerts from Nozomi Networks Guardian. This parameter filters the result set to include only those items that have been created after the specified timestamp. |
| Risk Level |
Specify the risk level (0-10) to retrieve only those alerts from Nozomi Networks Guardian whose risk level is equal to or above the specified value. |
| Max Alerts |
Specify the maximum number of alerts that this operation should return in the response. |
| Status |
Specify the status to retrieve only those alerts from Nozomi Networks Guardian whose status matches the specified value. |
| Alert type |
Specify the alert type to retrieve only those alerts from Nozomi Networks Guardian whose type matches the specified value. |
| Is Incident |
Select this option, i.e., set it to true if to retrieve only those alerts from Nozomi Networks Guardian that are part of an incident. By default, this option cleared, i.e., set to false. |
| Search Query |
(Optional) Specify the query using which to search and retrieve alerts from Nozomi Networks Guardian. For example, | group_by type_id. |
Output
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"type_id": "",
"name": "",
"description": "",
"severity": "",
"mac_src": "",
"mac_dst": "",
"ip_src": "",
"ip_dst": "",
"risk": "",
"protocol": "",
"src_roles": "",
"dst_roles": "",
"time": "",
"ack": "",
"id_src": "",
"id_dst": "",
"synchronized": "",
"appliance_id": "",
"port_src": "",
"port_dst": "",
"label_src": "",
"label_dst": "",
"trigger_id": "",
"trigger_type": "",
"appliance_host": "",
"appliance_ip": "",
"transport_protocol": "",
"is_security": "",
"note": "",
"appliance_site": "",
"parents": [],
"is_incident": "",
"properties": {
"bad_actor": "",
"base_risk": "",
"is_dst_node_learned": "",
"is_dst_public": "",
"is_dst_reputation_bad": "",
"is_src_node_learned": "",
"is_src_public": "",
"is_src_reputation_bad": "",
"remediation_target": "",
"victims": [],
"mitre_attack/techniques": [
{
"technique": "",
"name": "",
"tactic": ""
}
]
},
"created_time": "",
"incident_keys": [],
"bpf_filter": "",
"closed_time": "",
"status": "",
"session_id": "",
"replicated": "",
"capture_device": "",
"threat_name": "",
"type_name": "",
"sec_profile_visible": "",
"zone_src": "",
"zone_dst": "",
"mitre_attack_techniques": "",
"mitre_attack_tactics": ""
}
],
"header": [],
"error": "",
"total": ""
}
operation: Get Alert Trace
Input parameters
| Parameter |
Description |
| Alert ID |
Specify the alert ID to retrieve its information from Nozomi Networks Guardian. |
Output
The output contains the following populated JSON schema:
{
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"size": "",
"uuid": "",
"@type": "",
"assignee": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"uuid": "",
"@type": "",
"tasks": [],
"alerts": [],
"assets": [],
"owners": [],
"people": [],
"@context": "",
"assignee": "",
"comments": [],
"warrooms": [],
"incidents": [],
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"indicators": [],
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"uuid": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": [],
"userOwners": [],
"description": ""
}
operation: Get Assets
Input parameters
| Parameter |
Description |
| Appliance ID |
Specify the ID of the appliance to retrieve assets from the Nozomi Networks Guardian. |
| Level |
Specify the level (0-4) to retrieve only those assets from Nozomi Networks Guardian whose level is equal to the specified value. |
| Asset type |
Specify the asset type to retrieve only those assets from Nozomi Networks Guardian whose type matches the specified value. |
| Max Assets |
Specify the maximum number of assets that this operation should return in the response. |
| Search Query |
(Optional) Specify the query using which to search and retrieve assets from the Nozomi Networks Guardian server. For example, head 2. |
Output
The output contains the following populated JSON schema:
{
"result": [
{
"name": "",
"level": "",
"id": "",
"appliance_hosts": [],
"capture_device": "",
"ip": [],
"mac_address": [],
"mac_address_level": {},
"vlan_id": [],
"mac_vendor": [],
"os": "",
"roles": [],
"vendor": "",
"_asset_kb_id": "",
"vendor:info": {
"source": ""
},
"firmware_version": "",
"firmware_version:info": {
"source": ""
},
"os_or_firmware": "",
"serial_number": "",
"serial_number:info": {
"source": ""
},
"product_name": "",
"product_name:info": {
"source": ""
},
"type": "",
"type:info": {
"source": ""
},
"protocols": [],
"nodes": [],
"zones": [],
"custom_fields": {},
"fields": {},
"created_at": "",
"last_activity_time": "",
"device_id": ""
}
],
"header": [],
"error": "",
"total": ""
}
operation: Import Asset
Input parameters
| Parameter |
Description |
| Import Type |
Select the import type using which to import assets into Nozomi Networks Guardian. You can choose from the following options:
- JSON: Specify a list of items and their values in the JSON format, to import as an asset into Nozomi Networks Guardian, in the Assets field.
- CSV: Specify values in the following fields:
- Type: Select from Attachment ID or File IRI.
- Reference ID: Reference ID that is used to access the attachment metadata from FortiSOAR™'s Attachments module. If you have selected Attachment ID, this defaults to the
{{vars.attachment_id}} value. If you have selected File IRI, then this defaults to the {{vars.file_iri}} value.
|
Output
The output contains the following populated JSON schema:
{
"result": "",
"error": ""
}
operation: Get Appliances
Input parameters
| Parameter |
Description |
| Search Query |
(Optional) Specify the query to search and retrieve appliances from the Nozomi Networks Guardian server. For example, | head 2 |
Output
The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": []
}
operation: Get Assertions
Input parameters
| Parameter |
Description |
| Search Query |
(Optional) Specify the query using which to search and retrieve assertions from the Nozomi Networks Guardian server. For example, | head 2. |
Output
The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": []
}
operation: Get Captured Logs
Input parameters
| Parameter |
Description |
| Search Query |
(Optional) Specify the query using which to search and retrieve captured logs from the Nozomi Networks Guardian server. For example, | head 2. |
Output
The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": []
}
operation: Get Captured URLs
Input parameters
| Parameter |
Description |
| Search Query |
(Optional) Specify the query using which to search and retrieve captured URLs from the Nozomi Networks Guardian server. For example, | head 2. |
Output
The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": []
}
operation: Get Function Codes
Input parameters
| Parameter |
Description |
| Search Query |
(Optional) Specify the query using which to search and retrieve function codes from the Nozomi Networks Guardian server. For example, | head 2. |
Output
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"protocol": "",
"fc": "",
"count": "",
"description": ""
}
],
"header": [],
"total": ""
}
operation: Get Health Log
Input parameters
| Parameter |
Description |
| Search Query |
(Optional) Specify the query using which to search and retrieve health logs from the Nozomi Networks Guardian server. For example, | head 2. |
Output
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"time": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"synchronized": "",
"info": {
"description": ""
},
"replicated": ""
}
],
"header": [],
"error": "",
"total": ""
}
operation: Get Link Events
Input parameters
| Parameter |
Description |
| Search Query |
(Optional) Specify the query using which to search and retrieve link events from the Nozomi Networks Guardian server. For example, | head 2. |
Output
The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": []
}
operation: Get Links
Input parameters
| Parameter |
Description |
| Search Query |
(Optional) Specify the query using which to search and retrieve links from the Nozomi Networks Guardian server. For example, | head 2. |
Output
The output contains the following populated JSON schema:
{
"result": [
{
"from": "",
"to": "",
"is_from_public": "",
"is_to_public": "",
"protocol": "",
"first_activity_time": "",
"last_activity_time": "",
"last_handshake_time": "",
"transport_protocols": [],
"tcp_handshaked_connections.total": "",
"tcp_handshaked_connections.last_5m": "",
"tcp_handshaked_connections.last_15m": "",
"tcp_handshaked_connections.last_30m": "",
"tcp_connection_attempts.total": "",
"tcp_connection_attempts.last_5m": "",
"tcp_connection_attempts.last_15m": "",
"tcp_connection_attempts.last_30m": "",
"transferred.packets": "",
"transferred.bytes": "",
"transferred.last_5m_bytes": "",
"transferred.last_15m_bytes": "",
"transferred.last_30m_bytes": "",
"transferred.smallest_packet_bytes": "",
"transferred.biggest_packet_bytes": "",
"transferred.avg_packet_bytes": "",
"tcp_retransmission.percent": "",
"tcp_retransmission.packets": "",
"tcp_retransmission.bytes": "",
"tcp_retransmission.last_5m_bytes": "",
"tcp_retransmission.last_15m_bytes": "",
"tcp_retransmission.last_30m_bytes": "",
"throughput_speed": "",
"is_learned": "",
"is_fully_learned": "",
"is_broadcast": "",
"has_confirmed_data": "",
"_can": {
"link_events": "",
"captured_urls": "",
"trace_requests": ""
},
"alerts": "",
"last_trace_request_time": "",
"_ports": [
{
"tcp": ""
}
],
"active_checks": [],
"_checks": {},
"function_codes": [],
"bpf_filter": "",
"from_zone": "",
"to_zone": ""
}
],
"header": [],
"total": ""
}
operation: Get Node CPE Changes
Input parameters
| Parameter |
Description |
| Search Query |
(Optional) Specify the query using which to search and retrieve node CPE changes from the Nozomi Networks Guardian server. For example, | head 2. |
Output
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"node_id": "",
"cpe": "",
"cpe_part": "",
"cpe_vendor": "",
"cpe_product": "",
"cpe_version": "",
"cpe_update": "",
"new_cpe": "",
"new_cpe_vendor": "",
"new_cpe_product": "",
"new_cpe_version": "",
"new_cpe_update": "",
"node_cpe_id": "",
"time": "",
"synchronized": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"human_cpe_vendor": "",
"human_cpe_product": "",
"new_human_cpe_vendor": "",
"new_human_cpe_product": "",
"human_cpe_version": "",
"human_cpe_update": "",
"new_human_cpe_version": "",
"new_human_cpe_update": "",
"likelihood": "",
"new_likelihood": "",
"replicated": "",
"cpe_edition": "",
"new_cpe_edition": "",
"human_cpe_edition": "",
"new_human_cpe_edition": ""
}
],
"header": [],
"error": "",
"total": ""
}
operation: Get Node CPEs
Input parameters
| Parameter |
Description |
| Search Query |
(Optional) Specify the query using which to search and retrieve node CPEs from the Nozomi Networks Guardian server. For example, | head 2. |
Output
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"node_id": "",
"cpe": "",
"cpe_part": "",
"cpe_vendor": "",
"cpe_product": "",
"cpe_version": "",
"cpe_update": "",
"time": "",
"synchronized": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"updated": "",
"cpe_translator": "",
"human_cpe_vendor": "",
"human_cpe_product": "",
"human_cpe_version": "",
"human_cpe_update": "",
"likelihood": "",
"replicated": "",
"cpe_edition": "",
"human_cpe_edition": "",
"unique_hw_id": "",
"deleted_at": "",
"asset_id": "",
"node_label": "",
"node_type": "",
"node_vendor": "",
"node_product_name": "",
"node_firmware_version": "",
"zone": "",
"node_os": ""
}
],
"header": [],
"error": "",
"total": ""
}
operation: Get Node CVEs
Input parameters
| Parameter |
Description |
| Search Query |
(Optional) Specify the query using which to search and retrieve node CVEs from the Nozomi Networks Guardian server. For example, | head 2. |
Output
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"node_id": "",
"cve": "",
"time": "",
"cwe_id": "",
"cwe_name": "",
"matching_cpes": [],
"likelihood": "",
"resolved": "",
"resolved_reason": "",
"resolved_source": "",
"installed_on": "",
"appliance_id": "",
"appliance_ip": "",
"appliance_host": "",
"zone": "",
"asset_id": "",
"node_label": "",
"node_type": "",
"node_vendor": "",
"node_product_name": "",
"node_firmware_version": "",
"node_os": "",
"resolution_status": "",
"cve_summary": "",
"cve_references": [
{
"name": "",
"reference_type": "",
"source": "",
"url": ""
}
],
"cve_score": "",
"cve_creation_time": "",
"cve_update_time": "",
"cve_source": ""
}
],
"header": [],
"error": "",
"total": ""
}
operation: Get Nodes
Input parameters
| Parameter |
Description |
| Search Query |
(Optional) Specify the query using which to search and retrieve nodes from the Nozomi Networks Guardian server. For example, | head 2. |
Output
The output contains the following populated JSON schema:
{
"result": [
{
"appliance_host": "",
"label": "",
"id": "",
"_asset_kb_id": "",
"ip": "",
"mac_address": "",
"mac_address:info": {
"source": "",
"likelihood": "",
"likelihood_level": ""
},
"mac_vendor": "",
"_private_status": "",
"subnet": "",
"vlan_id": "",
"vlan_id:info": {
"source": ""
},
"zone": "",
"level": "",
"type": "",
"type:info": {
"source": ""
},
"os": "",
"os:info": {
"source": ""
},
"vendor": "",
"vendor:info": {
"source": ""
},
"product_name": "",
"product_name:info": {
"source": ""
},
"firmware_version": "",
"firmware_version:info": {
"source": ""
},
"serial_number": "",
"serial_number:info": {
"source": ""
},
"is_broadcast": "",
"is_public": "",
"fields": {},
"reputation": "",
"is_compromised": "",
"is_confirmed": "",
"is_learned": "",
"is_fully_learned": "",
"is_disabled": "",
"_is_licensed": "",
"roles": [],
"links": [
{
"id": "",
"protos": [
{
"name": "",
"last_activity": ""
}
]
}
],
"links_count": "",
"protocols": [],
"created_at": "",
"first_activity_time": "",
"last_activity_time": "",
"received.packets": "",
"received.bytes": "",
"received.last_5m_bytes": "",
"received.last_15m_bytes": "",
"received.last_30m_bytes": "",
"sent.packets": "",
"sent.bytes": "",
"sent.last_5m_bytes": "",
"sent.last_15m_bytes": "",
"sent.last_30m_bytes": "",
"tcp_retransmission.percent": "",
"tcp_retransmission.packets": "",
"tcp_retransmission.bytes": "",
"tcp_retransmission.last_5m_bytes": "",
"tcp_retransmission.last_15m_bytes": "",
"tcp_retransmission.last_30m_bytes": "",
"variables_count": "",
"device_id": "",
"properties": {},
"custom_fields": {},
"bpf_filter": "",
"device_modules": {},
"capture_device": ""
}
],
"header": [],
"total": ""
}
operation: Get Sessions
Input parameters
| Parameter |
Description |
| Search Query |
(Optional) Specify the query using which to search and retrieve sessions from the Nozomi Networks Guardian server. For example, | head 2. |
Output
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"status": "",
"direction_is_known": "",
"from": "",
"to": "",
"transport_protocol": "",
"from_zone": "",
"to_zone": "",
"from_port": "",
"to_port": "",
"protocol": "",
"vlan_id": "",
"transferred.packets": "",
"transferred.bytes": "",
"transferred.last_5m_bytes": "",
"transferred.last_15m_bytes": "",
"transferred.last_30m_bytes": "",
"transferred.smallest_packet_bytes": "",
"transferred.biggest_packet_bytes": "",
"transferred.avg_packet_bytes": "",
"throughput_speed": "",
"first_activity_time": "",
"last_activity_time": "",
"key": "",
"bpf_filter": ""
}
],
"header": [],
"total": ""
}
operation: Get Sessions History
Input parameters
| Parameter |
Description |
| Search Query |
(Optional) Specify the query using which to search and retrieve archived sessions from the Nozomi Networks Guardian server. For example, | head 2. |
Output
The output contains the following populated JSON schema:
{
"result": [
{
"id": "",
"status": "",
"direction_is_known": "",
"from": "",
"to": "",
"transport_protocol": "",
"from_zone": "",
"to_zone": "",
"from_port": "",
"to_port": "",
"protocol": "",
"vlan_id": "",
"transferred.packets": "",
"transferred.bytes": "",
"transferred.last_5m_bytes": "",
"transferred.last_15m_bytes": "",
"transferred.last_30m_bytes": "",
"transferred.smallest_packet_bytes": "",
"transferred.biggest_packet_bytes": "",
"transferred.avg_packet_bytes": "",
"throughput_speed": "",
"first_activity_time": "",
"last_activity_time": "",
"key": "",
"bpf_filter": ""
}
],
"header": [],
"total": ""
}
operation: Get Variable History
Input parameters
| Parameter |
Description |
| Search Query |
(Optional) Specify the query using which to search and retrieve variable history from the Nozomi Networks Guardian server. For example, | head 2. |
Output
The output contains the following populated JSON schema:
{
"error": "",
"total": "",
"header": [],
"result": []
}
operation: Get Variables
Input parameters
| Parameter |
Description |
| Search Query |
(Optional) Specify the query using which to search and retrieve variables from the Nozomi Networks Guardian server. For example, | head 2. |
Output
The output contains the following populated JSON schema:
{
"result": [
{
"var_key": "",
"host": "",
"host_label": "",
"RTU_ID": "",
"name": "",
"label": "",
"unit": "",
"scale": "",
"offset": "",
"type": "",
"is_numeric": "",
"min_value": "",
"max_value": "",
"value": "",
"last_value": "",
"last_value_is_valid": "",
"last_value_quality": [],
"last_cause": "",
"protocol": "",
"last_function_code_info": "",
"last_function_code": "",
"first_activity_time": "",
"last_range_change_time": "",
"last_activity_time": "",
"last_update_time": "",
"last_valid_quality_time": "",
"request_count": "",
"changes_count": "",
"last_client": "",
"history_status": "",
"active_checks": [],
"_checks": {},
"flow_status": "",
"flow_anomalies": "",
"flow_anomaly_in_progress": "",
"flow_hiccups_percent": "",
"flow_stats.avg": "",
"flow_stats.var": ""
}
],
"header": [],
"total": ""
}
operation: Get Alert Acknowledgement Status
Input parameters
| Parameter |
Description |
| Job ID |
Specify the alert ID to retrieve its acknowledgment status from Nozomi Networks Guardian. |
Output
The output contains the following populated JSON schema:
{
"result": {
"status": ""
}
}
operation: Set Acknowledgment Status
Input parameters
| Parameter |
Description |
| Alert IDs |
Specify the list of comma-separated alert IDs based on which to set acknowledgment status of alerts in Nozomi Networks Guardian. |
| Acknowledgment Status |
Select this checkbox to set the acknowledgment status of specified alerts to Acknowledge. Clear this checkbox to set the acknowledgment status of specified alerts to UnAcknowledge in Nozomi Networks Guardian. |
Output
The output contains the following populated JSON schema:
{
"result": {
"id": ""
},
"error": ""
}
operation: Run CLI
Input parameters
| Parameter |
Description |
| Command |
Specify the CLI command to run on Nozomi Networks Guardian. |
Output
The output contains a non-dictionary value.
Included playbooks
The Sample - Nozomi Networks Guardian - 1.2.0 playbook collection comes bundled with the Nozomi Networks Guardian connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Nozomi Networks Guardian connector.
- > Nozomi Networks Guardian > Fetch Alerts
- Create Indicator
- Delete Indicator
- Get Alert Acknowledgement Status
- Get Alert Trace
- Get Alerts List
- Get All Indicators
- Get Assertions
- Get Assets
- Get Captured Logs
- Get Captured URLs
- Get Function Codes
- Get Health Log
- Get Link Events
- Get Links
- Get Node CPE Changes
- Get Node CPEs
- Get Node CVEs
- Get Nodes
- Get Sessions
- Get Sessions History
- Get Variable History
- Get Variables
- Import Asset
- Nozomi Networks Guardian > Create Alerts
- Nozomi Networks Guardian > Ingest
- Run CLI
- Set Acknowledgment Status
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.
Data Ingestion Support
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling incidents from Nozomi Networks Guardian. Currently, incidents in Nozomi Networks Guardian are mapped to incidents in FortiSOAR™. An incident in Nozomi contains alerts, i.e., each alert in Nozomi contains an is_incident parameter that states whether that alert is part of an incident. If the alert is part of an incident, then the is_incident parameter will be set to true (else false). Therefore, when mapping incidents from Nozomi, i.e., the is_incident parameter is set to true, then both Incident and correlated Alert records are created in FortiSOAR™. If the is_incident parameter is set to false, then only alert records are created in FortiSOAR™.
Important: It is recommended that Data Ingestion of Nozomi Networks Guardian should be done with the default selected Incidents module. Selecting a module other than Incidents might cause the data ingestion to fail.
For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.
Configure Data Ingestion
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming Nozomi Networks Guardian incidents to FortiSOAR™ incidents.
The Data Ingestion Wizard enables you to configure the scheduled pulling of data from Nozomi Networks Guardian into FortiSOAR™. It also lets you pull some sample data from Nozomi Networks Guardian using which you can define the mapping of data between Nozomi Networks Guardian and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Nozomi Networks Guardian incident.
- To begin configuring data ingestion, click Configure Data Ingestion on the Nozomi Networks Guardian connector's Configurations page.
Click Let's Start by fetching some data, to open the Fetch Sample Data screen:
Sample data is required to create a field mapping between Nozomi Networks Guardian data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
- On the Fetch Data screen, provide the configurations required to fetch Nozomi Networks Guardian incidents. In the Pull Threats from Last X Minutes field, type the time in minutes from when to pull incidents from Nozomi Networks Guardian. This parameter filters the result set to only include only those incidents that have been created after the specified timestamp.
Once you have completed specifying the configurations, click Fetch Data.
- On the Field Mapping screen, map the fields of a Nozomi Networks Guardian incident to the fields of an incident present in FortiSOAR™. The
Field Mapping screen displays the Sample Data on the right side and the Field Mapping (FortiSOAR™ fields) on the left side. The sample data is in the form of a Key-Value pair.
From the Module drop-down list that appears next to Field Mapping, select the FortiSOAR™ module for which to map the fields. The default module, which is Incident is already selected.
Note: It is recommended that you do not change the default selected module Selecting a module other than the default might cause the data ingestion to fail, and you will require to remap all the fields.
Also, some fields such as Name and some picklists can come pre-mapped with their jinja value. You do not require to re-map these fields unless to override their default values.
To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the id_src parameter of a Nozomi Networks Guardian incident to the Source IP parameter of a FortiSOAR™ incident, click the Source IP field and then click the id_src field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
- Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Nozomi Networks Guardian, so that the content gets pulled from the Nozomi Networks Guardian into FortiSOAR™.
On the Scheduling screen, from the Do to schedule the ingestion? drop-down list, select Yes.
In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if to pull data from Nozomi Networks Guardian every morning at 5 am, click Daily, and in the hour box enter 5 , and in the minute box enter 0:
Once you have completed scheduling, click Save Settings & Continue.
- The
Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks.
Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
