Home
Guardian
Administrator Guide
Information and resources about the Administration section of Guardian, and the tasks that you can do in this part of the software.
Administration
Settings
Data integration
Common Event Format (CEF)
CEF lets you send alerts and health logs in CEF format. You can also enable encryption of the data through the TLS checkbox and check the validity of the CEF server’s certificate with the CA-emitted TLS certificate checkbox.
Custom fields
The Nozomi Networks solution has defined custom label fields in our common event format (CEF) implementation. Ensure that your integration recognizes these custom labels and deals with them appropriately.

Guardian
- Introduction
  An overview of Guardian.
- Installation Guide
  Information and resources on how to install Guardian, and the different options and settings that are available.
- Administrator Guide
  Information and resources about the Administration section of Guardian, and the tasks that you can do in this part of the software.
  - Administration
    - Administration page
      The administration page lets a user with administrator privileges configure settings and do other tasks.
    - Settings
      - Security control panel
        The Security control panel page shows an overview of the current status of the learning process and lets you configure the features that manage the: learning, security profile, zones, alerts tuning, and alert closing options.
      - Features control panel
        The Features control panel page shows an overview of the current status of system features configuration and lets you fine tune specific values.
      - Users management
        The Users management page shows all the pages that you need to let you manage authentication and authorization policies for users and groups.
      - CLI
        The CLI page lets you change configuration parameters and perform troubleshooting activities.
      - Dashboards
        The Dashboards page lets you create and configure widget-based dashboards that provide information about your network. The dashboards created here will show on the Guardian home page, and give an overview of the monitored environment.
      - Threat Intelligence
        The Threat Intelligence page lets you manage packet rules, YARA rules, Sigma rules, structured threat information expression (STIX) indicators and vulnerabilities to provide detailed threat information.
      - Data model
        The Data model page lets you create a custom field to the Nodes (All-In-One CMC only) and Assets tables. A custom field lets you add information that might be relevant to your organization, and cannot be extracted from network traffic.
      - Data integration
        Data integration overview
        An overview of Data integration in the Nozomi Networks software.
        Data integration
        The Data integration page lets you exchange data with different third-party platforms.
        Google Chronicle (Ingestion API - UDM)
        This integration lets you forward alerts, asset information and vulnerabilities to an instance of Google Chronicle.
        IBM QRadar (LEEF)
        The IBM QRadar integration lets you send all alerts, and optionally health logs, in LEEF format. You can also send asset information to QRadar beginning with version 2.0.0 of the QRadar App.
        Common Event Format (CEF)
        CEF lets you send alerts and health logs in CEF format. You can also enable encryption of the data through the TLS checkbox and check the validity of the CEF server’s certificate with the CA-emitted TLS certificate checkbox.
        Custom fields
        The Nozomi Networks solution has defined custom label fields in our common event format (CEF) implementation. Ensure that your integration recognizes these custom labels and deals with them appropriately.
        ServiceNow
        The ServiceNow integration allows you to forward incident and asset information to a ServiceNow instance. Using the options below, you can decide to send just new incidents or historical incidents. You can also choose if currently existing assets in ServiceNow need to be updated with the information present in the sensor or if assets in ServiceNow will only be created if they do not exist there yet.
        Tanium
        This integration enables seamless forwarding of node and asset data to a Tanium instance, facilitating centralized management and enhanced visibility within your network.
        Splunk - Common Information Model (JSON)
        If you need to send alerts to a Splunk - JavaScript Object Notation (JSON) instance, you can use integration. Data are sent in JSON format and you are also able to filter on alerts. You can also send health logs and audit logs.
        SMTP forwarding
        To send reports, alerts and/or health logs to an email address, you can configure a simple mail transfer protocol (SMTP) forwarding endpoint. In this case, you are also able to filter alerts.
        SNMP trap
        Use this kind of integration to send alerts through a simple network management protocol (SNMP) trap.
        Syslog Forwarder
        Use this type of integration to send syslog events captured from monitored traffic to a syslog endpoint.
        Custom JSON
        This type of integration uses the JavaScript Object Notation (JSON) format to send the results of the related query to a specific uniform resource identifier (URI).
        Custom CSV
        This type of integration sends the results of the specified query to a specific URI in comma-separated value (CSV) format.
        DNS Reverse Lookup
        This integration sends reverse domain name server (DNS) requests for the nodes in the environment and uses the names provided by the DNS as nodes' labels. You can pre-filter the nodes by specifying a query filter.
        Kafka
        The Kafka integration allows you to send the results of custom queries in JavaScript Object Notation (JSON) format to existing topics of a Kafka cluster.
        Cisco ISE
        With the Cisco ISE integration, you can use the simple text-oriented messaging-protocol (STOMP) to send the results of custom node queries to Cisco's ISE asset information.
        External Storage
        The external storage integration uploads files to an external machine. This enables the external machine to keep remote copies of files that are kept beyond the retention settings.
        Microsoft Endpoint Configuration Manager (WinRM RPC)
        With the Windows Remote Management (WinRM) RPC, you can collect information coming from the Microsoft Endpoint Configuration Manager to update Windows nodes.
        Microsoft Endpoint Configuration Manager (DB)
        The goal of this integration is to collect information from the Microsoft Endpoint Configuration Manager DB to update the existing Windows nodes.
        NetWitness
        If you require sending alerts to a NetWitness instance, you can utilize this integration. Data is transmitted in JavaScript Object Notation (JSON) format prepended by the NOZOMI: header. You can also apply filters, and determine whether historical data should be sent or not.
        Aruba ClearPass
        This integration lets you send node information to Aruba ClearPass. Only nodes with confirmed media access control (MAC) addresses are sent. You can specify a query filter to pre-filter the nodes. If Enable update Node information is not selected, nodes are only sent once.
        CarbonBlack Defense
        The strategy runs once a day by default. The strategy uses its representational state transfer (REST) application programming interface (API) over hypertext transfer protocol secure (HTTPS) to extract information about nodes from an external CarbonBlack service.
        Nozomi syslog data events and syslog messages
        For customers implementing syslog, Guardian generates three types of syslog events: alerts, health, and audit.
        Configure data integration
        The Data integration page lets you configure one of the available options.
      - Firewall integration
        The Firewall integrations page shows all the firewall integrations and lets you add new ones.
      - Credentials manager
        The Credentials manager is a tool that lets you centralize the management of monitored endpoints to make it easier to create, delete, or update the credentials that are needed to access those endpoints.
      - Zone configurations
        The Zone configurations page shows all the zone configurations in your environment and lets you add new zone configurations and edit them.
      - Synchronization settings
        The Synchronization settings page lets you customize the parameters related to Vantage or Central Management Console (CMC).
      - Alert playbooks
    - System
- User Guide
  Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
- Maintenance Guide
  Information about the maintenance tasks of Guardian, to help you administer and maintain the solution in a production environment.
- Print format documentation
  A list of all the print-format documentation that is available for Guardian.

Custom fields

The Nozomi Networks solution has defined custom label fields in our common event format (CEF) implementation. Ensure that your integration recognizes these custom labels and deals with them appropriately.


Field Value	Label Value	Label Sample	Field Sample
cs1	cs1Label	Risk	Risk level for the alert
cs2	cs2Label	IsSecurity	Is this a security alert
cs3	cs3Label	Id	Alert ID (not Alert Type ID) of the alert in the Nozomi system
cs4	cs4Label	Detail	Alert details
cs5	cs5Label	Parents	Parent IDs of the alert if related to others
cs6	cs6Label	n2os_schema	This is the Nozomi Schema version
flexString1	flexString1Label	mitre_attack_techniques	T0843
flexString2	flexString2Label	mitre_attack_tactics	Impair Process Control, Inhibit Response Function, Persistence
flexString3	flexString3Label	Name	Suspicious Activity

The common event format (CEF) data integration now sends the name attribute of alerts in the flexString CEF field. For example:

nozomi-ids.local n2osevents[0]: CEF:0|Nozomi Networks|N2OS|
21.9.0-01051414_C13FC|SIGN:MULTIPLE-UNSUCCESSFUL-LOGINS|Multiple
unsuccessful logins|8|
app=smb
dvc=172.16.193.105
dvchost=nozomi-ids.local
cs1=8.0
cs2=true
cs5=["22114bf0-813c-434c-b4d7-933d2a54b4e1"]
cs6=3 cs1Label=Risk
cs2Label=IsSecurity
cs3Label=Id
cs5Label=Parents
cs6Label=n2os_schema
flexString1=T0843
flexString1Label=mitre_attack_techniques
flexString2=impair_process_control, inhibit_response_function, persistence
flexString2Label=mitre_attack_tactics
flexString3=suspicious_activity
flexString3Label=name
dst=192.168.1.77
dmac=f0:1f:af:f1:40:5c
dpt=445
msg=Multiple unsuccessful logins detected with protocol smb. The usernames
'', 'DOMAIN\VCA07_12$' attempted at least 40 connections in 15 seconds
src=192.168.1.227
smac=d8:9e:f3:3a:cb:3a
spt=57280
proto=TCP
start=1651456283700