Home
Guardian
Learn how Guardian provides comprehensive asset inventory and network visibility for OT and IoT environments.
User Guide
Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
Alerts
The Alerts page shows all the latest alerts in the system. It lets you view the alerts in different modes, and carry out actions on the alerts.
Actions menu
The Actions menu gives you access to all the actions that you can do for the related alert.
Download a malicious file
Once a sensor has detected a malicious file, it is possible to download it for analysis.

Guardian
Learn how Guardian provides comprehensive asset inventory and network visibility for OT and IoT environments.
- Introduction
  An overview of Guardian.
- Installation Guide
  Information and resources on how to install Guardian, and the different options and settings that are available.
- Administrator Guide
  Information and resources about the Administration section of Guardian, and the tasks that you can do in this part of the software.
- User Guide
  Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
  - Sensors
    The Sensors page lets you view all of the sensors that you have in your system.
  - Alerts
    The Alerts page shows all the latest alerts in the system. It lets you view the alerts in different modes, and carry out actions on the alerts.
    - Standard mode
      You can view alerts in standard mode to give you an overview of the latest anomalies.
    - Expert mode
      You can view alerts in expert mode to give you a detailed view of the alerts in the system. This lets you filter, sort, and analyze the information in detail.
    - View alerts in standard mode
      You can view alerts in standard mode to give you an overview of the latest anomalies.
    - View alerts in expert mode
      You can view alerts in expert mode to give you a detailed view of the alerts in the system. This lets you filter, sort, and analyze the information in detail.
    - Closing alerts
      When you close an alert, or incident, a dialog lets you select a reason, and specify the learning process.
    - Actions menu
      The Actions menu gives you access to all the actions that you can do for the related alert.
      - Open the Actions menu in standard mode
        You can open the Actions menu to give you access to additional operations. When you are in standard mode, there are two different options available to open the menu.
      - Open the Actions menu in expert mode
        You can open the Actions menu to give you access to additional operations.
      - Configure an alert
        You can use the Configure alert option to create a new alert rule for future events that are similar to the current one.
      - Acknowledge an alert
        Once an alert or incident shows, you can mark it as acknowledged. You can also change the status back to unacknowledged again.
      - Close an alert
        Once an alert or incident shows, you can mark it as closed, and choose the type of learning operation to perform.
      - Download a trace
        If a trace is available, you can choose to download it. The trace contains the packet that triggered the alert, along with an extract of the same session before and after that packet. Traces might be unavailable if the appliance is under stress.
      - Download a malicious file
        Once a sensor has detected a malicious file, it is possible to download it for analysis.
      - Edit a note for an alert
        Once an alert or incident shows, you can write a note for it, or edit an existing one.
      - View a diff from an alert
        This automatic feature will use the previous and subsequent snapshots according to the time of the alert.
      - Navigate from an alert
        Alerts and incidents have related nodes, links, vulnerabilities, or sessions. The actions menu lets you navigate to these links.
    - Edit a playbook associated with an alert
      A playbook associated with an alert can be modified. A change you make on the playbook only affects the playbook related to that specific alert.
  - Assets
    The Assets page shows all the physical components and systems in the local network environment and their associated details. It also lets you perform actions on those assets. Depending on the nodes and components involved, assets can range from a simple personal computer to an operational technology (OT) device.
  - Queries
    You can use the Nozomi Networks Query Language (N2QL) syntax to create complex data processes to obtain, filter, and analyze lists of information from the Nozomi Networks software.
  - Smart Polling in Guardian
    The Smart Polling page lets you view and manage Smart Polling.
  - Arc in Guardian
    Arc™ is a host-based sensor that detects and defends against malicious or compromised endpoints, and insider attacks. You can use Arc sensors to aggregate data for analysis and reports, either on-premises, or in the Vantage cloud.
  - Network
    The Network page gives you access to multiple pages that show nodes, links, sessions in tabular format and graphs and traffic in a graphical format.
  - Process
    Process is a set of repeatable functions that a business does to deliver a core value.
  - Reports
    The Reports page lets you manage, generate, schedule and view reports.
  - Assertions
    The Assertions page shows all the assertions and lets you configure them.
  - Time machine
    Time machine lets you load a snapshot, which is a previously saved state, and go back in time, to analyze the data from a past situation. You can load a single snapshot and use the platform as usual or load two snapshots and compare the user interface to highlight changes.
  - Vulnerabilities
    The Nozomi Networks software continuously discovers vulnerabilities in monitored assets.
  - Administration
  - Personal settings
    The personal settings page lets you do actions that are specific to your profile.
- Maintenance Guide
  Information about the maintenance tasks of Guardian, to help you administer and maintain the solution in a production environment.
- Print format documentation
  A list of all the print-format documentation that is available for Guardian.

Download a malicious file

Once a sensor has detected a malicious file, it is possible to download it for analysis.

About this task

Only qualified personnel should download malicious files. Before you do this procedure, make sure that you have the correct permissions.

Procedure

Open the Actions menu for the applicable file with one of the these options:
- Open the Actions menu in standard mode
- Open the Actions menu in expert mode
Select Download file causing the alert.

A dialog shows.
If you want to proceed, select Yes.

Important:
Nozomi Networks recommends that only qualified personnel download malicious, or unwanted, files. Download these files at your own risk.

The file downloads to your downloads folder and a password dialog that contains a randomized, single-use password shows.
Copy the password, and select Ok.
Go to the folder where the file was downloaded to.
Double-click the ZIP file to open it.
A dialog that prompts you to enter a password shows.
Paste the password into the password field and select OK.
You can now access the file.