Home
Resources
Reference Guides
Additional reference guides with information on items such as Alerts and Incidents and Federal Information Processing Standards (FIPS).
Alerts and Incidents
Alerts
Alerts
A description of alerts in the Nozomi Networks software.

Resources
- Release Notes
  Access the release notes for release-based products.
- N2OS Configuration
  The N2OS Configuration - Reference Guide.
- N2OS Software Development Kit
  The N2OS Software Development Kit (SDK).
- Integration Guides
  Integration guides to help you use applications that integrate with Nozomi Networks products.
- Reference Guides
  Additional reference guides with information on items such as Alerts and Incidents and Federal Information Processing Standards (FIPS).
  - Alerts and Incidents
    - Alerts
      - Alerts
        A description of alerts in the Nozomi Networks software.
        Protocol validations
        An undesired protocol behavior has been detected. This can refer to a wrong single message, to a correct single message not supposed to be transmitted or transmitted at the wrong time (state machines violation) or to a malicious message sequence. Protocol specific error messages indicating misconfigurations also trigger alerts that fall into this category.
        Virtual image
        Virtual image represents a set of information by which Guardian represents the monitored network. This includes for example node properties, links, protocols, function codes, variables, variable values. Such information is collected via learning, smart polling, or external contents, such as Asset Intelligence. Alerts in this group represent deviations from expected behaviors, according to the learned or fed information. When an alert of this category is raised, if the related event is not considered a malicious attack or an anomaly, it can be learned.
        Built-in checks
        Built-in checks are based on specific signatures or hard-coded logics with reference to: known ICS threats (by signatures provided by Threat Intelligence), known malicious operations, system weaknesses, or protocol-compliant operations that can impact the network/ICS functionality. They might also leverage the Learning process to be more accurate.
        Custom checks
        These are checks set in place by the user. Typically the nature of an event related to a custom check cannot generally be referred to a problem per se, if not contextualized to the specific network and installation.
    - Incidents
  - Federal Information Processing Standards
- Quick Start Guides
  Hardware Quick Start Guides.
- Security
  Stay up-to-date with the most recent information and solutions for all vulnerabilities that affect Nozomi Networks products.
- Print format documentation
  A list of all the technical documentation that is available in print format.
- Documentation archive
  Access previous versions of the technical documentation.

Alerts

A description of alerts in the Nozomi Networks software.

Alert types

The Nozomi Networks software generates four categories of alerts. These are:

Protocol validations
Learned behavior
Built-in checks
Custom checks

Some alerts can specify the triggering condition. For example, with some specific information checks, each protocol can instantiate the Malformed Packet Alert.

Type ID

The strict identifier for an alert type. Use this field to setup integrations.

Name

A friendly name identifier.

Security profile

The default security profile the alert type belongs to.

Risk

The default base risk the alert shows. For specific instances, this value is weighted by other factors (the learning state of the involved nodes and their reputation) and it will result in a different number.

Details

General information about the alert event, and what has caused it.

Product Versions

The minimum product versions required to generate the Alert.

Trace

Whether a trace is produced or not.

Note: Traces are always based on buffered data and, depending on the overall network traffic throughput, the buffer might not contain all of the packets responsible for the alert itself. Only the last packet responsible for triggering the alert is always present as the trace is generated.