Home
Reference Guides
Additional reference guides.
Alerts and Incidents
Alerts
Alerts
A description of alerts in the Nozomi Networks software.

Reference Guides
Additional reference guides.
- Alerts and Incidents
  - Alerts
    - Alerts
      A description of alerts in the Nozomi Networks software.
      - Protocol validations
        An undesired protocol behavior has been detected. This can refer to a wrong single message, to a correct single message not supposed to be transmitted or transmitted at the wrong time (state machines violation) or to a malicious message sequence. Protocol specific error messages indicating misconfigurations also trigger alerts that fall into this category.
      - Virtual image
        Virtual image represents a set of information by which Guardian represents the monitored network. This includes for example node properties, links, protocols, function codes, variables, variable values. Such information is collected via learning, smart polling, or external contents, such as Asset Intelligence. Alerts in this group represent deviations from expected behaviors, according to the learned or fed information. When an alert of this category is raised, if the related event is not considered a malicious attack or an anomaly, it can be learned.
      - Built-in checks
        Built-in checks are based on specific signatures or hard-coded logics with reference to: known ICS threats (by signatures provided by Threat Intelligence), known malicious operations, system weaknesses, or protocol-compliant operations that can impact the network/ICS functionality. They might also leverage the Learning process to be more accurate.
      - Custom checks
        These are checks set in place by the user. Typically the nature of an event related to a custom check cannot generally be referred to a problem per se, if not contextualized to the specific network and installation.
  - Incidents
- Federal Information Processing Standards

Alerts

A description of alerts in the Nozomi Networks software.

Alert types

The Nozomi Networks software generates four categories of alerts. These are:

Protocol validations
Learned behavior
Built-in checks
Custom checks

Some alerts can specify the triggering condition. For example, with some specific information checks, each protocol can instantiate the Malformed Packet Alert.

Type ID

The strict identifier for an alert type. Use this field to setup integrations.

Name

A friendly name identifier.

Security profile

The default security profile the alert type belongs to.

Risk

The default base risk the alert shows. For specific instances, this value is weighted by other factors (the learning state of the involved nodes and their reputation) and it will result in a different number.

Details

General information about the alert event, and what has caused it.

Product Versions

The minimum product versions required to generate the Alert.

Trace

Whether a trace is produced or not.

Note: Traces are always based on buffered data and, depending on the overall network traffic throughput, the buffer might not contain all of the packets responsible for the alert itself. Only the last packet responsible for triggering the alert is always present as the trace is generated.