Virtual image
The Virtual image is the set of information with which Guardian models the monitored network: for example node properties, links, protocols, function codes, variables and variable values. Guardian collects this information through learning, Smart Polling, or external content such as Asset Intelligence. Alerts in this group represent deviations from the expected behavior defined by the learned or imported information. When an alert of this category is raised and the related event is judged not to be a malicious attack or an anomaly, it can be learned, so that it becomes part of the expected behavior and the same event no longer alerts.
| Type ID | Name | Security Profile | Risk | Details | Product Versions | Trace |
|---|---|---|---|---|---|---|
| SIGN:WIRELESS:CELLULAR-ROGUE | Rogue Cell Tower Detected | LOW | 7 | Rogue cell towers are false base stations that hijack nearby mobile device connections and perform active or passive attacks against those devices. They trick the device into believing it is connected to an authorized cell tower, leaving it open to man-in-the-middle attacks and eroding privacy: an attacker can collect private information indirectly through metadata, track users' locations, and capture the content of messages or calls. The mobile device's operating system cannot currently detect a rogue cell tower on its own. The attacker is usually not far from the targeted devices, so where possible start an investigation to locate suspicious antennas. If supported, it is also advisable to use the device's full 5G connection, which is less vulnerable than 3G (UMTS) and 4G (LTE) connections. | Guardian Air 1.0.1 | YES |
| VI:CONF-MISMATCH | Configuration Mismatch | MEDIUM | 7 | A parameter describing a configuration version that was previously imported from a project has been observed with a different value in the traffic. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 20.0.0 | YES |
| VI:GLOBAL:NEW-FUNC-CODE | New global function code | MEDIUM | 5 | A previously unknown protocol function code has appeared in the network. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 19.0.0 | YES |
| VI:GLOBAL:NEW-MAC-VENDOR | New global MAC vendor | MEDIUM | 5 | A previously unknown MAC vendor (OUI) has appeared in the network. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 19.0.4 | YES |
| VI:GLOBAL:NEW-VAR-PRODUCER | New global variable producer | HIGH | 5 | A node has started sending variables. This can be a new command, a new object, or an attacker's attempt to enumerate existing variables. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 21.3.0 | YES |
| VI:KB:UNKNOWN-FUNC-CODE | Unknown asset function code | HIGH | 5 | The node has communicated using a function code that is not known for this kind of asset. This detection relies on the specific asset's profile being known through Asset Intelligence. Validate the event and learn it if legitimate, or treat it as an anomaly. | Asset Intelligence | YES |
| VI:KB:UNKNOWN-PROTOCOL | Unknown asset's protocol | HIGH | 5 | The node has communicated using a protocol that is not known for this kind of asset. This detection relies on the specific asset's profile being known through Asset Intelligence. Validate the event and learn it if legitimate, or treat it as an anomaly. | Asset Intelligence | YES |
| VI:NEW-ARP | New ARP | HIGH | 4 | A new MAC address has started sending ARP requests. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 18.0.0 | YES |
| VI:NEW-FUNC-CODE | New function code | HIGH | 6 | A known protocol between two nodes has started using a new function code (i.e. message type). For example, if client A normally uses the function code 'read' when talking to server B, this alert is raised when client A begins to use the function code 'write'. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 18.0.0 | YES |
| VI:NEW-LINK | New link | HIGH | 4 | Two nodes have started communicating with each other using a new protocol. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 18.0.0 | YES |
| VI:NEW-LINK-CONFIRMED | New confirmed link | HIGH | 5 | Two nodes have started communicating with each other using a new, confirmed protocol. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 18.0.0 | YES |
| VI:NEW-LINK-GROUP | New link group | HIGH | 5 | Two nodes that had not previously communicated have started communicating with each other. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 18.0.0 | YES |
| VI:NEW-MAC | New MAC address | HIGH | 6 | A new MAC address has appeared in the network. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 18.0.0 | YES |
| VI:NEW-NET-DEV | New network device | MEDIUM | 3 | A new network device (switch or router) has appeared on the network. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 18.0.0 | YES |
| VI:NEW-NODE | New node | MEDIUM | 5 | A new node has appeared on the network. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 18.0.0 | YES |
| VI:NEW-NODE:DUALUSE-IP | DUALUSE IP (new node) | MEDIUM | 4 | A new node with a suspicious (dual-use) IP address has been detected. Validate the health status of the communicating nodes, as they may be infected by malware. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 24.0.0 | YES |
| VI:NEW-NODE:MALICIOUS-IP | Bad IP reputation (new node) | LOW | 5 | A new node whose IP address has a bad reputation has been detected. Validate the health status of the communicating nodes, as they may be infected by malware. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 20.0.0 | YES |
| VI:NEW-NODE:PUA-IP | PUA IP (new node) | MEDIUM | 4 | A node has contacted an IP address associated with a potentially unwanted application (PUA). This is normally less dangerous than malware but may have undesired privacy effects. Verify that the applications installed on the involved asset are the expected ones. | Guardian 24.0.0 | YES |
| VI:NEW-NODE:TARGET | New target node | HIGH | 4 | A new target node has appeared on the network. This node is not yet confirmed to exist, as it has not yet sent back any data. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 18.0.0 | YES |
| VI:PROC:NEW-VALUE | New OT variable value | HIGH | 6 | A variable has been set to a value never seen before. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 18.0.0 | YES |
| VI:PROC:NEW-VAR | New OT variable | HIGH | 6 | A new variable has been sent, or accessed by a client. This can be a new command, a new object, or an attacker's attempt to enumerate existing variables. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 18.0.0 | YES |
| VI:PROC:PROTOCOL-FLOW-ANOMALY | Protocol flow anomaly | HIGH | 8 | A message that reads or writes one or more variables and is sent cyclically has changed its transmission interval. Example: an IEC 104 command breaking its normal transmission cycle. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 18.0.0 | YES |
| VI:PROC:VARIABLE-FLOW-ANOMALY | Variable flow anomaly | HIGH | 6 | A variable that is sent cyclically has changed its transmission interval. Validate the event and learn it if legitimate, or treat it as an anomaly. | Guardian 18.0.0 | YES |
| VI:WIRELESS:ROGUE-AP | Rogue Access Point | LOW | 8 | A new access point has been detected advertising a known SSID, but its vendor differs from that of the existing access points using that SSID. Check whether the discovered access point is legitimate network equipment. | Guardian Air 1.0.2 | NO |
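Every alert in this table comes from the same loop: a baseline (the virtual image) is learned from traffic, each new message is checked against it, and a deviation the operator validates as legitimate is learned back into the baseline. The following is an added example, not Guardian's code, that runs that loop over constructed Modbus-style records and emits the table's type IDs for new nodes, links, function codes, variables, values and off-cycle variables. The node names, protocol, variable names, the median-based cycle estimate and the 50% interval tolerance are all assumptions made for the illustration.

```python
"""Toy 'virtual image' detector: learn a baseline, check traffic, learn validated deviations.

Added example, not Guardian code. All traffic records below are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Msg:
    """One observed request, reduced to the fields the virtual image cares about."""
    t: float                     # capture timestamp in seconds
    src: str                     # client node (assumed name)
    dst: str                     # server node (assumed name)
    proto: str                   # protocol, e.g. "modbus" (assumed)
    func: str                    # function code / message type, e.g. "read", "write"
    var: Optional[str] = None    # OT variable touched, if any
    value: Optional[int] = None  # value carried, if any


@dataclass
class VirtualImage:
    """Learned baseline: nodes, links, per-link function codes, variables, values, cycle times."""
    nodes: set = field(default_factory=set)
    links: set = field(default_factory=set)                                    # (src, dst, proto)
    variables: set = field(default_factory=set)
    func_codes: defaultdict = field(default_factory=lambda: defaultdict(set))  # link -> {func}
    var_values: defaultdict = field(default_factory=lambda: defaultdict(set))  # var -> {value}
    deltas: defaultdict = field(default_factory=lambda: defaultdict(list))     # var -> [interval]
    last_seen: dict = field(default_factory=dict)                              # var -> timestamp

    def learn(self, m: Msg) -> None:
        """Fold one message into the baseline (learning phase, or 'learn it if legitimate')."""
        link = (m.src, m.dst, m.proto)
        self.nodes.update((m.src, m.dst))
        self.links.add(link)
        self.func_codes[link].add(m.func)
        if m.var is not None:
            self.variables.add(m.var)
            if m.value is not None:
                self.var_values[m.var].add(m.value)
            if m.var in self.last_seen:
                self.deltas[m.var].append(m.t - self.last_seen[m.var])
            self.last_seen[m.var] = m.t

    def period(self, var: str) -> Optional[float]:
        """Learned cycle time of a variable: median interval, or None if not yet seen cyclically."""
        d = self.deltas.get(var, [])
        return median(d) if len(d) >= 2 else None

    def check(self, m: Msg, tolerance: float = 0.5) -> list[str]:
        """Compare one message against the baseline without learning it; return alert type IDs."""
        alerts: list[str] = []
        link = (m.src, m.dst, m.proto)
        for node in (m.src, m.dst):
            if node not in self.nodes:
                alerts.append("VI:NEW-NODE")
        if link not in self.links:
            alerts.append("VI:NEW-LINK")
        elif m.func not in self.func_codes.get(link, set()):
            alerts.append("VI:NEW-FUNC-CODE")          # known link, unseen function code
        if m.var is not None:
            if m.var not in self.variables:
                alerts.append("VI:PROC:NEW-VAR")
            elif m.value is not None and m.value not in self.var_values.get(m.var, set()):
                alerts.append("VI:PROC:NEW-VALUE")
            p = self.period(m.var)
            if p is not None and m.var in self.last_seen:
                # Assumed rule: flag when the interval drifts by more than tolerance * learned period.
                if abs((m.t - self.last_seen[m.var]) - p) > tolerance * p:
                    alerts.append("VI:PROC:VARIABLE-FLOW-ANOMALY")
            self.last_seen[m.var] = m.t  # timing state advances even when nothing is learned
        return alerts


def build_baseline() -> VirtualImage:
    """Learning phase on constructed traffic: HMI_A reads PT101 from PLC_B once per second."""
    vi = VirtualImage()
    for i, val in enumerate([100, 101, 102, 101, 100]):
        vi.learn(Msg(float(i), "HMI_A", "PLC_B", "modbus", "read", "PT101", val))
    return vi


def run_demo() -> list[tuple[str, list[str]]]:
    """Check constructed post-learning traffic, then learn one validated deviation."""
    vi = build_baseline()
    traffic = [
        ("baseline read", Msg(5.0, "HMI_A", "PLC_B", "modbus", "read", "PT101", 101)),
        ("first write", Msg(6.0, "HMI_A", "PLC_B", "modbus", "write", "PT101", 101)),
        ("unknown host", Msg(6.5, "LAPTOP_C", "PLC_B", "modbus", "read", "FT200", 7)),
        ("unseen value", Msg(7.0, "HMI_A", "PLC_B", "modbus", "read", "PT101", 999)),
        ("off-cycle", Msg(7.2, "HMI_A", "PLC_B", "modbus", "read", "PT101", 100)),
    ]
    results = [(label, vi.check(m)) for label, m in traffic]
    # The operator validated the write as legitimate: learning it stops the alert.
    vi.learn(Msg(8.2, "HMI_A", "PLC_B", "modbus", "write", "PT101", 101))
    results.append(("write after learning",
                    vi.check(Msg(9.2, "HMI_A", "PLC_B", "modbus", "write", "PT101", 101))))
    return results


if __name__ == "__main__":
    for label, alerts in run_demo():
        print(f"{label:22s} {alerts or 'no alert'}")
```

Note that `check` deliberately never touches the baseline sets: only the explicit `learn` call does, which is the point of the "validate, then learn" workflow. The off-cycle case also shows why an operator should not blindly learn timing alerts: learning the 0.2 s message would pull the learned period down and mask the next deviation.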