Home
Resources
Reference Guides
Additional reference guides with information on items such as Alerts and Incidents and Federal Information Processing Standards (FIPS).
Alerts and Incidents
Incidents
Incidents
Incidents are a set of alerts that are related to each other. You can use them to streamline alerts analysis. The user interface (UI) lets you group alerts into incidents. You can toggle the view between Alerts or Incidents.
Built-in checks
Built-in checks are based on specific signatures or hard-coded logics with reference to: known ICS threats (by signatures provided by Threat Intelligence), known malicious operations, system weaknesses, or protocol-compliant operations that can impact the network/ICS functionality. They might also leverage the Learning process to be more accurate.

Resources
- Release Notes
  Access the release notes for release-based products.
- N2OS Configuration
  The N2OS Configuration - Reference Guide.
- N2OS Software Development Kit
  The N2OS Software Development Kit (SDK).
- Integration Guides
  Integration guides to help you use applications that integrate with Nozomi Networks products.
- Reference Guides
  Additional reference guides with information on items such as Alerts and Incidents and Federal Information Processing Standards (FIPS).
  - Alerts and Incidents
    - Alerts
    - Incidents
      - Incidents
        Incidents are a set of alerts that are related to each other. You can use them to streamline alerts analysis. The user interface (UI) lets you group alerts into incidents. You can toggle the view between Alerts or Incidents.
        Protocol validations
        An undesired protocol behavior has been detected. This can refer to a wrong single message, to a correct single message not supposed to be transmitted or transmitted at the wrong time (state machines violation) or to a malicious message sequence. Protocol specific error messages indicating misconfigurations also trigger alerts that fall into this category.
        Virtual image
        Virtual image represents a set of information by which Guardian represents the monitored network. This includes for example node properties, links, protocols, function codes, variables, variable values. Such information is collected via learning, smart polling, or external contents, such as Asset Intelligence. Alerts in this group represent deviations from expected behaviors, according to the learned or fed information. When an alert of this category is raised, if the related event is not considered a malicious attack or an anomaly, it can be learned.
        Built-in checks
        Built-in checks are based on specific signatures or hard-coded logics with reference to: known ICS threats (by signatures provided by Threat Intelligence), known malicious operations, system weaknesses, or protocol-compliant operations that can impact the network/ICS functionality. They might also leverage the Learning process to be more accurate.
  - Federal Information Processing Standards
- Quick Start Guides
  Hardware Quick Start Guides.
- Security
  Stay up-to-date with the most recent information and solutions for all vulnerabilities that affect Nozomi Networks products.
- Print format documentation
  A list of all the technical documentation that is available in print format.
- Documentation archive
  Access previous versions of the technical documentation.

Built-in checks

Built-in checks are based on specific signatures or hard-coded logics with reference to: known ICS threats (by signatures provided by Threat Intelligence), known malicious operations, system weaknesses, or protocol-compliant operations that can impact the network/ICS functionality. They might also leverage the Learning process to be more accurate.


Type ID	Name	Details
INCIDENT:BRUTE-FORCE-ATTACK	Brute-force Attack	Several failed login attempts to a node, using a specific protocol, are detected. Investigate on the host attempting the login attempts.
INCIDENT:ENG-OPERATIONS	Engineering Operations	Various operations to modify the configuration, the program, or the status of a device have been detected. Validate the engineering operations.
INCIDENT:FORCE-COMMAND	Force Command	A command to manually force a variable value has been detected. Investigate on the entity that has initiated the forcing.
INCIDENT:FUNCTION-CODE-SCAN	Function Code Scan	A node has performed several actions that are not supported by the target devices. Investigate the source and destination devices configuration.
INCIDENT:ILLEGAL-PARAMETER-SCAN	Illegal Parameter Scan	A node has performed a scan of the parameters available on a device. Investigate the source authenticity.
INCIDENT:MALICIOUS-FILE	Malicious File	A compressed archive with some malware inside has been transferred. Investigate on the malware source and infected device, and consider to remove the file.
INCIDENT:SUSPICIOUS-ACTIVITY	Suspicious Activity	Suspicious activity that can be potentially related to known malware has been detected over two nodes. Investigate on the malware source and infected device.
INCIDENT:WEAK-PASSWORDS	Weak Passwords	Several weak passwords have been detected on this communication. Consider to update to secure communication or evaluate the risks of having this data exposed on the network.