Built-in checks

Built-in checks are based on specific signatures or hard-coded logic that reference known ICS threats (via signatures provided by Threat Intelligence), known malicious operations, system weaknesses, or protocol-compliant operations that can impact network or ICS functionality. They might also leverage the Learning process to be more accurate.

| Type ID | Name | Details |
|---|---|---|
| INCIDENT:BRUTE-FORCE-ATTACK | Brute-force Attack | Several failed login attempts to a node, using a specific protocol, have been detected. Investigate the host making the login attempts. |
| INCIDENT:ENG-OPERATIONS | Engineering Operations | Various operations that modify the configuration, the program, or the status of a device have been detected. Validate the engineering operations. |
| INCIDENT:FORCE-COMMAND | Force Command | A command to manually force a variable value has been detected. Investigate the entity that initiated the forcing. |
| INCIDENT:FUNCTION-CODE-SCAN | Function Code Scan | A node has performed several actions that are not supported by the target devices. Investigate the configuration of the source and destination devices. |
| INCIDENT:ILLEGAL-PARAMETER-SCAN | Illegal Parameter Scan | A node has performed a scan of the parameters available on a device. Investigate the authenticity of the source. |
| INCIDENT:MALICIOUS-FILE | Malicious File | A compressed archive containing malware has been transferred. Investigate the malware source and the infected device, and consider removing the file. |
| INCIDENT:SUSPICIOUS-ACTIVITY | Suspicious Activity | Suspicious activity that can potentially be related to known malware has been detected between two nodes. Investigate the malware source and the infected device. |
| INCIDENT:WEAK-PASSWORDS | Weak Passwords | Several weak passwords have been detected in this communication. Consider switching to secure communication, or evaluate the risks of having this data exposed on the network. |