Home
Reference Guides
Additional reference guides.
Alerts and Incidents
Incidents
Incidents are a set of alerts that are related to each other. You can use them to streamline alerts analysis. The user interface (UI) lets you group alerts into incidents. You can toggle the view between Alerts or Incidents.
Hybrid threat detection
The Hybrid Category is assigned when Alerts belonging to different categories as defined in the Alerts Dictionary are grouped within such one incident. The other categories are as defined in the Alerts Dictionary.

Reference Guides
Additional reference guides.
- Alerts and Incidents
  - Alerts
    A description of alerts in the Nozomi Networks software.
  - Incidents
    Incidents are a set of alerts that are related to each other. You can use them to streamline alerts analysis. The user interface (UI) lets you group alerts into incidents. You can toggle the view between Alerts or Incidents.
    - Protocol validations
      An undesired protocol behavior has been detected. This can refer to a wrong single message, to a correct single message not supposed to be transmitted or transmitted at the wrong time (state machines violation) or to a malicious message sequence. Protocol specific error messages indicating misconfigurations also trigger alerts that fall into this category.
    - Virtual image
      Virtual image represents a set of information by which Guardian represents the monitored network. This includes for example node properties, links, protocols, function codes, variables, variable values. Such information is collected via learning, smart polling, or external contents, such as Asset Intelligence. Alerts in this group represent deviations from expected behaviors, according to the learned or fed information. When an alert of this category is raised, if the related event is not considered a malicious attack or an anomaly, it can be learned.
    - Built-in checks
      Built-in checks are based on specific signatures or hard-coded logics with reference to: known ICS threats (by signatures provided by Threat Intelligence), known malicious operations, system weaknesses, or protocol-compliant operations that can impact the network/ICS functionality. They might also leverage the Learning process to be more accurate.
    - Hybrid threat detection
      The Hybrid Category is assigned when Alerts belonging to different categories as defined in the Alerts Dictionary are grouped within such one incident. The other categories are as defined in the Alerts Dictionary.
- Federal Information Processing Standards

Hybrid threat detection

The Hybrid Category is assigned when Alerts belonging to different categories as defined in the Alerts Dictionary are grouped within such one incident. The other categories are as defined in the Alerts Dictionary.


Type ID	Name	Details
INCIDENT:NEW-COMMUNICATIONS	New Communications	A node has started to communicate with a new protocol. Investigate whether such communication is legitimate.
INCIDENT:NEW-NODE	New Node	A new node has started to send packets in the network. Validate the set of events and learn them if legitimate, or treat them as anomalies.
INCIDENT:PORT-SCAN	Network Scan	A node has executed a series of scans in the network. Investigate whether it is an expected behavior or a malicious scan activity is undergoing.