Home
Guardian
Learn how Guardian provides comprehensive asset inventory and network visibility for OT and IoT environments.
User Guide
Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
Queries
You can use the Nozomi Networks Query Language (N2QL) syntax to create complex data processes to obtain, filter, and analyze lists of information from the Nozomi Networks software.

Guardian
Learn how Guardian provides comprehensive asset inventory and network visibility for OT and IoT environments.
- Introduction
  An overview of Guardian.
- Installation Guide
  Information and resources on how to install Guardian, and the different options and settings that are available.
- Administrator Guide
  Information and resources about the Administration section of Guardian, and the tasks that you can do in this part of the software.
- User Guide
  Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
  - Sensors
    The Sensors page lets you view all of the sensors that you have in your system.
  - Alerts
    The Alerts page shows all the latest alerts in the system. It lets you view the alerts in different modes, and carry out actions on the alerts.
  - Assets
    The Assets page shows all the physical components and systems in the local network environment and their associated details. It also lets you perform actions on those assets. Depending on the nodes and components involved, assets can range from a simple personal computer to an operational technology (OT) device.
  - Queries
    You can use the Nozomi Networks Query Language (N2QL) syntax to create complex data processes to obtain, filter, and analyze lists of information from the Nozomi Networks software.
  - Smart Polling in Guardian
    The Smart Polling page lets you view and manage Smart Polling.
  - Arc in Guardian
    Arc™ is a host-based sensor that detects and defends against malicious or compromised endpoints, and insider attacks. You can use Arc sensors to aggregate data for analysis and reports, either on-premises, or in the Vantage cloud.
  - Network
    The Network page gives you access to multiple pages that show nodes, links, sessions in tabular format and graphs and traffic in a graphical format.
  - Process
    Process is a set of repeatable functions that a business does to deliver a core value.
  - Reports
    The Reports page lets you manage, generate, schedule and view reports.
  - Assertions
    The Assertions page shows all the assertions and lets you configure them.
  - Time machine
    Time machine lets you load a snapshot, which is a previously saved state, and go back in time, to analyze the data from a past situation. You can load a single snapshot and use the platform as usual or load two snapshots and compare the user interface to highlight changes.
  - Vulnerabilities
    The Nozomi Networks software continuously discovers vulnerabilities in monitored assets.
  - Administration
  - Personal settings
    The personal settings page lets you do actions that are specific to your profile.
- Maintenance Guide
  Information about the maintenance tasks of Guardian, to help you administer and maintain the solution in a production environment.
- Print format documentation
  A list of all the print-format documentation that is available for Guardian.

Queries

You can use the Nozomi Networks Query Language (N2QL) syntax to create complex data processes to obtain, filter, and analyze lists of information from the Nozomi Networks software.

In Nozomi Networks Query Language (N2QL), queries consist of:

Data sources

Queries start by calling a data source. For example:

nodes | sort received.bytes desc | head

This query will show, in table format, the first 10 nodes that received the most bytes. If you add the pie command at the end of the query, the results will show in a pie chart format, where each slice has node id as the label and the received.bytes field as data.

For example:

nodes | sort received.bytes desc | head | pie ip received.bytes

Queries example — Figure 1. Queries example

Functions

You might not achieved your desired result just using queries. Consequently, query syntax supports functions. With functions, you can apply calculations to the fields and use the results as a new temporary field. For example, the query:

nodes | sort sum(sent.bytes,received.bytes) desc | column ip sum(sent.bytes,received.bytes)

uses the sum function to sort on the aggregated parameters, which produces a chart with the columns representing the sum of the sent and received bytes.

Prefix

The $ is a prefix that changes the interpretation of the right hand side (rhs) of a where clause. By default, the rhs is interpreted as a string. With the $ prefix, the interpretation of the rhs changes to a field name.

For example, in a query such as:

nodes | where id == 17.179.252.2

the right side of the == is expected to be a constant. If you create a query such as:

nodes | where id == id

the query tries to match all of the nodes having id equal to the string id.

If, however, you use the $, the second field is interpreted as a field, not a constant:

nodes | where id == $id

and returns the full list of records.