Home
Guardian
Learn how Guardian provides comprehensive asset inventory and network visibility for OT and IoT environments.
User Guide
Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
Queries
You can use the Nozomi Networks Query Language (N2QL) syntax to create complex data processes to obtain, filter, and analyze lists of information from the Nozomi Networks software.
Basic operators

Guardian
Learn how Guardian provides comprehensive asset inventory and network visibility for OT and IoT environments.
- Introduction
  An overview of Guardian.
- Installation Guide
  Information and resources on how to install Guardian, and the different options and settings that are available.
- Administrator Guide
  Information and resources about the Administration section of Guardian, and the tasks that you can do in this part of the software.
- User Guide
  Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
  - Sensors
    The Sensors page lets you view all of the sensors that you have in your system.
  - Alerts
    The Alerts page shows all the latest alerts in the system. It lets you view the alerts in different modes, and carry out actions on the alerts.
  - Assets
    The Assets page shows all the physical components and systems in the local network environment and their associated details. It also lets you perform actions on those assets. Depending on the nodes and components involved, assets can range from a simple personal computer to an operational technology (OT) device.
  - Queries
    You can use the Nozomi Networks Query Language (N2QL) syntax to create complex data processes to obtain, filter, and analyze lists of information from the Nozomi Networks software.
  - Smart Polling in Guardian
    The Smart Polling page lets you view and manage Smart Polling.
  - Arc in Guardian
    Arc™ is a host-based sensor that detects and defends against malicious or compromised endpoints, and insider attacks. You can use Arc sensors to aggregate data for analysis and reports, either on-premises, or in the Vantage cloud.
  - Network
    The Network page gives you access to multiple pages that show nodes, links, sessions in tabular format and graphs and traffic in a graphical format.
  - Graph
    The Graph pages gives a graphical representation of the nodes in the environment.
  - Process
    Process is a set of repeatable functions that a business does to deliver a core value.
  - Reports
    The Reports page lets you manage, generate, schedule and view reports.
  - Assertions
    The Assertions page shows all the assertions and lets you configure them.
  - Time machine
    Time machine lets you load a snapshot, which is a previously saved state, and go back in time, to analyze the data from a past situation. You can load a single snapshot and use the platform as usual or load two snapshots and compare the user interface to highlight changes.
  - Vulnerabilities
    The Nozomi Networks software continuously discovers vulnerabilities in monitored assets.
  - Administration
  - Personal settings
    The personal settings page lets you do actions that are specific to your profile.
- Maintenance Guide
  Information about the maintenance tasks of Guardian, to help you administer and maintain the solution in a production environment.
- Print format documentation
  A list of all the print-format documentation that is available for Guardian.

Basic operators


Operator	`\|`(pipe, AND logical operator)
Description	Add a where clause with a logical AND, append it using the pipe character (`\|`). For example, the query below returns links that are from 192.168.254.0/24 `AND` going to 172.217.168.0/24.
Example	links \| where from in_subnet? 192.168.254.0/24 \| where to in_subnet? 172.217.168.0/24


Operator	`OR`
Description	To add a where clause with a logical OR, append it using the OR operator. For example, the query below returns links with either the http `OR` the https protocols.
Example	links \| where protocol == http OR protocol == https


Operator	`!` (exclamation point, NOT logical operator)
Description	Put an exclamation point (`!`) before a term to negate it. For example, the query below returns links that do NOT (`!`) belong to 192.168.254.0/24.
Example	nodes \| where ip !in_subnet? 192.168.254.0/24 \| count


Operator	`->`
Description	To change a column name, select it and use the `->` operator followed by the new name. It is worth noting that specific suffixes are parsed and used to visualize the column content differently. For example: `_time` data is shown in a timestamp format (1647590986549 becomes 2022-03-18 09:09:46.549) `_bytes` adds KB or MB, as applicable (50 becomes 50.0 B) `_percent` adds a percentage sign (50 becomes 50%) `_speed` adds a throughput speed in Mb/s (189915 becomes 1.8 Mb/s) `_date` converts numbers into a date format (2022-06-22 15:43:31.297 becomes 2022-06-2214:24:09.280 becomes 2022-06-24 (current day)) `_packets` adds pp after the number of packets (50 becomes 50 pp)
Example 1	`nodes \| select created_at created_at->my_integer \| where my_integer > 946684800000`
Example 2	`nodes \| select created_at->my_creation_time`
Example 3	`nodes \| select tcp_retransmission.bytes->my_retrans_bytes`


Operators	`==`, `=`, `<`, `>`, `<=`, and `>=`
Description	Queries support the mathematical operators listed above.


Operator	`"` (Quotation marks)
Description	Use quotation marks (`"`) to specify an empty string. Consider these two cases where this technique is useful: Finding non-empty values. Example 1 below returns assets where the `os` field is not blank. Specifying that a value in the query is a string (if its type is ambiguous). Example 2 below tells concat to treat the `"--"` parameter as a fixed string to use rather than as a field from the alerts table.
Example 1	`assets \| where os != ""`
Example 2	`alerts \| select concat(id_src,"--",id_dst)`


Operator	`in?`
Description	`in?` is only used with arrays; the field `type` must be an array. The query looks for the text strings you specify using `in?` and returns arrays that match one of them. The example below uses `in?` to find any node having `computer` or `printer` as elements in the array.
Example	`assets \| where type in? ["computer","printer_scanner"]`


Operator	`include?`
Description	The query looks for the text string you specify using `include?` and returns strings that match it. The example below uses `include?` to find assets where the os field contains the string Win.
Example	`assets \| where os include? Win`