Home
Guardian
Learn how Guardian provides comprehensive asset inventory and network visibility for OT and IoT environments.
User Guide
Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
Queries
You can use the Nozomi Networks Query Language (N2QL) syntax to create complex data processes to obtain, filter, and analyze lists of information from the Nozomi Networks software.
Commands

Guardian
Learn how Guardian provides comprehensive asset inventory and network visibility for OT and IoT environments.
- Introduction
  An overview of Guardian.
- Installation Guide
  Information and resources on how to install Guardian, and the different options and settings that are available.
- Administrator Guide
  Information and resources about the Administration section of Guardian, and the tasks that you can do in this part of the software.
- User Guide
  Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
  - Sensors
    The Sensors page lets you view all of the sensors that you have in your system.
  - Alerts
    The Alerts page shows all the latest alerts in the system. It lets you view the alerts in different modes, and carry out actions on the alerts.
  - Assets
    The Assets page shows all the physical components and systems in the local network environment and their associated details. It also lets you perform actions on those assets. Depending on the nodes and components involved, assets can range from a simple personal computer to an operational technology (OT) device.
  - Queries
    You can use the Nozomi Networks Query Language (N2QL) syntax to create complex data processes to obtain, filter, and analyze lists of information from the Nozomi Networks software.
  - Smart Polling in Guardian
    The Smart Polling page lets you view and manage Smart Polling.
  - Arc in Guardian
    Arc™ is a host-based sensor that detects and defends against malicious or compromised endpoints, and insider attacks. You can use Arc sensors to aggregate data for analysis and reports, either on-premises, or in the Vantage cloud.
  - Network
    The Network page gives you access to multiple pages that show nodes, links, sessions in tabular format and graphs and traffic in a graphical format.
  - Process
    Process is a set of repeatable functions that a business does to deliver a core value.
  - Reports
    The Reports page lets you manage, generate, schedule and view reports.
  - Assertions
    The Assertions page shows all the assertions and lets you configure them.
  - Time machine
    Time machine lets you load a snapshot, which is a previously saved state, and go back in time, to analyze the data from a past situation. You can load a single snapshot and use the platform as usual or load two snapshots and compare the user interface to highlight changes.
  - Vulnerabilities
    The Nozomi Networks software continuously discovers vulnerabilities in monitored assets.
  - Administration
  - Personal settings
    The personal settings page lets you do actions that are specific to your profile.
- Maintenance Guide
  Information about the maintenance tasks of Guardian, to help you administer and maintain the solution in a production environment.
- Print format documentation
  A list of all the print-format documentation that is available for Guardian.

Commands


Syntax	`select <field1> <field2> ... <fieldN>`
Parameters	the list of field(s) to output
Description	The select command takes all the input items and outputs them with only the selected fields


Syntax	`exclude <field1> <field2> ... <fieldN>`
Parameters	the list of field(s) to remove from the output
Description	The exclude command takes all the input items and outputs them without the specified field(s)


Syntax	where <field> <==\|!=\|<\|>\|<=\|>=\|in?\|include?\|start_with?\|end_with?\|in_subnet?> <value>
Parameters	field: the name of the field to which the operator will be applied operator value: the value used for the comparison. It can be a number, a string, or other data type. Advanced operators can use other data types, such as: a list (using JSON syntax) when using the in? operator, for example: `nodes \| where ip in? ["172.18.41.44"]` another property when using the '$' symbol, for example: `nodes \| where ip != $id`
Description	The where command will send to the output only the items which fulfill the specified criterion, many clauses can be concatenated using the boolean OR operator
Example	`nodes \| where roles include? consumer OR zone == office` `nodes \| where ip in_subnet? 192.168.1.0/24` `<value>` can also be another `<field>`, as in: `links \| where from_zone == $to_zone \| select from_zone to_zone`


Syntax	`sort <field> [asc\|desc]`
Parameters	field: the field used for sorting asc\|desc: the sorting direction
Description	The sort command will sort all the items according to the field and the direction specified, it automatically understands if the field is a number or a string


Syntax	`group_by <field> [ [avg\|sum] [field2] ]`
Parameters	field: the field used for grouping avg\|sum: if specified, the relative operation will be applied on field2
Description	The group_by command will output a grouping of the items using the field value. By default the output will be the count of the occurrences of distinct values. If an operator and a field2 are specified, the output will be the average or the sum of the field2 values


Syntax	`head [count]`
Parameters	count: the number of items to output
Description	The head command will take the first count items, if count is not specified the default is 10


Syntax	`uniq [<field1> <field2> ... <fieldN>]`
Parameters	an optional list of fields on which to calculate the uniqueness
Description	The uniq command will remove from the output the duplicated items


Syntax	`expand <field>`
Parameters	field: the field containing the list of values to be expanded
Description	The expand command will take the list of values contained in field and for each of them it will duplicate the original item substituting the original field value with the current value of the iteration


Syntax	`expand_recursive <field>`
Parameters	field: the field to be recursively expanded
Description	The expand_recursive command will recursively parse the content of field, expanding each array or json structure until a scalar value is found. It generates a new row for each array element or json field. For each new row, it duplicates the original item substituting the original field value with the current value of the iteration and adding a new field that represents the current iteration path from the root


Syntax	`sub <field>`
Parameters	field: the field containing the list of objects
Description	The sub command will output the items contained in field


Syntax	`count`
Parameters
Description	The count command outputs the number of items


Syntax	`pie <label_field> <value_field>`
Parameters	label_field: the field used for each slice label value_field: the field used for the value of the slice, must be a numeric field
Description	The pie command will output a pie chart according to the specified parameters


Syntax	`column <label_field> <value_field ...>`
Parameters	label_field: the field used for each column label value_field: one or more field used for the values of the columns
Description	The column command will output a histogram; for each label a group of columns is displayed with the value from the specified value_field(s). The variant `column_colored_by_label` returns bars of different colors depending on their labels.


Syntax	`history <count_field> <time_field>`
Parameters	count_field: the field used to draw the Y value time_field: the field used to draw the X points of the time series
Description	The history command will draw a chart representing an historic series of values


Syntax	`distance <id_field> <distance_field>`
Parameters	id_field: the field used to tag the resulting distances. distance_field: the field on which distances are computed among entries.
Description	The distance command calculates a series of distances (that is, differences) from the original series of `distance_field`. Each distance value is calculated as the difference between a value and its subsequent occurrence, and tagged using the id_field. For example, assuming we're working with an id and a time field, entering alerts \| distance id time returns a table where each distance entry is characterised by the from_id, to_id, and time_distance fields that represent time differences between the selected alerts.


Syntax	`bucket <field> <range>`
Parameters	field: the field on which the buckets are calculated range: the range of tolerance in which values are grouped
Description	The bucket command will group data in different buckets, different records will be put in the same bucket when the values fall in the same multiple of <range>


Syntax	`join <other_source> <field> <other_source_field>`
Parameters	other_source: the name of the other data source field: the field of the original source used to match the object to join other_source_field: the field of the other data source used to match the object to join
Description	The join command will take two records and will join them in one record when <field> and <other_source_field> have the same value


Syntax	`gauge <field> [min] [max]`
Parameters	field: the value to draw min: the minimum value to put on the gauge scale max: the maximum value to put on the gauge scale
Description	The gauge command will take a value and represent it in a graphical way


Syntax	`value <field>`
Parameters	field: the value to draw
Description	The value command will take a value and represent it in a textual way


Syntax	`reduce <field> [sum\|avg]`
Parameters	field: the field on which the reduction will be performed sum or avg: the reduce operation to perform, it is sum if not specified
Description	The reduce command will take a series of values and calculate a single value


Syntax	size()
Parameters	field: the field to calculate the size of
Description	If the field is an array, then the size function returns the number of entries in the array. If the field contains a string, then the size function returns the number of characters in the string. Note: The size function may only be used on the following data sources: alerts, assets, captured_files, links, nodes, packet_rules, sessions, stix_indicators, subnets, variables, yara_rules, zones, and zone_links.
Example:	`assets \| where size(ip) > 1`