Anomaly detection
The anomaly detection feature of the Nozomi Networks platform continuously monitors network behavior to identify unusual activity that may indicate security threats or operational issues, providing early warnings through real-time analysis, threat intelligence, and comparison tools.
The Nozomi Networks platform uses advanced analysis techniques to detect unusual activity on the network. It monitors the network continuously to learn what normal behavior looks like, and it flags any deviation that could indicate a security problem or an operational issue. Examples of such anomalies are unexpected communication, unauthorized access, and abnormal device behavior. When the platform detects an anomaly, it raises an alert, which helps you find possible cyber threats or internal problems early, even when they are subtle or previously unseen.
The platform also provides a tool called Time Machine, which lets you compare how the network looked at different points in time so you can identify which changes might have caused a problem. It also uses threat intelligence and deep packet inspection to find threats, and it can be scaled to fit the needs of different industries.
Alerts
An alert describes a potentially problematic event detected in the monitored network. The platform notifies you in real time when an alert is raised.
Alerts provide context such as the alert type, involved assets, communication details, and risk level. You can use this information to prioritize investigation and response.
Alert deduplication
In supported product workflows, alert deduplication groups repeated alerts into a single entry. This behavior reduces noise from frequent repeated events and helps you focus on unique issues.
When deduplication is enabled, matching alerts are grouped based on alert type and deduplication key values. The grouped alert represents all occurrences and can include:
- First occurrence: first occurrence timestamp.
- Most recent occurrence: most recent occurrence timestamp.
- Total count: the number of occurrences merged into the alert.
- Occurrence timeline: up to 100 of the most recent occurrence timestamps.
Where these values appear in the interface depends on the product workflow. For exact UI labels and locations, see the product-specific alerts documentation.
If a new occurrence appears for an alert that was already closed, the system reopens the alert automatically.
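The grouping behavior described above (matching on alert type plus deduplication key values, keeping the first and most recent timestamps, a total count, a capped timeline of the 100 most recent occurrences, and automatic reopening of a closed alert) can be illustrated with a small simulation. The following Python is an added example written for this page; it is not Nozomi Networks code and does not use the product's API. The event field names (`type`, `src`, `dst`, `port`, `timestamp`), the choice of which fields form the deduplication key, and the sample events are all constructed assumptions for the demonstration.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, Tuple

# The page states the occurrence timeline keeps up to 100 of the most recent timestamps.
TIMELINE_LIMIT = 100


@dataclass
class GroupedAlert:
    """One deduplicated alert representing every occurrence that shares a key."""
    alert_type: str
    dedup_key: Tuple[str, ...]
    first_occurrence: datetime
    most_recent_occurrence: datetime
    total_count: int = 1
    # deque(maxlen=...) silently drops the oldest entry, so only the newest 100 remain.
    occurrence_timeline: Deque[datetime] = field(
        default_factory=lambda: deque(maxlen=TIMELINE_LIMIT)
    )
    status: str = "open"


class AlertDeduplicator:
    """Groups raw alert events by (alert type, deduplication key values)."""

    def __init__(self, key_fields: Dict[str, Tuple[str, ...]], default_fields: Tuple[str, ...]):
        # key_fields maps an alert type to the event fields that form its dedup key
        # (assumed layout for this example); default_fields applies to any other type.
        self.key_fields = key_fields
        self.default_fields = default_fields
        self.alerts: Dict[Tuple[str, ...], GroupedAlert] = {}

    def _key(self, event: dict) -> Tuple[str, ...]:
        fields = self.key_fields.get(event["type"], self.default_fields)
        return (event["type"],) + tuple(str(event.get(f, "")) for f in fields)

    def ingest(self, event: dict) -> GroupedAlert:
        """Merge one raw event into its grouped alert, creating the group if needed."""
        key = self._key(event)
        ts: datetime = event["timestamp"]
        grouped = self.alerts.get(key)
        if grouped is None:
            grouped = GroupedAlert(event["type"], key[1:], ts, ts)
            grouped.occurrence_timeline.append(ts)
            self.alerts[key] = grouped
            return grouped
        grouped.total_count += 1
        grouped.first_occurrence = min(grouped.first_occurrence, ts)
        grouped.most_recent_occurrence = max(grouped.most_recent_occurrence, ts)
        grouped.occurrence_timeline.append(ts)
        # A new occurrence for an already-closed alert reopens it automatically.
        if grouped.status == "closed":
            grouped.status = "open"
        return grouped

    def close(self, event: dict) -> None:
        """Analyst action: close the grouped alert that this event belongs to."""
        self.alerts[self._key(event)].status = "closed"

    def find(self, event: dict) -> GroupedAlert:
        return self.alerts[self._key(event)]


def run_demo() -> AlertDeduplicator:
    """Constructed scenario: a chatty repeated event, a closure, a reopen, and one distinct event."""
    base = datetime(2024, 1, 1, 8, 0, 0)  # constructed timestamp
    dedup = AlertDeduplicator(
        key_fields={"NEW_COMMUNICATION": ("src", "dst", "port")},
        default_fields=("src", "dst"),
    )
    # Constructed sample: the same source/destination pair is flagged 150 times in 150 seconds.
    repeated = {"type": "NEW_COMMUNICATION", "src": "10.0.0.5", "dst": "10.0.0.9", "port": 502}
    for i in range(150):
        dedup.ingest({**repeated, "timestamp": base + timedelta(seconds=i)})
    dedup.close(repeated)                                    # analyst closes the grouped alert
    dedup.ingest({**repeated, "timestamp": base + timedelta(minutes=10)})  # new occurrence reopens it
    # A different destination produces a different key, so it stays a separate alert.
    dedup.ingest({**repeated, "dst": "10.0.0.10", "timestamp": base + timedelta(minutes=5)})
    return dedup


if __name__ == "__main__":
    for grouped in run_demo().alerts.values():
        print(grouped.alert_type, grouped.dedup_key, grouped.total_count,
              grouped.first_occurrence, grouped.most_recent_occurrence,
              len(grouped.occurrence_timeline), grouped.status)
```

In the scenario, 151 raw occurrences collapse into one grouped alert whose count is 151 but whose timeline holds only the 100 newest timestamps, and the analyst's closure is undone by the later occurrence; the second destination becomes its own alert because its key differs. The practical point is that the deduplication key decides what "repeated" means: a key that omits a field (such as `port`) merges more aggressively, so pick it to match how you triage.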