Threat Intelligence overview

Threat Intelligence (TI) is an add-on feature that enriches assets with additional information to improve detection of malware and anomalies.

Threat Intelligence (TI) constantly monitors operational technology (OT) / Internet of Things (IoT) threat and vulnerability intelligence, which improves malware and anomaly detection. It includes managing packet rules, YARA rules, Structured Threat Information Expression (STIX) indicators and vulnerabilities.

Threat Intelligence permits new content to be:
  • Added
  • Edited
  • Deleted
It also lets existing content be enabled or disabled.
In order to identify malicious events, TI continuously analyzes network traffic and asset configuration details, and compares them with:

TI packages can be controlled at a modular level to:

  • Disable or enable individual rules
  • Manually add rules to investigate and deliver customer alerts
TI is a curated, proprietary subscription service. You can use it with Nozomi Networks products, or with third-party software. This subscription lets you receive an automatic and continuous flow of updated threat intelligence information into Guardian sensors to detect the most up-to-date methods of attack. You can manage TI content from:

This makes it easy to propagate TI contents to an unlimited number of Nozomi Networks sensors.

You can set TI contents to update automatically, or you can upload a local file to manually update the Nozomi Networks sensors. This lets you operate the system in a fully air-gapped environment.


To provide detailed threat information, the TI screen lets you manage:
  • Packet rules
  • YARA rules
  • STIX indicators
  • Vulnerabilities

Packet rules

Packet rules are executed on every packet. If a match is detected, they raise an alert of type SIGN:PACKET-RULE.

For more details on how to format packet rules, see the Packet Rules Reference.

YARA rules

YARA rules are executed on every file transferred over the network by protocols such as hypertext transfer protocol (HTTP) or server message block (SMB). When a match is detected, an alert of type SIGN:MALWARE-DETECTED is raised. YARA rules conform to the specifications found at YARA Rules.

STIX indicators

The information that STIX indicators contain:

This information enriches existing alerts, and raises new ones.


Vulnerabilities

Vulnerabilities are assigned to each node, depending on the installed hardware and operating system, and the software identified in the traffic. The Nozomi Networks solution leverages Common Vulnerabilities and Exposures (CVE), a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures.