Nozomi Networks
Nozomi Networks Pack.#
This Integration is part of theThe Nozomi Networks Guardian platform is a hardware or virtual appliance that is used to monitor OT/IoT/IT networks. It combines asset discovery, network visualization, vulnerability assessment, risk monitoring and threat detection in a single solution. This integration is used to gather alert and asset information from Nozomi.
#
Configure Nozomi Networks in CortexParameter | Description | Required |
---|---|---|
endpoint | Endpoint url | True |
username | Username | True |
password | Password | True |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
isFetch | Fetch incidents | False |
fetchTime | Get incidents from last | False |
riskFrom | Get incidents from risk level | False |
fecthAlsoIncidents | Fetch also nozomi incidents | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
nozomi-find-assetsThis command permits you to get some assets from Nozomi, you can use the query filter to to refine your search. With the limits you can decide the max number of assets you can retrieve from Nozomi, the limit can't be bigger than 1000.
#
Base Commandnozomi-find-assets
#
InputArgument Name | Description | Required |
---|---|---|
filter | You can add a filter to get exactly the assets you want. For example 'where ip match 10.0.1.10', 'where vendor == Selta Telematica S.p.a' | Optional |
limit | Maximun number of assets get from Nozomi, can't be bigger than 1000 | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Nozomi.Asset.id | String | uniq id of an asset |
Nozomi.Asset.level | Number | network layer |
Nozomi.Asset.capture_device | String | source from which the asset was captured |
Nozomi.Asset.ip | Unknown | array of asset ip |
Nozomi.Asset.mac_address | Unknown | array of asset mac address |
Nozomi.asset.mac_vendor | Unknown | array of mac vendor |
os | String | operating system |
vendor | String | asset vendor |
Nozomi.Asset.firmware_version | String | firmaware version |
serial_number | String | serial number |
product_name | String | product name |
type | String | asset type as 'OT_device' |
protocols | Unknown | array of asset protocols |
#
Command Example!nozomi-find-assets limit=3 filter="| where level == 4"
#
Context Example#
Human Readable OutputNozomi Networks - No assets found
#
nozomi-close-incidents-as-securityClose incidents as security
#
Base Commandnozomi-close-incidents-as-security
#
InputArgument Name | Description | Required |
---|---|---|
ids | List of IDs to close as security | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Nozomi.CloseStatus | String | Status of the request |
Ids | Unknown | Ids closed |
CloseAction | String | As the incidents are closed |
#
Command Example!nozomi-close-incidents-as-security ids=['fa441619-39d4-46c1-a2fb-fc3b285c0b64']
#
Context Example#
Human Readable OutputCommand changes the status of alerts passed as "closed_as_security" in Nozomi Networks platform.
#
nozomi-close-incidents-as-changeClose incidents as change
#
Base Commandnozomi-close-incidents-as-change
#
InputArgument Name | Description | Required |
---|---|---|
ids | List of IDs to close as change. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Nozomi.CloseStatus | String | Status of the request |
Ids | Unknown | Ids closed |
CloseAction | String | As the incidents are closed |
#
Command Example!nozomi-close-incidents-as-change ids=['fa441619-39d4-46c1-a2fb-fc3b285c0b64']
#
Context Example#
Human Readable OutputCommand changes the status of alerts passed as "closed_as_change" in Nozomi Networks platform.
#
nozomi-queryCan execute a nozomi query to get all the information you want. A query can be something like that: "alerts | select id name status ack | where status == open" Take a look to n2os manual to know how to do a query.
#
Base Commandnozomi-query
#
InputArgument Name | Description | Required |
---|---|---|
query | A valid query | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Nozomi.Query.Result | Unknown | An array of items |
Nozomi.Error | String | In case the query is not correct the errors shows you the reason. |
#
Command Example!nozomi-query query="links | where from match 192.168.10.2 | where protocol match ssh"
#
Context Example#
Human Readable Output#
Nozomi Networks - Results for QueryNo entries.
#
nozomi-find-ip-by-macFind a node ip from a mac address
#
Base Commandnozomi-find-ip-by-mac
#
InputArgument Name | Description | Required |
---|---|---|
mac | a mac address | Required |
only_nodes_confirmed | This argument permit you to return only the nodes IPs from a mac address of nodes having the status to 'confirmed'. Default value is True. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Nozomi.IpByMac.ips | Unknown | Array of ips found for the mac address passed, empty if not found. |
Nozomi.Error | String | Usually an ip not found error |
#
Command Example!nozomi-find-ip-by-mac mac='00:0c:29:22:50:26' only_nodes_confirmed='True'
#
Context Example#
Human Readable OutputNozomi Networks - No IP results were found for mac address: '00:0c:29:22:50:26'