Nozomi Networks

The Nozomi Networks Guardian platform is a hardware or virtual appliance that is used to monitor OT/IoT/IT networks. It combines asset discovery, network visualization, vulnerability assessment, risk monitoring and threat detection in a single solution. This integration is used to gather alert and asset information from Nozomi.

Configure Nozomi Networks on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Nozomi Networks.
  3. Click Add instance to create and configure a new integration instance.
ParameterDescriptionRequired
endpointEndpoint urlTrue
usernameUsernameTrue
passwordPasswordTrue
insecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse
isFetchFetch incidentsFalse
fetchTimeGet incidents from lastFalse
riskFromGet incidents from risk levelFalse
fecthAlsoIncidentsFetch also nozomi incidentsFalse
  1. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

nozomi-find-assets#


This command permits you to get some assets from Nozomi, you can use the query filter to to refine your search. With the limits you can decide the max number of assets you can retrieve from Nozomi, the limit can't be bigger than 1000.

Base Command#

nozomi-find-assets

Input#

Argument NameDescriptionRequired
filterYou can add a filter to get exactly the assets you want. For example 'where ip match 10.0.1.10', 'where vendor == Selta Telematica S.p.a'Optional
limitMaximun number of assets get from Nozomi, can't be bigger than 1000Optional

Context Output#

PathTypeDescription
Nozomi.Asset.idStringuniq id of an asset
Nozomi.Asset.levelNumbernetwork layer
Nozomi.Asset.capture_deviceStringsource from which the asset was captured
Nozomi.Asset.ipUnknownarray of asset ip
Nozomi.Asset.mac_addressUnknownarray of asset mac address
Nozomi.asset.mac_vendorUnknownarray of mac vendor
osStringoperating system
vendorStringasset vendor
Nozomi.Asset.firmware_versionStringfirmaware version
serial_numberStringserial number
product_nameStringproduct name
typeStringasset type as 'OT_device'
protocolsUnknownarray of asset protocols

Command Example#

!nozomi-find-assets limit=3 filter="| where level == 4"

Context Example#

{
"Nozomi": {
"Asset": [
{
"name": "10.197.23.146",
"level": "1",
"id": "a3707ec4-7c85-437e-9d46-dbabd39b4dc2",
"appliance_hosts": [
"nozomi-dev"
],
"capture_device": "/vagrant/ids-testapi/fixtures/iec104_mestre_mini.pcap",
"ip": [
"10.197.23.146"
],
"mac_address": [
"00:02:3e:99:fe:1b"
],
"mac_address_level": {
"00:02:3e:99:fe:1b": "unconfirmed"
},
"vlan_id": [],
"mac_vendor": [
"Selta Telematica S.p.a"
],
"os": "",
"roles": [
"slave"
],
"vendor": "",
"_asset_kb_id": "",
"vendor:info": {
"source": "passive"
},
"firmware_version": "",
"firmware_version:info": {
"source": "passive"
},
"os_or_firmware": "",
"serial_number": "",
"serial_number:info": {
"source": "passive"
},
"product_name": "",
"product_name:info": {
"source": "passive"
},
"type": "OT_device",
"type:info": {
"source": "passive"
},
"protocols": [
"iec104"
],
"nodes": [
"10.197.23.146"
],
"zones": [
"RemoteRTU"
],
"custom_fields": {}
}
]
}
}

Human Readable Output#

Nozomi Networks - No assets found

nozomi-close-incidents-as-security#


Close incidents as security

Base Command#

nozomi-close-incidents-as-security

Input#

Argument NameDescriptionRequired
idsList of IDs to close as securityOptional

Context Output#

PathTypeDescription
Nozomi.CloseStatusStringStatus of the request
IdsUnknownIds closed
CloseActionStringAs the incidents are closed

Command Example#

!nozomi-close-incidents-as-security ids=['fa441619-39d4-46c1-a2fb-fc3b285c0b64']

Context Example#

{
"Nozomi": {
"CloseAction": "closed_as_security",
"CloseStatus": "SUCCESS",
"Ids": [
"fa441619-39d4-46c1-a2fb-fc3b285c0b64"
]
}
}

Human Readable Output#

Command changes the status of alerts passed as "closed_as_security" in Nozomi Networks platform.

nozomi-close-incidents-as-change#


Close incidents as change

Base Command#

nozomi-close-incidents-as-change

Input#

Argument NameDescriptionRequired
idsList of IDs to close as change.Optional

Context Output#

PathTypeDescription
Nozomi.CloseStatusStringStatus of the request
IdsUnknownIds closed
CloseActionStringAs the incidents are closed

Command Example#

!nozomi-close-incidents-as-change ids=['fa441619-39d4-46c1-a2fb-fc3b285c0b64']

Context Example#

{
"Nozomi": {
"CloseAction": "closed_as_change",
"CloseStatus": "SUCCESS",
"Ids": [
"fa441619-39d4-46c1-a2fb-fc3b285c0b64"
]
}
}

Human Readable Output#

Command changes the status of alerts passed as "closed_as_change" in Nozomi Networks platform.

nozomi-query#


Can execute a nozomi query to get all the information you want. A query can be something like that: "alerts | select id name status ack | where status == open" Take a look to n2os manual to know how to do a query.

Base Command#

nozomi-query

Input#

Argument NameDescriptionRequired
queryA valid queryRequired

Context Output#

PathTypeDescription
Nozomi.Query.ResultUnknownAn array of items
Nozomi.ErrorStringIn case the query is not correct the errors shows you the reason.

Command Example#

!nozomi-query query="links | where from match 192.168.10.2 | where protocol match ssh"

Context Example#

{
"Nozomi": {
"Result": []
}
}

Human Readable Output#

Nozomi Networks - Results for Query#

No entries.

nozomi-find-ip-by-mac#


Find a node ip from a mac address

Base Command#

nozomi-find-ip-by-mac

Input#

Argument NameDescriptionRequired
maca mac addressRequired
only_nodes_confirmedThis argument permit you to return only the nodes IPs from a mac address of nodes having the status to 'confirmed'. Default value is True.Optional

Context Output#

PathTypeDescription
Nozomi.IpByMac.ipsUnknownArray of ips found for the mac address passed, empty if not found.
Nozomi.ErrorStringUsually an ip not found error

Command Example#

!nozomi-find-ip-by-mac mac='00:0c:29:22:50:26' only_nodes_confirmed='True'

Context Example#

{
"Nozomi": {
"Error": "Ip not found"
}
}

Human Readable Output#

Nozomi Networks - No IP results were found for mac address: '00:0c:29:22:50:26'