Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Nozomi Guardian Integration Guide

integrations ot nozomi

Nozomi Guardian is a network-based security solution designed to keep Industrial Control Systems (ICSs) operational. It passively observes network traffic to provide comprehensive OT and IoT asset visibility and monitoring.

The following instructions are for configuring Guardian to facilitate log ingestion into Secureworks® Taegis™ XDR.

Logs can be sent from individual Guardian sensors or the Central Management Console (CMC).


Adding this integration to your XDR tenant requires Taegis™ XDR for OT. Contact your account manager or CSM to acquire the required license.

Connectivity Requirements

Source Destination Port/Protocol
Guardian Sensor or CMC Taegis™ XDR Collector (mgmt IP) UDP/514

Data Provided from Integration

The following Guardian event types are supported by XDR.


Event types not listed above are normalized to the generic schema.

  Antivirus Auth DHCP DNS Email Encrypt File HTTP Management Netflow NIDS Process Thirdparty
Nozomi Guardian                         Y

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections


XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure the Guardian Sensor

Follow the instructions in the Nozomi user manual to configure the Guardian sensor to forward events in CEF format to XDR.

Enter the following information:

Parameter Value
Endpoint Configured as Common Event Format (CEF)
To URI udp://<XDR Collector (mgmt IP)>:514

Advanced Search using the Query Language

Nozomi Advanced Search

Nozomi Advanced Search

Example Query Language Searches

To search for thirdparty events from the last 24 hours:

FROM thirdparty WHERE sensor_type = 'Nozomi' and EARLIEST=-24h

To search for events that were classified by Nozomi as "Critical":

WHERE sensor_type = 'Nozomi' AND vendor_severity = 'High'

To search for thirdparty events from a specific Guardian sensor or CMC:

FROM thirdparty WHERE sensor_type = 'Nozomi' AND sensor_id = ''

Event Details

CTD Event Details

Nozomi Event Details

Sample Logs

Guardian Alert

CEF:0|Nozomi Networks|N2OS|23.2.0-08022302_214DC|VI:NEW-LINK-GROUP|New link group|8|app=other dvc= dvchost=nozomi-guardian-1 cs1=7.5 cs2=true cs3=d25c520f-7f79-4820-b5ae-d1b334b05c75 cs5=["013fc297-fef2-5720-8cff-70fe5218dec8"] cs6=3 cs1Label=Risk cs2Label=IsSecurity cs3Label=Id cs5Label=Parents cs6Label=n2os_schema dst= dhost=demo-1.domain.com dmac=AA:11:BB:22:CC:33 dpt=54443 flexString3=New link group flexString3Label=Name msg=New link group with protocol other between and src= shost=hostname-1 smac=AA:11:BB:22:CC:33 spt=50553 proto=TCP start=1698105234260


On this page: