
Nozomi Guardian Integration Guide

Nozomi Guardian is a network-based security solution designed to keep Industrial Control Systems (ICSs) operational. It passively observes network traffic to provide comprehensive OT and IoT asset visibility and monitoring.

The following instructions are for configuring Guardian to facilitate log ingestion into Secureworks® Taegis™ XDR.

Logs can be sent from individual Guardian sensors or the Central Management Console (CMC).

Important

Adding this integration to your XDR tenant requires Taegis™ XDR for OT. Contact your account manager or CSM to acquire the required license.

Connectivity Requirements

Source                  Destination                        Port/Protocol
Guardian Sensor or CMC  Taegis™ XDR Collector (mgmt IP)    UDP/514

Data Provided from Integration

The following Guardian event types are supported by XDR.

                 Antivirus  Auth  DHCP  DNS  Email  Encrypt  File  HTTP  Management  Netflow  NIDS  Process  Thirdparty
Nozomi Guardian                                                                                                 Y

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

Event types not listed above are normalized to the generic schema.

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure the Guardian Sensor

Follow the instructions in the Nozomi user manual to configure the Guardian sensor to forward events in CEF format to XDR.

Enter the following information:

Parameter  Value
Endpoint   Configured as Common Event Format (CEF)
To URI     udp://<XDR Collector (mgmt IP)>:514

Advanced Search using the Query Language

Example Query Language Searches

To search for thirdparty events from the last 24 hours:

FROM thirdparty WHERE sensor_type = 'Nozomi' AND EARLIEST=-24h

To search for events that were classified by Nozomi as "Critical":

WHERE sensor_type = 'Nozomi' AND vendor_severity = 'High'

To search for thirdparty events from a specific Guardian sensor or CMC:

FROM thirdparty WHERE sensor_type = 'Nozomi' AND sensor_id = '10.10.10.10'

Event Details

Sample Logs

Guardian Alert

CEF:0|Nozomi Networks|N2OS|23.2.0-08022302_214DC|VI:NEW-LINK-GROUP|New link group|8|app=other dvc=192.168.10.10 dvchost=nozomi-guardian-1 cs1=7.5 cs2=true cs3=d25c520f-7f79-4820-b5ae-d1b334b05c75 cs5=["013fc297-fef2-5720-8cff-70fe5218dec8"] cs6=3 cs1Label=Risk cs2Label=IsSecurity cs3Label=Id cs5Label=Parents cs6Label=n2os_schema dst=10.10.10.20 dhost=demo-1.domain.com dmac=AA:11:BB:22:CC:33 dpt=54443 flexString3=New link group flexString3Label=Name msg=New link group with protocol other between 192.168.10.20 and 10.10.10.20 src=192.168.10.20 shost=hostname-1 smac=AA:11:BB:22:CC:33 spt=50553 proto=TCP start=1698105234260
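The sample above is the raw CEF record the collector receives on UDP/514. The following is an added example (not code from the Secureworks documentation or from Nozomi's N2OS) that parses such a record: it splits the pipe-delimited header honouring the CEF `\|` escape, splits the extension into key/value pairs even where values contain spaces (the `msg` field), resolves the `csNLabel`/`flexStringNLabel` pairs so that `cs1=7.5 cs1Label=Risk` becomes `Risk=7.5`, and converts the epoch-millisecond `start` field. The `high_risk_security_event()` condition at the end is a constructed illustration of the kind of test a Custom Alert Rule (see the note under "Data Provided from Integration") could apply to the normalized fields; it is an assumption for the example, not a shipped XDR detector.

```python
"""Parse a Nozomi Guardian CEF alert as forwarded over UDP/514 to the XDR collector.

Added example; not part of the Secureworks documentation or Nozomi's N2OS.
SAMPLE is the Guardian alert shown on the page. high_risk_security_event() is
a constructed condition of the kind a Custom Alert Rule could express, not a
shipped XDR detector.
"""
import re
from datetime import datetime, timezone

# Guardian alert from the page, as received on the collector.
SAMPLE = (
    "CEF:0|Nozomi Networks|N2OS|23.2.0-08022302_214DC|VI:NEW-LINK-GROUP|New link group|8|"
    "app=other dvc=192.168.10.10 dvchost=nozomi-guardian-1 cs1=7.5 cs2=true "
    "cs3=d25c520f-7f79-4820-b5ae-d1b334b05c75 cs5=[\"013fc297-fef2-5720-8cff-70fe5218dec8\"] "
    "cs6=3 cs1Label=Risk cs2Label=IsSecurity cs3Label=Id cs5Label=Parents cs6Label=n2os_schema "
    "dst=10.10.10.20 dhost=demo-1.domain.com dmac=AA:11:BB:22:CC:33 dpt=54443 "
    "flexString3=New link group flexString3Label=Name "
    "msg=New link group with protocol other between 192.168.10.20 and 10.10.10.20 "
    "src=192.168.10.20 shost=hostname-1 smac=AA:11:BB:22:CC:33 spt=50553 proto=TCP "
    "start=1698105234260"
)

HEADER_FIELDS = ("vendor", "product", "version", "signature_id", "name", "severity")
_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}
# Custom CEF fields whose meaning is given by a companion <key>Label pair.
_LABEL_KEY = re.compile(r"^((?:cs|cn|cfp|flexString|flexNumber|flexDate)\d+)Label$")


def _split_header(line):
    """Split the seven pipe-delimited header fields; '\\|' and '\\\\' are escapes.
    Returns (fields, raw_extension) with the extension left unescaped."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    return fields, line[i:]


def _parse_extension(ext):
    """Extension values run until the next ' key=' token, so 'msg' may contain spaces;
    an '=' inside a value is escaped as '\\=' and therefore never looks like a key."""
    pairs = {}
    for token in re.split(r"\s+(?=[A-Za-z0-9_]+=)", ext.strip()):
        key, _, raw = token.partition("=")
        pairs[key] = re.sub(r"\\(.)", lambda m: _EXT_ESCAPES.get(m.group(1), m.group(0)), raw)
    return pairs


def _resolve_labels(pairs):
    """Replace cs1=7.5 / cs1Label=Risk with custom['Risk'] = '7.5'."""
    custom, plain = {}, dict(pairs)
    for key, label in pairs.items():
        m = _LABEL_KEY.match(key)
        if m and m.group(1) in pairs:
            custom[label] = pairs[m.group(1)]
            plain.pop(key, None)
            plain.pop(m.group(1), None)
    return plain, custom


def parse_cef(line):
    fields, ext = _split_header(line)
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    plain, custom = _resolve_labels(_parse_extension(ext))
    event = dict(zip(HEADER_FIELDS, fields[1:]))
    event["cef_version"] = fields[0].split(":", 1)[1]
    event["severity"] = int(event["severity"])
    event["ext"], event["custom"] = plain, custom
    if "start" in plain:  # CEF 'start' is epoch milliseconds
        event["start"] = datetime.fromtimestamp(int(plain["start"]) / 1000, tz=timezone.utc)
    return event


def high_risk_security_event(event, min_risk=7.0):
    """Constructed example condition: Guardian marks the alert as security-relevant
    (IsSecurity) and its Risk score is at or above min_risk."""
    custom = event["custom"]
    return custom.get("IsSecurity", "").lower() == "true" and float(custom.get("Risk", 0)) >= min_risk


if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    print(ev["vendor"], ev["signature_id"], "severity", ev["severity"], "risk", ev["custom"]["Risk"])
    print("start:", ev["start"].isoformat(), "| alert-worthy:", high_risk_security_event(ev))
```

Running the script prints the vendor, signature ID, severity 8 and Risk 7.5 from the sample, the UTC timestamp derived from `start`, and `True` for the example condition. Keeping header and extension parsing separate matters because the two use different escape rules: a `\|` is only an escape in the header, while `\=` is only meaningful in the extension.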
