Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
Nozomi Alerts | ✅ | nozomi_alerts | NDJSON | API |
Overview
Nozomi Networks specializes in providing cybersecurity solutions and services, particularly in the areas of operational technology (OT) and Internet of Things (IoT) security.
The core of Nozomi Networks' offerings revolves around securing critical infrastructure from cyber threats, vulnerabilities, and attacks that could lead to downtime, safety hazards, and financial losses. They leverage machine learning and artificial intelligence to monitor and analyze network traffic and device behavior in real time, enabling them to detect anomalies, intrusions, and potential threats with high accuracy.
Supported data types
Nozomi Alerts
Table name: nozomi_alerts
Nozomi Networks Alerts are notifications generated by their cybersecurity solutions, specifically designed to inform users about potential security incidents, vulnerabilities, or other relevant events within their operational technology (OT), Internet of Things (IoT), and industrial control system (ICS) environments. These alerts are a critical component of Nozomi Networks' approach to ensuring the cybersecurity and operational integrity of critical infrastructure and industrial operations.
Send data to Hunters
Hunters supports API collection for Nozomi Alerts.
To connect Nozomi Networks logs to Hunters:
Follow the steps in this guide by Nozomi Networks and acquire the following information:
Key name
Key token
Host
Complete the process on the Hunters platform, following this guide.
Expected format
Logs are expected in JSON (NDJSON) format, one alert object per record. Note that the `properties.alert_data` entries in the example below carry `usernames` and `passwords` fields, so records in the `nozomi_alerts` table may contain credential material; take this into account when granting access to the table.
```json
{
"ack": false,
"appliance_host": "a.b.com",
"appliance_ip": null,
"bpf_filter": "(ip host 1.2.3.4 and ip host 1.2.3.4` and (tcp port 445 or tcp port 139)) or (vlan and ip host 1.2.3.4 and ip host 1.2.3.4` and (tcp port 445 or tcp port 139))",
"capture_device": "em1",
"close_option": null,
"closed_time": 0,
"created_time": 1710254564969,
"description": "Multiple 'access denied' events detected with protocol smb. The username '<empty>' attempted at least 40 connections in 15 seconds. Last path trying to access path",
"dst_roles": "consumer, web_server, dns_server",
"grouped_visible": true,
"id": "021443c2-5042-450b-a0ac-f17915c43e2a",
"id_dst": "1.2.3.4`",
"id_src": "1.2.3.4",
"ip_dst": "1.2.3.4`",
"ip_src": "1.2.3.4",
"is_incident": false,
"is_security": true,
"label_dst": "a.b.com",
"label_src": "GIW00207",
"mac_dst": "00:50:56:9a:97:dd",
"mac_src": "8c:ec:4b:42:48:90",
"name": "Multiple Access Denied events",
"note": null,
"parents": [],
"playbook_contents": null,
"port_dst": 445,
"port_src": 62311,
"properties": {
"alert_data": [
{
"hosts": "1.2.3.4",
"passwords": "",
"paths": "path",
"usernames": ""
},
{
"hosts": "1.2.3.4",
"passwords": "",
"paths": "path",
"usernames": ""
},
{
"hosts": "1.2.3.4",
"passwords": "",
"paths": "path",
"usernames": ""
},
{
"hosts": "1.2.3.4",
"passwords": "",
"paths": "path",
"usernames": ""
},
{
"hosts": "1.2.3.4",
"passwords": "",
"paths": "path",
"usernames": ""
},
{
"hosts": "1.2.3.4",
"passwords": "",
"paths": "path",
"usernames": ""
},
{
"hosts": "1.2.3.4",
"passwords": "",
"paths": "path",
"usernames": ""
},
{
"hosts": "1.2.3.4",
"passwords": "",
"paths": "path",
"usernames": ""
},
{
"hosts": "1.2.3.4",
"passwords": "",
"paths": "path",
"usernames": ""
},
{
"hosts": "1.2.3.4",
"passwords": "",
"paths": "path",
"usernames": ""
}
],
"bad_actor": "1.2.3.4",
"from_id": "1.2.3.4",
"is_dst_node_learned": true,
"is_dst_public": false,
"is_dst_reputation_bad": false,
"is_src_node_learned": true,
"is_src_public": false,
"is_src_reputation_bad": false,
"mitre_attack_enterprise": {
"techniques": [
{
"id": "T1110",
"name": "Brute Force",
"tactic": "Credential Access"
}
]
},
"mitre_attack_for_ics": {
"destination": {
"types": [
"Engineering Workstation"
]
},
"source": {
"types": [
"Engineering Workstation"
]
}
},
"raised_by": "n2os_ids",
"remediation_target": "1.2.3.4",
"solution": "Investigate the host '1.2.3.4' that triggered the alert",
"src_sec_profile": "medium",
"to_id": "1.2.3.4`",
"usernames": [
"<empty>"
],
"victims": [
"1.2.3.4`"
]
},
"protocol": "smb",
"record_created_at": 1710255014514,
"risk": 8.0,
"sec_profile_visible": true,
"severity": 10,
"src_roles": "terminal, web_server, dns_server",
"status": "open",
"threat_name": "",
"time": 1710254564969,
"trace_sha1": null,
"trace_status": null,
"transport_protocol": "tcp",
"trigger_id": null,
"trigger_type": null,
"type_id": "SIGN:MULTIPLE-ACCESS-DENIED",
"type_name": "Multiple Access Denied events",
"zone_dst": "File/Print",
"zone_src": "1234 - zone test"
}
```