Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.
All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
Deploy Nozomi Networks Guardian sensors for passive OT network traffic analysis to achieve comprehensive asset visibility, real-time threat detection, and vulnerability assessment across industrial control systems without disrupting operations, leveraging behavioral anomaly detection and protocol-aware monitoring.
cybersecurity
ot-ics-security
ot-security
ics
nozomi
guardian
network-monitoring
asset-visibility
anomaly-detection
ndr
1.0
mahipal
Apache-2.0
MEASURE-2.7
MAP-5.1
MANAGE-2.4
AML.T0070
AML.T0066
AML.T0082
PR.IR-01
DE.CM-01
ID.AM-05
GV.OC-02
Implementing OT Network Traffic Analysis with Nozomi
When to Use
When deploying passive OT network monitoring using Nozomi Networks Guardian sensors
When requiring asset visibility without active scanning in sensitive ICS environments
When building a Nozomi-based OT SOC with centralized management via Vantage or CMC
When integrating OT network monitoring with Fortinet, Splunk, or ServiceNow ecosystems
When monitoring compliance with IEC 62443 network segmentation policies
Do not use for active vulnerability scanning of OT devices (see performing-ot-vulnerability-scanning-safely), for environments standardized on Dragos (see implementing-dragos-platform-for-ot-monitoring), or for IT-only network monitoring.
Prerequisites
Nozomi Networks Guardian sensor (hardware, VM, or container)
Network TAP or SPAN port configured on monitored OT network segments
Nozomi Vantage (cloud) or Central Management Console for multi-sensor management
Nozomi Threat Intelligence subscription for updated detection signatures
Network architecture documentation for sensor placement planning
Workflow
Step 1: Deploy Guardian Sensors for Passive Monitoring
#!/usr/bin/env python3"""Nozomi Guardian Deployment Manager and Alert Analyzer.
Manages Nozomi Guardian sensor deployment validation, asset inventory
extraction, and threat alert analysis for OT environments.
"""importjsonimportsysfromcollectionsimportdefaultdictfromdatetimeimportdatetimefromtypingimportDict,List,Optionaltry:importrequestsexceptImportError:print("Install requests: pip install requests")sys.exit(1)classNozomiGuardianManager:"""Manages Nozomi Networks Guardian for OT monitoring."""def__init__(self,guardian_url:str,api_token:str,verify_ssl:bool=False):self.guardian_url=guardian_url.rstrip("/")self.session=requests.Session()self.session.headers.update({"Authorization":f"Bearer {api_token}","Content-Type":"application/json",})self.session.verify=verify_ssldefget_nodes(self,node_type:Optional[str]=None)->List[Dict]:"""Retrieve discovered network nodes (assets)."""params={}ifnode_type:params["type"]=node_typeresp=self.session.get(f"{self.guardian_url}/api/v1/nodes",params=params)resp.raise_for_status()returnresp.json().get("result",[])defget_alerts(self,severity:str="high",limit:int=100)->List[Dict]:"""Retrieve security alerts."""params={"severity":severity,"limit":limit,"status":"open"}resp=self.session.get(f"{self.guardian_url}/api/v1/alerts",params=params)resp.raise_for_status()returnresp.json().get("result",[])defget_links(self)->List[Dict]:"""Retrieve communication links between nodes."""resp=self.session.get(f"{self.guardian_url}/api/v1/links")resp.raise_for_status()returnresp.json().get("result",[])defget_vulnerabilities(self)->List[Dict]:"""Retrieve detected vulnerabilities."""resp=self.session.get(f"{self.guardian_url}/api/v1/vulnerabilities")resp.raise_for_status()returnresp.json().get("result",[])defvalidate_deployment(self):"""Validate Guardian sensor deployment and coverage."""print(f"\n{'='*65}")print("NOZOMI GUARDIAN DEPLOYMENT VALIDATION")print(f"{'='*65}")print(f"Guardian URL: {self.guardian_url}")print(f"Validation Time: {datetime.now().isoformat()}")# Check system statustry:resp=self.session.get(f"{self.guardian_url}/api/v1/system/status")ifresp.status_code==200:status=resp.json()print(f"\n--- SYSTEM STATUS ---")print(f" Version: {status.get('version','N/A')}")print(f" Uptime: {status.get('uptime','N/A')}")print(f" Packets Processed: {status.get('packets_processed','N/A')}")print(f" Threat Intelligence: {status.get('threat_intelligence_version','N/A')}")exceptrequests.RequestExceptionase:print(f" [!] System status unavailable: {e}")# Asset discovery summarynodes=self.get_nodes()print(f"\n--- ASSET DISCOVERY ---")print(f" Total Nodes Discovered: {len(nodes)}")type_counts=defaultdict(int)vendor_counts=defaultdict(int)protocol_set=set()fornodeinnodes:type_counts[node.get("type","unknown")]+=1vendor_counts[node.get("vendor","Unknown")]+=1forprotoinnode.get("protocols",[]):protocol_set.add(proto)print(f"\n By Type:")forntype,countinsorted(type_counts.items(),key=lambdax:-x[1]):print(f" {ntype}: {count}")print(f"\n By Vendor:")forvendor,countinsorted(vendor_counts.items(),key=lambdax:-x[1])[:10]:print(f" {vendor}: {count}")print(f"\n Protocols Observed: {', '.join(sorted(protocol_set))}")# Alert summaryalerts=self.get_alerts(severity="high")print(f"\n--- ALERT SUMMARY ---")print(f" High/Critical Alerts: {len(alerts)}")alert_types=defaultdict(int)foralertinalerts:alert_types[alert.get("type_id","unknown")]+=1foratype,countinsorted(alert_types.items(),key=lambdax:-x[1])[:10]:print(f" {atype}: {count}")# Vulnerability summaryvulns=self.get_vulnerabilities()print(f"\n--- VULNERABILITY SUMMARY ---")print(f" Total Vulnerabilities: {len(vulns)}")sev_counts=defaultdict(int)forvulninvulns:sev_counts[vuln.get("severity","unknown")]+=1forsevin["critical","high","medium","low"]:ifsevinsev_counts:print(f" {sev.capitalize()}: {sev_counts[sev]}")defanalyze_communication_patterns(self):"""Analyze OT communication patterns for anomalies."""links=self.get_links()nodes={n.get("id"):nforninself.get_nodes()}print(f"\n--- COMMUNICATION ANALYSIS ---")print(f" Total Communication Links: {len(links)}")# Identify cross-zone communicationscross_zone=[]forlinkinlinks:src_node=nodes.get(link.get("source_id"),{})dst_node=nodes.get(link.get("destination_id"),{})src_zone=src_node.get("zone","unknown")dst_zone=dst_node.get("zone","unknown")ifsrc_zone!=dst_zoneandsrc_zone!="unknown"anddst_zone!="unknown":cross_zone.append({"source":src_node.get("label","Unknown"),"source_zone":src_zone,"destination":dst_node.get("label","Unknown"),"dest_zone":dst_zone,"protocols":link.get("protocols",[]),})ifcross_zone:print(f"\n Cross-Zone Communications: {len(cross_zone)}")forcommincross_zone[:10]:print(f" {comm['source']} ({comm['source_zone']}) -> "f"{comm['destination']} ({comm['dest_zone']}) "f"via {', '.join(comm['protocols'])}")if__name__=="__main__":manager=NozomiGuardianManager(guardian_url="https://nozomi-guardian.plant.local",api_token="your-api-token",)manager.validate_deployment()manager.analyze_communication_patterns()
Key Concepts
Term
Definition
Guardian
Nozomi Networks passive sensor that monitors OT network traffic via SPAN/TAP without generating additional traffic
Vantage
Nozomi cloud-based central management platform for aggregating data across multiple Guardian sensors
Behavioral Anomaly Detection (BAD)
Nozomi's AI-driven approach to detecting deviations from learned normal OT network behavior
Smart Polling
Nozomi's active query feature using native protocols to safely extract additional device details
Asset Intelligence
Nozomi's automatic identification and classification of OT/IoT assets from network traffic
Threat Intelligence Feed
Nozomi Labs-maintained feed of OT-specific threat indicators, updated based on global honeypot data