Nozomi Vantage Integration Guide🔗
Nozomi Vantage is a SaaS-based security platform that provides operational technology (OT), Internet of Things (IoT), and Industrial Control System (ICS) asset visibility and threat detection. It aggregates alerts from Nozomi sensors and the Central Management Console (CMC) into a single cloud console.
The following instructions configure a Nozomi Vantage Webhook exporter to facilitate log ingestion into Secureworks® Taegis™ XDR over HTTP Ingest.
Note
Unlike the Nozomi Guardian integration, which forwards CEF over syslog through an XDR Collector, Nozomi Vantage pushes alerts as JSON directly to an XDR HTTP Ingest endpoint over HTTPS. Both integrations normalize to the same data, so events from either source appear under sensor_type = 'Nozomi' and cannot be distinguished by sensor_type alone.
Important
Adding this integration to your XDR tenant requires Taegis™ XDR for OT. Contact your account manager or CSM to acquire the required license.
Connectivity Requirements🔗
| Source | Destination | Port/Protocol |
|---|---|---|
| Nozomi Vantage (Webhook exporter) | XDR HTTP Ingest endpoint (regional ingest host) | TCP/443 (HTTPS) |
Data Provided from Integration🔗
The following Nozomi Vantage event types are supported by XDR.
- Alert events
Note
Event types not listed above are normalized to the generic schema.
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| Nozomi Guardian | Thirdparty |
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Detection Rules to generate detections based on normalized data from a data source.
Configure XDR HTTP Ingest🔗
Provision an HTTP Ingest integration first so that the URL and Integration Key are available to enter into Nozomi Vantage.
- Follow the Configure HTTP Ingest guide to add an HTTP Ingest integration in XDR.
-
Copy the Integration Key and URL shown at creation time.
Important
Save the Integration Key and URL when they are displayed. They cannot be retrieved after the dialog is closed. Provision one HTTP Ingest integration per data source so that throughput, error rates, and health are reported independently for Nozomi Vantage.
Configure the Nozomi Vantage Webhook Exporter🔗
- From the Nozomi Vantage navigation menu, select Integrations.
- On the Data integrations page, select Add exporter and choose the Webhook (Cloud) exporter.
-
Enter the following information:
Field Value Description A descriptive name for the exporter (for example, Taegis Alerts).To URI The URL copied from XDR (for example, https://<regional-ingest-host>/http-endpoint/v1/<integration-id>).Authentication Select Bearer token. Bearer token The Integration Key copied from XDR. Format Select NDJSON. Entity type Select Alerts. Query filter (optional) Restrict which alerts are sent, such as where risk > 6. Leave blank to send all alerts. -
(Optional) Enable Send updates to forward later changes to an alert. Note that new changes will be processed as distinct events, and not deduplicated into an existing event in the data lake.
- (Optional) Enable Send historical data to backfill existing alerts when the exporter first connects.
- Save the exporter. It appears on the Data integrations list with a Connectivity status of Connected once it successfully reaches the endpoint.
Note
Select NDJSON as the format and Alerts as the entity type. XDR normalizes Nozomi alert data to the scwx.thirdpartyalert schema. Other formats and other entity types (Assets, Nodes, Vulnerabilities) are normalized to the generic schema.
Note
The Webhook exporter sends the bearer token in the standard Authorization HTTP header, which is the scheme the HTTP Ingest endpoint expects.
Alerts are delivered to XDR as newline-delimited JSON (one alert object per line) as they are generated.
Example Query Language Searches🔗
To search for thirdparty events from the last 24 hours:
FROM thirdparty WHERE sensor_type = 'Nozomi' and EARLIEST=-24h
To search for events that Nozomi assigned the highest risk score:
FROM thirdparty WHERE sensor_type = 'Nozomi' AND vendor_severity = '10'
To search for thirdparty events from a specific Nozomi sensor:
FROM thirdparty WHERE sensor_type = 'Nozomi' AND sensor_id = 'Demo_Sensor_standard_838a8040'