implementing-ot-network-traffic-analysis-with-nozomi
Deploy Nozomi Networks Guardian sensors for passive OT network traffic analysis to achieve comprehensive asset visibility, real-time threat detection, and vulnerability assessment across industrial control systems without disrupting operations, leveraging behavioral anomaly detection and protocol-aware monitoring.
Works with
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Install Skill
Run in your terminal
0
installs
0
this week
8.6K
stars
Installation Guide
How to use implementing-ot-network-traffic-analysis-with-nozomi on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your machine
- ›Node.js 16+ with npm — verify with
node --version - ›Active project directory where you want to add
implementing-ot-network-traffic-analysis-with-nozomi
Run the install command
Execute the skills CLI command in your project's root directory to begin installation:
Fetches implementing-ot-network-traffic-analysis-with-nozomi from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate implementing-ot-network-traffic-analysis-with-nozomi. Access via /implementing-ot-network-traffic-analysis-with-nozomi in your agent's command palette.
Security Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Documentation
| name | implementing-ot-network-traffic-analysis-with-nozomi |
| description | 'Deploy Nozomi Networks Guardian sensors for passive OT network traffic analysis to achieve comprehensive asset visibility, real-time threat detection, and vulnerability assessment across industrial control systems without disrupting operations, leveraging behavioral anomaly detection and protocol-aware monitoring. ' |
| domain | cybersecurity |
| subdomain | ot-ics-security |
| tags | - ot-security - ics - nozomi - guardian - network-monitoring - asset-visibility - anomaly-detection - ndr |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_ai_rmf | - MEASURE-2.7 - MAP-5.1 - MANAGE-2.4 |
| atlas_techniques | - AML.T0070 - AML.T0066 - AML.T0082 |
| nist_csf | - PR.IR-01 - DE.CM-01 - ID.AM-05 - GV.OC-02 |
Implementing OT Network Traffic Analysis with Nozomi
When to Use
- When deploying passive OT network monitoring using Nozomi Networks Guardian sensors
- When requiring asset visibility without active scanning in sensitive ICS environments
- When building a Nozomi-based OT SOC with centralized management via Vantage or CMC
- When integrating OT network monitoring with Fortinet, Splunk, or ServiceNow ecosystems
- When monitoring compliance with IEC 62443 network segmentation policies
Do not use for active vulnerability scanning of OT devices (see performing-ot-vulnerability-scanning-safely), for environments standardized on Dragos (see implementing-dragos-platform-for-ot-monitoring), or for IT-only network monitoring.
Prerequisites
- Nozomi Networks Guardian sensor (hardware, VM, or container)
- Network TAP or SPAN port configured on monitored OT network segments
- Nozomi Vantage (cloud) or Central Management Console for multi-sensor management
- Nozomi Threat Intelligence subscription for updated detection signatures
- Network architecture documentation for sensor placement planning
Workflow
Step 1: Deploy Guardian Sensors for Passive Monitoring
#!/usr/bin/env python3
"""Nozomi Guardian Deployment Manager and Alert Analyzer.
Manages Nozomi Guardian sensor deployment validation, asset inventory
extraction, and threat alert analysis for OT environments.
"""
import json
import sys
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional
try:
import requests
except ImportError:
print("Install requests: pip install requests")
sys.exit(1)
class NozomiGuardianManager:
"""Manages Nozomi Networks Guardian for OT monitoring."""
def __init__(self, guardian_url: str, api_token: str, verify_ssl: bool = False):
self.guardian_url = guardian_url.rstrip("/")
self.session = requests.Session()
self.session.headers.update({
"Authorization": f"Bearer {api_token}",
"Content-Type": "application/json",
})
self.session.verify = verify_ssl
def get_nodes(self, node_type: Optional[str] = None) -> List[Dict]:
"""Retrieve discovered network nodes (assets)."""
params = {}
if node_type:
params["type"] = node_type
resp = self.session.get(f"{self.guardian_url}/api/v1/nodes", params=params)
resp.raise_for_status()
return resp.json().get("result", [])
def get_alerts(self, severity: str = "high", limit: int = 100) -> List[Dict]:
"""Retrieve security alerts."""
params = {"severity": severity, "limit": limit, "status": "open"}
resp = self.session.get(f"{self.guardian_url}/api/v1/alerts", params=params)
resp.raise_for_status()
return resp.json().get("result", [])
def get_links(self) -> List[Dict]:
"""Retrieve communication links between nodes."""
resp = self.session.get(f"{self.guardian_url}/api/v1/links")
resp.raise_for_status()
return resp.json().get("result", [])
def get_vulnerabilities(self) -> List[Dict]:
"""Retrieve detected vulnerabilities."""
resp = self.session.get(f"{self.guardian_url}/api/v1/vulnerabilities")
resp.raise_for_status()
return resp.json().get("result", [])
def validate_deployment(self):
"""Validate Guardian sensor deployment and coverage."""
print(f"\n{'='*65}")
print("NOZOMI GUARDIAN DEPLOYMENT VALIDATION")
print(f"{'='*65}")
print(f"Guardian URL: {self.guardian_url}")
print(f"Validation Time: {datetime.now().isoformat()}")
# Check system status
try:
resp = self.session.get(f"{self.guardian_url}/api/v1/system/status")
if resp.status_code == 200:
status = resp.json()
print(f"\n--- SYSTEM STATUS ---")
print(f" Version: {status.get('version', 'N/A')}")
print(f" Uptime: {status.get('uptime', 'N/A')}")
print(f" Packets Processed: {status.get('packets_processed', 'N/A')}")
print(f" Threat Intelligence: {status.get('threat_intelligence_version', 'N/A')}")
except requests.RequestException as e:
print(f" [!] System status unavailable: {e}")
# Asset discovery summary
nodes = self.get_nodes()
print(f"\n--- ASSET DISCOVERY ---")
print(f" Total Nodes Discovered: {len(nodes)}")
type_counts = defaultdict(int)
vendor_counts = defaultdict(int)
protocol_set = set()
for node in nodes:
type_counts[node.get("type", "unknown")] += 1
vendor_counts[node.get("vendor", "Unknown")] += 1
for proto in node.get("protocols", []):
protocol_set.add(proto)
print(f"\n By Type:")
for ntype, count in sorted(type_counts.items(), key=lambda x: -x[1]):
print(f" {ntype}: {count}")
print(f"\n By Vendor:")
for vendor, count in sorted(vendor_counts.items(), key=lambda x: -x[1])[:10]:
print(f" {vendor}: {count}")
print(f"\n Protocols Observed: {', '.join(sorted(protocol_set))}")
# Alert summary
alerts = self.get_alerts(severity="high")
print(f"\n--- ALERT SUMMARY ---")
print(f" High/Critical Alerts: {len(alerts)}")
alert_types = defaultdict(int)
for alert in alerts:
alert_types[alert.get("type_id", "unknown")] += 1
for atype, count in sorted(alert_types.items(), key=lambda x: -x[1])[:10]:
print(f" {atype}: {count}")
# Vulnerability summary
vulns = self.get_vulnerabilities()
print(f"\n--- VULNERABILITY SUMMARY ---")
print(f" Total Vulnerabilities: {len(vulns)}")
sev_counts = defaultdict(int)
for vuln in vulns:
sev_counts[vuln.get("severity", "unknown")] += 1
for sev in ["critical", "high", "medium", "low"]:
if sev in sev_counts:
print(f" {sev.capitalize()}: {sev_counts[sev]}")
def analyze_communication_patterns(self):
"""Analyze OT communication patterns for anomalies."""
links = self.get_links()
nodes = {n.get("id"): n for n in self.get_nodes()}
print(f"\n--- COMMUNICATION ANALYSIS ---")
print(f" Total Communication Links: {len(links)}")
# Identify cross-zone communications
cross_zone = []
for link in links:
src_node = nodes.get(link.get("source_id"), {})
dst_node = nodes.get(link.get("destination_id"), {})
src_zone = src_node.get("zone", "unknown")
dst_zone = dst_node.get("zone", "unknown")
if src_zone != dst_zone and src_zone != "unknown" and dst_zone != "unknown":
cross_zone.append({
"source": src_node.get("label", "Unknown"),
"source_zone": src_zone,
"destination": dst_node.get("label", "Unknown"),
"dest_zone": dst_zone,
"protocols": link.get("protocols", []),
})
if cross_zone:
print(f"\n Cross-Zone Communications: {len(cross_zone)}")
for comm in cross_zone[:10]:
print(f" {comm['source']} ({comm['source_zone']}) -> "
f"{comm['destination']} ({comm['dest_zone']}) "
f"via {', '.join(comm['protocols'])}")
if __name__ == "__main__":
manager = NozomiGuardianManager(
guardian_url="https://nozomi-guardian.plant.local",
api_token="your-api-token",
)
manager.validate_deployment()
manager.analyze_communication_patterns()
Key Concepts
| Term | Definition |
|---|---|
| Guardian | Nozomi Networks passive sensor that monitors OT network traffic via SPAN/TAP without generating additional traffic |
| Vantage | Nozomi cloud-based central management platform for aggregating data across multiple Guardian sensors |
| Behavioral Anomaly Detection (BAD) | Nozomi's AI-driven approach to detecting deviations from learned normal OT network behavior |
| Smart Polling | Nozomi's active query feature using native protocols to safely extract additional device details |
| Asset Intelligence | Nozomi's automatic identification and classification of OT/IoT assets from network traffic |
| Threat Intelligence Feed | Nozomi Labs-maintained feed of OT-specific threat indicators, updated based on global honeypot data |
Output Format
NOZOMI GUARDIAN OT MONITORING REPORT
=======================================
Site: [site name]
Date: YYYY-MM-DD
ASSET VISIBILITY:
Total Assets: [count]
PLCs: [count] | HMIs: [count] | Switches: [count]
Protocols: [list]
Vendors: [top 5]
THREAT DETECTION:
Critical Alerts: [count]
High Alerts: [count]
Top Alert Categories: [list]
VULNERABILITIES:
Critical: [count]
High: [count]
NETWORK ANALYSIS:
Communication Links: [count]
Cross-Zone Flows: [count]
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases
Exploratory Data Analysis
Quickly understand datasets, identify patterns, and generate insights
Example
Analyze CSV with 100K rows, identify outliers, visualize correlations, suggest hypotheses
Reduce EDA time from hours to minutes, uncover insights faster
Data Cleaning & Transformation
Write scripts to clean messy data, handle missing values, normalize formats
Example
Generate Python/SQL to fix date formats, impute missing values, remove duplicates
Automate 80% of data preprocessing work
Statistical Analysis
Perform hypothesis testing, regression, and statistical modeling
Example
Run A/B test analysis, calculate confidence intervals, interpret p-values
Get statistically sound analysis without PhD in statistics
Data Visualization
Create charts, dashboards, and visual reports
Example
Generate matplotlib/seaborn code for time series plots, distribution charts, heatmaps
Build presentation-ready visualizations 3x faster
Implementation Guide
Prerequisites
- ›Claude Desktop or compatible AI client
- ›Python environment (pandas, numpy, matplotlib) or SQL database access
- ›Basic understanding of data analysis concepts
- ›Sample datasets for testing skill capabilities
Time Estimate
20-40 minutes to set up and run first analysis
Steps
- 1Install data analysis skill using provided command
- 2Prepare a sample dataset (CSV, JSON, or database connection)
- 3Start with descriptive statistics: 'Summarize this dataset'
- 4Progress to visualization: 'Create a scatter plot of X vs Y'
- 5Advanced analysis: 'Run linear regression and interpret results'
- 6Validate outputs: check calculations, verify visualizations make sense
- 7Document analysis workflow for reproducibility
Common Pitfalls
- ⚠Not validating statistical assumptions before applying tests
- ⚠Accepting visualizations without checking data accuracy
- ⚠Overlooking data quality issues (missing values, outliers)
- ⚠Misinterpreting correlation as causation
- ⚠Using wrong statistical test for data distribution
- ⚠Not considering sample size and statistical power
Best Practices
✓ Do
- +Always validate data quality before analysis
- +Check statistical assumptions (normality, independence, etc.)
- +Visualize data before running statistical tests
- +Document analysis steps for reproducibility
- +Cross-validate findings with domain experts
- +Use skill for initial exploration, then dive deeper manually
- +Save generated code for reuse on similar datasets
✗ Don't
- −Don't trust analysis without verifying data quality
- −Don't apply statistical tests without checking assumptions
- −Don't make business decisions solely on AI-generated analysis
- −Don't ignore outliers without investigating cause
- −Don't skip data validation and sanity checks
- −Don't use for mission-critical financial or medical analysis without expert review
💡 Pro Tips
- ★Describe data context: 'This is user behavior data from e-commerce site'
- ★Ask for interpretation: 'What does this correlation mean for business?'
- ★Request multiple approaches: 'Show 3 ways to handle missing data'
- ★Combine AI analysis with domain expertise for best insights
- ★Use for rapid prototyping, then refine analysis manually
When to Use This
✓ Use when
Use for exploratory data analysis, data cleaning, statistical testing, visualization prototyping, and learning new analysis techniques. Best for initial exploration and rapid insights.
✗ Avoid when
Avoid for mission-critical financial analysis, medical research requiring regulatory compliance, production ML models, or when deep statistical expertise is required for nuanced interpretation.
Learning Path
- 1Basic: descriptive statistics, data cleaning, simple visualizations
- 2Intermediate: hypothesis testing, regression, correlation analysis
- 3Advanced: time series analysis, clustering, predictive modeling
- 4Expert: causal inference, experimental design, advanced statistical methods
Related Skills
performing-cryptographic-audit-of-application
5mukul975/Anthropic-Cybersecurity-Skills
exploiting-deeplink-vulnerabilities
3mukul975/Anthropic-Cybersecurity-Skills
implementing-soar-playbook-with-palo-alto-xsoar
3mukul975/Anthropic-Cybersecurity-Skills
generating-threat-intelligence-reports
2mukul975/Anthropic-Cybersecurity-Skills
analyzing-network-traffic-with-wireshark
2mukul975/Anthropic-Cybersecurity-Skills
scanning-docker-images-with-trivy
2mukul975/Anthropic-Cybersecurity-Skills
Reviews
- ZZaid Bansal★★★★★Dec 24, 2024
We added implementing-ot-network-traffic-analysis-with-nozomi from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- JJames Yang★★★★★Dec 24, 2024
implementing-ot-network-traffic-analysis-with-nozomi fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- IIsabella Lopez★★★★★Dec 20, 2024
Useful defaults in implementing-ot-network-traffic-analysis-with-nozomi — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- OOlivia Ghosh★★★★★Dec 20, 2024
Solid pick for teams standardizing on skills: implementing-ot-network-traffic-analysis-with-nozomi is focused, and the summary matches what you get after install.
- AAmelia Huang★★★★★Dec 20, 2024
We added implementing-ot-network-traffic-analysis-with-nozomi from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- DDaniel Chen★★★★★Dec 16, 2024
Keeps context tight: implementing-ot-network-traffic-analysis-with-nozomi is the kind of skill you can hand to a new teammate without a long onboarding doc.
- DDaniel Gill★★★★★Dec 12, 2024
implementing-ot-network-traffic-analysis-with-nozomi is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- AAisha Khanna★★★★★Nov 23, 2024
Keeps context tight: implementing-ot-network-traffic-analysis-with-nozomi is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ZZaid Desai★★★★★Nov 15, 2024
I recommend implementing-ot-network-traffic-analysis-with-nozomi for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- DDaniel Wang★★★★★Nov 11, 2024
implementing-ot-network-traffic-analysis-with-nozomi is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
showing 1-10 of 73
Discussion
Comments — not star reviews- No comments yet — start the thread.