
NERC Deployment Guide – Configure the Compliance Module


LogRhythm requires that you configure some objects included in the NERC-CIP Compliance Automation Suite. This section describes the steps you must perform.

Intelligent Indexing

Intelligent Indexing allows Reports, Investigations, and Tails to keep the appropriate log data online in the Log Manager/Data Processor. Take care when choosing which objects to enable for Intelligent Indexing, because broad criteria can keep an exceptional amount of data online and overwhelm the Log Manager/Data Processor. For a list of Intelligent Indexing-capable objects and their recommended settings, see the matrices available from the home page of this module.

Establish Entity Structure

NERC-CIP requires the organization to categorize its environment into High, Medium, and Low Impact Bulk Electric System (“BES”) Cyber Systems. LogRhythm can apply this categorization within the Entity Structure. Organizations should leverage any IT asset listing, system inventory, or risk assessment to assign categorization accordingly. The following steps describe how to add a new entity according to the impact classifications:

  1. Log into the Client Console using administrator credentials.
  2. On the main toolbar, click Deployment Manager.
  3. Click the Entities tab.
  4. Right-click the Global Entity node, and then click New Root Entity or New Child Entity.
    The Entity Properties dialog box appears.
  5. Specify the properties for the new Entity, and then click OK.

Population of the NERC-CIP Lists and User Profiles

The NERC-CIP Compliance List must be populated with data collected using the Pre-Implementation Checklist. Complete the following sections to populate all required lists.

Populate Log Source Lists

  1. Open the LogRhythm Console and click List Manager.
  2. Right-click the name of a NERC-CIP Log Source List, and then click Properties.
  3. To view the log sources selector, click Add Item.
  4. Search for and select all log sources that you want, and then click OK.
  5. To save the list, click OK.
  6. Repeat this process (steps 1-5) for all NERC-CIP Log Source Lists from your checklist.

Populate Default Privileged Group List

  1. Open the LogRhythm Console and click List Manager.
  2. Right-click the list name for the NERC-CIP: Default Privileged Groups List, and then click Properties.
  3. Click the List Items tab, type any privileged group designation used in your environment in the Add Item text field, and then click Add Item.

    This list comes pre-populated with fourteen (14) default privileged groups, but can be customized according to the organization’s environment.
  4. To save the list, click OK.

Populate Users Lists

  1. Open the LogRhythm Console and click List Manager.
  2. Right-click the name for a NERC-CIP Users List, and then click Properties.
  3. Select the Username for the Item Type.
  4. Type in the username in the Add Item field.
  5. Click Add Item to add the username.
  6. Repeat steps 4-5 for all usernames.
  7. To save the list, click OK.
  8. Repeat this process (steps 1-7) for all NERC-CIP Users Lists from your checklist.

Activate and Configure AIE Rules

All AIE Rules included in the NERC-CIP Compliance Automation Suite are disabled by default.

  1. Open the LogRhythm Console and click Deployment Manager.
  2. Click the AI Engine tab.
  3. Select all the NERC-CIP AIE Rules.
  4. Right-click the AI Engine Rule Manager, click Actions, and then click Enable.

All alarming AIE Rules included in the NERC-CIP Compliance Automation Suite have alarming disabled by default.

  1. Open the LogRhythm Console and click Deployment Manager.
  2. Click the AI Engine tab.
  3. Select all the NERC-CIP AIE Rules that are configured to alarm.
  4. Right-click the AI Engine Rule Manager, click Actions, click Batch Enable Alarms, and then click Enable Alarms.

All alarming AIE Rules included in the NERC-CIP Compliance Automation Suite must be configured for notifications.

  1. Open the LogRhythm Console and click Deployment Manager.
  2. Click the AI Engine tab.
  3. Select each of the NERC-CIP AIE Rules that are configured to alarm and notify.
  4. Right-click the AI Engine Rule Manager, click Actions, and then click Batch Notification Editor.
  5. Select all the roles, individuals, or groups to be notified, and then click OK to save the notifications.
  6. Repeat steps 2-5 for all alarming NERC-CIP AIE Rules that share notification personnel.
  7. On the top of the AI Engine Rule Manager, click Restart AIE Engine Servers.

