
NERC Deployment Guide – Meet the Compliance Requirements


The LogRhythm NERC-CIP Compliance Automation Suite provides bundled pre-created alarms, AIE rules, investigations, layouts, lists, reports, and reporting packages to help demonstrate regulation compliance. The Auditor checks for specific line-item regulations to be met by LogRhythm. This section details the post-implementation processes necessary to meet specific NERC-CIP compliance requirements and augment others.

Compliance Module Noise Mitigation

The alarms, AIE rules, investigations, layouts, lists, reports, and reporting packages bundled with LogRhythm’s NERC-CIP Compliance Automation Suite need tuning to reduce the likelihood of false positive events. Reducing false positives involves the following steps:

List Updating

Keeping Compliance Module lists updated is a vital part of decreasing false positives within the NERC-CIP Compliance Automation Suite. An organization’s applications, IP addresses, and users are dynamic. For this reason, the Compliance Module uses lists that can be updated dynamically as needed. Many conditions require a list to be updated; the following section highlights a few of them and explains how to update the lists. Refer to the matrices on the home page of this module for the specific AIE Rules, Investigations, and Reports in which each list is used. You may also leverage existing periodic reviews to incorporate updates to user lists resulting from the account access reviews performed by IT Management or HR.

Update User Lists

User lists should be updated when privileged access accounts and vendor accounts are created or deleted. Lists should also be updated when a user account is disabled or terminated. Changes to these types of accounts would be evident from details in the access granted/revoked reports and account management reports. Follow the instructions below after implementation and on a weekly basis to identify users that have not been added to the Users lists.

  1. On the main toolbar, click Report Center.
  2. Place a check mark in the Action box for the Saved NERC-CIP: Account Management Activity report, right-click the report name, and then click Run.
  3. Click Next to reach the Configuration screen, set the date range to Past Month, and then click OK.
  4. Click on the name of the report in the Report Viewer.
  5. To identify when an account may have been created, search for User Account Created common events.
  6. Follow instructions 1-7 in Populating Users Lists to add applicable, enabled accounts to the NERC-CIP: Default Accounts List, NERC-CIP: Guest Accounts List, NERC-CIP: Privileged Accounts List, NERC-CIP: Shared Accounts List, NERC-CIP: Authorized VPN Accounts or NERC-CIP: Vendor Accounts List, respectively.
  7. Repeat steps 1-6 above using the User Account Deleted or Account Disabled common events to add applicable deleted accounts to the NERC-CIP: Terminated Accounts List. You may also leverage any terminated account reports from an HR system to manually update this list.
  8. Repeat steps 2-4 for the NERC-CIP: Account Management Detail investigation.
  9. Follow instructions 1-7 in Populate Users Lists to add applicable enabled accounts to the NERC-CIP: Default Accounts List, NERC-CIP: Guest Accounts List, NERC-CIP: Privileged Accounts List, NERC-CIP: Shared Accounts List, NERC-CIP: Authorized VPN Accounts, or NERC-CIP: Vendor Accounts List, or add applicable deleted or disabled accounts to the NERC-CIP: Terminated Accounts List. You may also leverage any terminated account reports from an HR system to manually update the NERC-CIP: Terminated Accounts list.

Filter Usage

Adjusting filter criteria is a vital part of decreasing the number of false positives within the NERC-CIP Compliance Automation Suite. Exclude filters can remove applications, common events, hosts, IP addresses, etc. from search criteria. There are many conditions in which an exclude filter can decrease the number of false positives returned by a search. The following section highlights how to create exclude filters for AIE Rules, investigations, reports, and tails.

Configure AIE Rule Exclude Filter Criteria

All AIE Rules included in the NERC-CIP Compliance Automation Suite can be configured with exclude filters.

  1. Open the LogRhythm Console and click Deployment Manager on the main toolbar.
  2. Click the AI Engine tab.
  3. Right-click a NERC-CIP AIE Rule on which an exclude filter should be configured, and then click Properties.
  4. Right-click the Rule Block, and then click Properties.
  5. Click the Exclude Filters tab.
  6. On the top menu, click the New icon.
  7. Specify the details for the exclude filter criteria.
  8. On the Log Message Filter, click OK.
  9. On the AI Engine Rule Block Wizard, click OK.
  10. On the AI Engine Rule Wizard, click OK.
  11. On the top of the AI Engine Rule Manager, click Restart AIE Engine.

Configure Investigation Exclude Filter Criteria

All Investigations included in the NERC-CIP Compliance Automation Suite can be configured with exclude filters.

  1. Open the LogRhythm Console and click Investigate on the main toolbar.
  2. Select one of the saved NERC-CIP Investigations on which an Exclude Filter should be configured.
  3. Click Next until you reach the Specify Event Selection screen.
  4. In the Add New Field Filter list, select the criteria.
  5. Click Edit Values and configure the criteria as required.
  6. (Optional) To specify exclusions, select the Filter Out (Is Not) option under Filter Mode.
  7. Click OK.
  8. Click Next until you reach the Save Investigation Configuration screen, and then click Save.
  9. Click Cancel.

Configure Report Exclude Filter Criteria

All Reports included in the NERC-CIP Compliance Automation Suite can be configured with exclude filters.

  1. Open the LogRhythm Console and click Report Center on the main toolbar.
  2. Click the Reports tab.
  3. Select the Action check box of the report that needs exclude filters, right-click the selection, and then click Properties.
  4. Click Next until you reach the Specify Additional Report Criteria Screen.
  5. In the Add New Field Filter list, select the criteria.
  6. Click Edit Values and configure the criteria as required.
  7. (Optional) To specify exclusions, select the Filter Out (Is Not) option under Filter Mode.
  8. Click OK.
  9. Click Next to reach the Report Details screen, click Apply, and then click OK.

Suppression Usage

Adjusting suppression values is a vital part of tuning the alarming configuration within the NERC-CIP Compliance Automation Suite. Suppression values limit the number of alarms generated when the same type of event occurs repeatedly within a specified time window. The following section highlights how to adjust suppression values for AIE Rules.

Configure AIE Rule Suppression

All AIE Rules included in the NERC-CIP Compliance Automation Suite can be configured with alarm suppression. Follow the instructions below to configure suppression for AIE Rules.

  1. Open the LogRhythm Console and click Deployment Manager on the main toolbar.
  2. Click the AI Engine tab.
  3. Right-click a NERC-CIP AIE Rule on which suppression should be configured, and then click Properties.
  4. Click the Settings tab.
  5. Type a value for the Suppression Multiple.

    You must select the Enable Suppression check box in order for suppression to function. The Suppression Period is the amount of time in which an alarm will be suppressed after the first occurrence. When the Suppression Period has elapsed, another alarm occurs if identical events occur.

  6. On the AI Engine Rule Wizard, click OK.
  7. On the top of the AI Engine Rule Manager, click Restart AIE Engine.

Thresholds

Adjusting threshold values is a vital part of tuning the alarming configuration within the NERC-CIP Compliance Automation Suite. Threshold values specify the number of times an event must occur before the corresponding alarm fires. The following section highlights how to adjust threshold values for alarms.

Configuring AIE Rule Thresholds

Specific AIE Rules included in the NERC-CIP Compliance Automation Suite can be configured with alarming thresholds. Follow the instructions below to configure thresholds.

  1. Open the LogRhythm Console and click Deployment Manager.
  2. On the Tools menu, click Administration, then click Advanced Intelligence (AI) Engine Rule Manager.
  3. Right-click a NERC-CIP AIE Rule on which a threshold should be configured (see Table 2), then click
  4. Right-click the Threshold rule block, then click Properties.
  5. Click the Thresholds tab.
  6. Adjust the threshold count and time as needed.

    AIE Rule Name                                  Default Threshold Count   Default Threshold Time
    NERC-CIP: Data Exfiltration Rule               BytesIn >= 1048576        30 Minutes
    NERC-CIP: Default Act Auth/Accs Failure Rule   Count >= 3                30 Minutes
    NERC-CIP: Files Deleted by Admin               Count >= 100              1 Hour
    NERC-CIP: Priv Act Auth/Accs Failure Rule      Count >= 3                30 Minutes
    NERC-CIP: Shared Act Auth/Accs Failure Rule    Count >= 3                30 Minutes
    NERC-CIP: Term Act Auth/Accs Failure Rule      Count >= 3                30 Minutes
    NERC-CIP: Vendor Act Auth/Accs Failure Rule    Count >= 3                30 Minutes

    The Threshold is the number of events which must occur prior to an alarm occurrence. When the Threshold has been exceeded, an alarm will occur.
  7. On the Properties, click OK.
  8. On the Alarm Rule, click OK.
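The following Python model, added here as an illustration and not LogRhythm code, shows how the threshold and suppression settings described in the two sections above interact. It uses the default for the NERC-CIP: Priv Act Auth/Accs Failure Rule from the table (Count >= 3 within 30 minutes), treats the suppression period as a plain duration (the Suppression Multiple to period mapping used by the product is not modelled), and runs over a constructed stream of failed authentications keyed by account.

```python
"""Model of AIE rule threshold and suppression semantics.
Added illustration only, not LogRhythm code: the event stream is constructed
and the suppression period is taken as a plain duration (an assumption)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Defaults from the threshold table for the NERC-CIP: Priv Act Auth/Accs Failure Rule.
THRESHOLD_COUNT = 3
THRESHOLD_WINDOW = timedelta(minutes=30)


def evaluate(events, threshold_count, window, suppression_period=None):
    """events: iterable of (timestamp, group_key); group_key identifies "identical"
    events (here the account whose authentication failed).
    Returns a list of (timestamp, group_key, status) with status ALARM or SUPPRESSED."""
    recent = defaultdict(list)  # group_key -> timestamps still inside the window
    last_alarm = {}             # group_key -> time the last alarm actually fired
    results = []
    for ts, key in sorted(events):
        # keep only the events that fall within the threshold time of this one
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) < threshold_count:
            continue
        recent[key].clear()  # threshold reached; the next alarm needs a fresh count
        prev = last_alarm.get(key)
        if (suppression_period is not None and prev is not None
                and ts - prev < suppression_period):
            # identical alarm inside the suppression period: recorded, not raised
            results.append((ts, key, "SUPPRESSED"))
        else:
            last_alarm[key] = ts
            results.append((ts, key, "ALARM"))
    return results


def _t(hhmm):
    """Constructed timestamp on a fixed day."""
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample: failed authentications by privileged accounts (timestamp, account).
SAMPLE_EVENTS = [
    (_t("09:00"), "svc_backup"), (_t("09:05"), "svc_backup"), (_t("09:10"), "svc_backup"),
    (_t("09:12"), "svc_backup"), (_t("09:14"), "svc_backup"), (_t("09:16"), "svc_backup"),
    (_t("10:30"), "svc_backup"), (_t("10:31"), "svc_backup"), (_t("10:32"), "svc_backup"),
    (_t("09:00"), "admin2"), (_t("09:40"), "admin2"),  # 40 min apart: never 3 in 30 min
]


def demo(suppression_minutes=None):
    """Run the sample stream with an optional suppression period in minutes."""
    period = timedelta(minutes=suppression_minutes) if suppression_minutes else None
    return evaluate(SAMPLE_EVENTS, THRESHOLD_COUNT, THRESHOLD_WINDOW, period)


if __name__ == "__main__":
    for ts, key, status in demo(suppression_minutes=60):
        print(ts.strftime("%H:%M"), key, status)
```

With a 60-minute suppression period the second burst at 09:16 is suppressed because the 09:10 alarm is still inside the period, while the 10:32 burst alarms again; without suppression all three bursts alarm. The admin2 account never alarms because its two failures are more than 30 minutes apart, which is the behaviour the threshold time is meant to give.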

Enhanced Report and Alert Configuration

The following reports and log sources may require enhanced configuration and assistance from LogRhythm Professional Services (ProServ). The organization should use ProServ to assist in establishing necessary log sources and other parameters to be defined according to the customer’s environment.

NERC-CIP: Failed File Access (Linux), NERC-CIP: System File Permission Change (Linux), NERC-CIP: Change in Software Config (Linux)

Several components in the NERC-CIP Compliance Automation Suite require the use of the Linux Audit Daemon and a custom auditing rule set. The components that require the Linux Audit Daemon are as follows:

  • NERC-CIP: Failed File Access (Linux) – Failed file system access activity.
  • NERC-CIP: System File Permission Change (Linux) – Permission changes on system files / folders.
  • NERC-CIP: Change in Software Config (Linux) – Linux package manager usage.

Setup Steps

Ensure that the Linux Audit Daemon (auditd) has been installed.

The Linux Audit Daemon must be installed on the end Linux platform to be audited. This is usually installed by default in most distributions. The configuration directory should be accessible at the path “/etc/audit/”.

Install the LogRhythm NERC-CIP audit.rules template file.

LogRhythm has created a sample audit.rules file which can be used as a template. This file is normally installed under “/etc/audit/audit.rules”, however the path may vary depending on configuration and platform.

Customize the audit rule set.

Customize the audit.rules file to fit the environment. The sample configuration provided should be treated as a template; additional customization may be required depending on the environment. In particular, the system file permission and change in software configuration audit rules may need adjusting so that all relevant system file locations and package manager binaries are audited.

Configure syslog forwarding to LogRhythm.

Configure syslog forwarding into LogRhythm of the Audit Daemon output file “/var/log/audit/audit.log”. The syslog daemon on the host should be configured to forward the audit log file into LogRhythm.

LogRhythm Audit.Rules – Sample Configuration for NERC-CIP

###### LOGRHYTHM AUDIT.RULES SAMPLE CONFIGURATION FOR NERC-CIP ######
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

# NERC-CIP: Failed file system access activity - Audit file access permission denied events
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k fileaccesspermdenied
-a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -k fileaccesspermdenied
-a always,exit -F arch=b32 -S open -S openat -F exit=-EACCES -k fileaccesspermdenied
-a always,exit -F arch=b32 -S open -S openat -F exit=-EPERM -k fileaccesspermdenied

# NERC-CIP: Permission changes on system files / folders - Audit permissions changed to system files/folders
-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/bin -k permchangesysdir
-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/sbin -k permchangesysdir
-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/boot -k permchangesysdir
-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/lib -k permchangesysdir
-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/etc/init.d -k permchangesysdir
# /etc/passwd is a file, not a directory: dir= places a recursive directory watch and will not load for it, so path= is used
-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F path=/etc/passwd -k permchangesysdir
-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/bin -k permchangesysdir
-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/sbin -k permchangesysdir
-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/boot -k permchangesysdir
-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/lib -k permchangesysdir
-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F dir=/etc/init.d -k permchangesysdir
-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat -S chown -S lchown -S fchown -S fchownat -F success=1 -F path=/etc/passwd -k permchangesysdir

# NERC-CIP: Change in Software Config (Linux) - Audit package manager usage
### Add the path to the unix package manager for your platform ###
-a exit,always -F arch=b64 -S execve -F path=/bin/rpm -F success=1 -k packagemanagerusage
-a exit,always -F arch=b64 -S execve -F path=/usr/bin/yum -F success=1 -k packagemanagerusage
-a exit,always -F arch=b64 -S execve -F path=/usr/bin/apt-get -F success=1 -k packagemanagerusage
-a exit,always -F arch=b32 -S execve -F path=/bin/rpm -F success=1 -k packagemanagerusage
-a exit,always -F arch=b32 -S execve -F path=/usr/bin/yum -F success=1 -k packagemanagerusage
-a exit,always -F arch=b32 -S execve -F path=/usr/bin/apt-get -F success=1 -k packagemanagerusage
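The -k keys in the rule set above are what tie each audit record back to a suite component once the log reaches LogRhythm. The following Python parser, an added example that is not LogRhythm code, reads audit.log text, joins the SYSCALL and PATH records of one event by their audit serial, and maps the key to the component named in this section. The log lines are constructed for the example; the component names and keys are the ones on this page, and the field layout is standard auditd output.

```python
"""Parse auditd records produced by the NERC-CIP audit.rules sample and map each
event to the suite component its key feeds. Added example, not LogRhythm code;
the log lines below are constructed."""
import errno
import re
from collections import defaultdict

# -k keys from the sample rule set -> NERC-CIP component that consumes them (from this page)
KEY_TO_COMPONENT = {
    "fileaccesspermdenied": "NERC-CIP: Failed File Access (Linux)",
    "permchangesysdir": "NERC-CIP: System File Permission Change (Linux)",
    "packagemanagerusage": "NERC-CIP: Change in Software Config (Linux)",
}

HEADER = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit.log line into a dict of fields; None if it is not an audit record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group("rest"))}
    fields["type"] = m.group("type")
    fields["ts"] = float(m.group("ts"))
    fields["serial"] = int(m.group("serial"))
    return fields


def correlate(lines):
    """Group SYSCALL and PATH records by audit serial and return one finding per event
    whose key maps to a NERC-CIP component; other keys are left for other rules."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    findings = []
    for serial, recs in sorted(events.items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if syscall is None:
            continue
        component = KEY_TO_COMPONENT.get(syscall.get("key", ""))
        if component is None:
            continue
        exit_code = int(syscall.get("exit", "0"))
        findings.append({
            "serial": serial,
            "component": component,
            "auid": syscall.get("auid"),   # login uid survives su/sudo, so it names the person
            "exe": syscall.get("exe"),
            "paths": [r["name"] for r in recs if r["type"] == "PATH" and "name" in r],
            "success": syscall.get("success") == "yes",
            # negative exit is -errno; e.g. -13 -> EACCES, -1 -> EPERM
            "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
        })
    return findings


def summarize(findings):
    """Count findings per NERC-CIP component."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["component"]] += 1
    return dict(counts)


# Constructed audit.log excerpt: a denied read of /etc/shadow, a chmod under /etc/init.d,
# a yum execution, and an unrelated key that the suite's components ignore.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd0 a2=0 a3=0 items=1 ppid=1200 pid=1234 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=4 comm="cat" exe="/usr/bin/cat" key="fileaccesspermdenied"
type=PATH msg=audit(1700000000.101:501): item=0 name="/etc/shadow" inode=262 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:502): arch=c000003e syscall=90 success=yes exit=0 a0=7ffd1 a1=1ed a2=0 a3=0 items=1 ppid=1200 pid=1250 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="chmod" exe="/usr/bin/chmod" key="permchangesysdir"
type=PATH msg=audit(1700000000.205:502): item=0 name="/etc/init.d/sshd" inode=9912 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.330:503): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd2 a1=7ffd3 a2=7ffd4 a3=0 items=2 ppid=1200 pid=1260 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="yum" exe="/usr/bin/yum" key="packagemanagerusage"
type=PATH msg=audit(1700000000.330:503): item=0 name="/usr/bin/yum" inode=1201 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.440:504): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd5 a2=0 a3=0 items=1 ppid=1200 pid=1270 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=4 comm="less" exe="/usr/bin/less" key="unrelatedkey"
"""


if __name__ == "__main__":
    found = correlate(SAMPLE_LOG.splitlines())
    for f in found:
        print(f["serial"], f["component"], f["auid"], f["exe"], f["paths"], f["errno"])
    print(summarize(found))
```

Running it against a real host's /var/log/audit/audit.log after the rules are loaded is a quick way to confirm that each of the three keys is actually producing records before relying on the corresponding LogRhythm report; ausearch -k with the same key names gives an equivalent check from the host side.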
