NERC – Investigations

Requirement IDs in the table are abbreviated NERC CIP standard and requirement references: 007-5 R4, for example, is CIP-007-5 Requirement R4. Data Source is the LogRhythm component the investigation is run against (Log Manager, Event Manager, or Log Mart).
Investigation Name | Description | Directly Meets Requirements | Augment Requirements | Data Source | Intelligent Indexing | Classifications | Log Sources | ID |
---|---|---|---|---|---|---|---|---|
NERC-CIP: Access Failure Detail | This investigation provides detail around access failure activity within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4, 005-5 R1 | Log Manager | Yes | Audit: Access Failure | NERC-CIP: BES Cyber Systems; NERC-CIP: Electronic Security Perimeter | 330 |
NERC-CIP: Account Management Activity | This investigation provides detail of account management activity (account created, account deleted, and account modified) by account within the organization's BES Cyber Systems. | 007-5 R4, 007-5 R5, 004-5 R5 | 007-5 R4, 004-5 R4, 004-5 R5, 005-5 R1 | Log Manager | Yes | Audit: Account Created; Audit: Account Deleted; Audit: Account Modified | NERC-CIP: All Log Sources | 324 |
NERC-CIP: Attack Detected Detail | This investigation provides detail on any attack detected against the environment. | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4 | Event Manager | Yes | Security: Attack | NERC-CIP: All Log Sources | 357 |
NERC-CIP: Authentication Failure Detail | This investigation provides detail around any authentication failure activity within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4, 005-5 R1 | Event Manager | Yes | Audit: Authentication Failure | NERC-CIP: All Log Sources | 329 |
NERC-CIP: Backup Critical/Error Status Detail | This investigation provides detail on any backup system status of "critical" or "error" within the environment. | N/A | 011-1 R1, 009-5 R1 | Log Manager | Yes | Operations: Critical | NERC-CIP: All Log Sources | 361 |
NERC-CIP: Compromise Detected Detail | This investigation provides detail on any compromise detected within the environment. | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4 | Event Manager | Yes | Security: Compromise | NERC-CIP: All Log Sources | 358 |
NERC-CIP: Concur VPN Auths Same User Detail | This investigation provides detail on any concurrent VPN authentication activity by the same user that could be indicative of a compromised account. | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 005-5 R1, 005-5 R2 | Event Manager | Yes | Security: Suspicious | NERC-CIP: Electronic Security Perimeter | 359 |
NERC-CIP: Config/Policy Change Detail | This investigation provides detail on any configuration or policy change within the environment. | N/A | 010-1 R1, 010-1 R2, 010-1 R3 | Log Manager | No | Audit: Configuration | NERC-CIP: All Log Sources | 362 |
NERC-CIP: Data Loss Defender Detail | This investigation provides detail on any LogRhythm Data Loss Defender activity within the environment. | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 011-1 R1, 009-5 R1 | Log Manager | Yes | Security: Compromise | NERC-CIP: All Log Sources | 365 |
NERC-CIP: Default Act Auth/Accs Failure Detail | This investigation provides detail around access or authentication failures for the defined default accounts within the environment. | 007-5 R4, 007-5 R5, 007 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Authentication Failure | NERC-CIP: All Log Sources | 343 |
NERC-CIP: Default Act Auth/Accs Success Detail | This investigation provides detail around access or authentication successes for the defined default accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Log Mart | No | Audit: Authentication Success | NERC-CIP: All Log Sources | 344 |
NERC-CIP: Default Act Management Detail | This investigation provides detail around account modification activities for the defined default accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Account Created; Audit: Account Deleted; Audit: Account Modified | NERC-CIP: All Log Sources | 345 |
NERC-CIP: ESP Ingress/Egress Net Detail | This investigation provides detail on protocol communication (network allow/deny) that is ingress to or egress from the electronic security perimeter. | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 005-5 R1, 005-5 R2 | Event Manager | No | Operations: Network Allow; Operations: Network Deny | NERC-CIP: Electronic Security Perimeter | 350 |
NERC-CIP: Host Authentication Success Detail | This investigation provides detail for account authentication success activity within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4, 005-5 R1 | Log Manager | No | Audit: Authentication Success | NERC-CIP: BES Cyber Systems; NERC-CIP: Electronic Security Perimeter | 327 |
NERC-CIP: Int Acct Created, Used, Deleted | This investigation provides detail relating to the AI Engine (AIE) rule configured to identify when an account is created, used, and then deleted within the environment. | 005-5 R1, 007-5 R4, 007-5 R5 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 004-5 R4 | Event Manager | Yes | Security: Suspicious | NERC-CIP: All Log Sources | 325 |
NERC-CIP: Malware Detected Detail | This investigation provides detail on any malware detected within the environment. | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4 | Event Manager | Yes | Security: Malware | NERC-CIP: All Log Sources | 356 |
NERC-CIP: Non-encrypted Protocol | This investigation provides detail when any unencrypted network traffic is detected. | N/A | 005-5 R1, 005-5 R2, 011-1 R1 | Log Manager | No | Audit | NERC-CIP: All Log Sources | 348 |
NERC-CIP: Password Modified Detail | This investigation provides detail when any account password is modified within the environment. | N/A | 004-5 R5, 007 R5 | Event Manager | No | Audit: Account Modified | NERC-CIP: All Log Sources | 347 |
NERC-CIP: Patches or Signatures Updated Detail | This investigation provides detail on any patch or signature update that occurs within the environment. | 007-5 R4 | 007-5 R2, 007-5 R3, 007-5 R4, 010-1 R1, 010-1 R2, 010-1 R3 | Log Manager | No | Operations | NERC-CIP: All Log Sources | 360 |
NERC-CIP: Physical Access Detail | This investigation provides detail around any access success or suspicious door activity associated with the physical security perimeter. | 007-5 R4, 007-5 R5, 004-5 R5, 006-5 R1 | 007-5 R4, 004-5 R4, 004-5 R5, 006-5 R2 | Event Manager | No | Audit: Authentication Success; Audit: Access Success; Audit: Authentication Failure; Audit: Access Failure | NERC-CIP: Physical Security Perimeter | 346 |
NERC-CIP: Priv Act Auth/Accs Failure Detail | This investigation provides detail around access or authentication failures for the defined privileged accounts within the environment. | 007-5 R4, 007-5 R5, 007 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Authentication Failure; Audit: Access Failure | NERC-CIP: All Log Sources | 334 |
NERC-CIP: Priv Act Auth/Accs Success Detail | This investigation provides detail around access or authentication successes for the defined privileged accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Log Mart | Yes | Audit: Authentication Success | NERC-CIP: All Log Sources | 335 |
NERC-CIP: Priv Act Management Detail | This investigation provides detail around account modification activities for the defined privileged accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Account Created; Audit: Account Deleted; Audit: Account Modified | NERC-CIP: All Log Sources | 336 |
NERC-CIP: Priv Group Access Granted Detail | This investigation provides detail when an account is added to a privileged account group, based on the groups defined in the NERC-CIP: Default Privileged Group List. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4, 011-1 R1 | Log Manager | Yes | Audit: Access Granted | NERC-CIP: BES Cyber Systems; NERC-CIP: Electronic Security Perimeter | 326 |
NERC-CIP: Rogue WAP Detected Detail | This investigation provides detail on any detected rogue wireless access point. | 005-5 R1 | 005-5 R1, 005-5 R2 | Log Manager | Yes | Security: Suspicious | NERC-CIP: Electronic Security Perimeter | 351 |
NERC-CIP: Shared Act Auth/Accs Failure Detail | This investigation provides detail around access or authentication failures for the defined shared accounts within the environment. | 007-5 R4, 007-5 R5, 007 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Authentication Failure; Audit: Access Failure | NERC-CIP: All Log Sources | 337 |
NERC-CIP: Shared Act Auth/Accs Success Detail | This investigation provides detail around access or authentication successes for the defined shared accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Log Mart | No | Audit: Access Success | NERC-CIP: All Log Sources | 338 |
NERC-CIP: Shared Act Management Detail | This investigation provides detail around account modification activities for the defined shared accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Event Manager | No | Audit: Account Created; Audit: Account Deleted; Audit: Account Modified | NERC-CIP: All Log Sources | 339 |
NERC-CIP: Software Installation Detail | This investigation provides detail on any instance where software is installed within the environment. | N/A | 010-1 R1, 010-1 R2, 010-1 R3 | Log Manager | Yes | Audit: Configuration | NERC-CIP: All Log Sources | 363 |
NERC-CIP: Suspicious Activity Detail | This investigation provides detail around any suspicious activity within the environment and includes the raw logs associated with the suspicious activity. | 005-5 R1, 007-5 R4, 007-5 R5 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 004-5 R4 | Log Manager | Yes | Security: Suspicious | NERC-CIP: BES Cyber Systems; NERC-CIP: Electronic Security Perimeter | 328 |
NERC-CIP: System Critical/Error Status Detail | This investigation provides detail around any system experiencing a "critical" or "error" status. | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 005-5 R1, 005-5 R2 | Log Manager | Yes | Operations: Critical | NERC-CIP: All Log Sources | 349 |
NERC-CIP: Term Act Auth/Accs Failure Detail | This investigation provides detail around access or authentication failures for the defined terminated accounts within the environment. | 007-5 R4, 007-5 R5, 007 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Authentication Failure; Audit: Access Failure | NERC-CIP: All Log Sources | 340 |
NERC-CIP: Term Act Auth/Accs Success Detail | This investigation provides detail around access or authentication successes for the defined terminated accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Log Mart | No | Audit: Authentication Success; Audit: Access Success | NERC-CIP: All Log Sources | 341 |
NERC-CIP: Term Act Management Detail | This investigation provides detail around account modification activities for the defined terminated accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Account Created; Audit: Account Deleted; Audit: Account Modified | NERC-CIP: All Log Sources | 342 |
NERC-CIP: Vendor Act Auth/Accs Failure Detail | This investigation provides detail around access or authentication failures for the defined vendor accounts within the environment. | 007-5 R4, 007-5 R5, 007 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Authentication Failure; Audit: Access Failure | NERC-CIP: All Log Sources | 331 |
NERC-CIP: Vendor Act Auth/Accs Success Detail | This investigation provides detail around access or authentication successes for the defined vendor accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Log Manager | No | Audit: Authentication Success; Audit: Access Success | NERC-CIP: All Log Sources | 332 |
NERC-CIP: Vendor Act Management Detail | This investigation provides detail around account modification activities for the defined vendor accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Log Mart | Yes | Audit: Account Created; Audit: Account Deleted; Audit: Account Modified | NERC-CIP: All Log Sources | 333 |
NERC-CIP: VPN Node Registration Failure Detail (Auth) | This investigation provides detail on any VPN node registration (authentication) failure for the defined authorized VPN accounts. | N/A | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Authentication Failure | NERC-CIP: Electronic Security Perimeter | 352 |
NERC-CIP: VPN Node Registration Failure Detail (un-Auth) | This investigation provides detail on any VPN node registration (authentication) failure for accounts not defined as authorized VPN accounts. | N/A | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Authentication Failure | NERC-CIP: Electronic Security Perimeter | 353 |
NERC-CIP: Vulnerability Detected Detail | This investigation provides detail on any vulnerabilities detected within the environment. | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 010-1 R3 | Log Manager | Yes | Security: Vulnerability | NERC-CIP: All Log Sources | 354 |
NERC-CIP: Windows Firewall Change Detail | This investigation provides detail on any Windows Firewall change that takes place at the electronic security perimeter. | N/A | 010-1 R1, 010-1 R2, 010-1 R3 | Log Manager | No | Audit: Configuration | NERC-CIP: Electronic Security Perimeter | 364 |
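Two of the investigations in the table, NERC-CIP: Concur VPN Auths Same User Detail and NERC-CIP: Int Acct Created, Used, Deleted, are correlation rules rather than single-classification filters: the first needs two successful VPN authentications by one account from different origins inside a time window, the second needs a create, use, delete sequence for one account, in that order. The Python below is an added illustration of that correlation logic run over constructed sample events; it is not LogRhythm code and not the module's AI Engine rule. The normalized field names (ts, cls, host, src, login, target), the VPN gateway host name vpn-gw1, the ten-minute and one-hour windows, and every event in SAMPLE_EVENTS are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, cls, host, src, login, target=None):
    """Build a normalized event. Field names are assumed for this example:
    login is the account performing the action, target the account acted on."""
    return {"ts": datetime.fromisoformat(ts), "cls": cls, "host": host,
            "src": src, "login": login, "target": target}


# Constructed sample events (not real logs); addresses are documentation ranges.
SAMPLE_EVENTS = [
    # j.doe authenticates to the VPN gateway from two different addresses 3 minutes apart
    ev("2024-03-01T08:00:00", "Audit: Authentication Success", "vpn-gw1", "198.51.100.10", "j.doe"),
    ev("2024-03-01T08:03:00", "Audit: Authentication Success", "vpn-gw1", "203.0.113.77", "j.doe"),
    # a.smith reconnects from the same address: a benign re-authentication
    ev("2024-03-01T08:10:00", "Audit: Authentication Success", "vpn-gw1", "192.0.2.5", "a.smith"),
    ev("2024-03-01T08:12:00", "Audit: Authentication Success", "vpn-gw1", "192.0.2.5", "a.smith"),
    # admin creates svc_tmp, svc_tmp logs on to an HMI, admin deletes svc_tmp 20 minutes later
    ev("2024-03-01T09:00:00", "Audit: Account Created", "dc01", "10.0.0.5", "admin", target="svc_tmp"),
    ev("2024-03-01T09:05:00", "Audit: Authentication Success", "hmi01", "10.0.0.9", "svc_tmp"),
    ev("2024-03-01T09:20:00", "Audit: Account Deleted", "dc01", "10.0.0.5", "admin", target="svc_tmp"),
    # normal provisioning: created and used, never deleted
    ev("2024-03-01T10:00:00", "Audit: Account Created", "dc01", "10.0.0.5", "admin", target="new.hire"),
    ev("2024-03-01T10:30:00", "Audit: Authentication Success", "ws07", "10.0.0.21", "new.hire"),
]


def concurrent_vpn_auths(events, vpn_hosts, window=timedelta(minutes=10)):
    """Concur VPN Auths Same User: one account authenticating successfully to a
    VPN gateway from two different source addresses within `window`.
    Returns (account, first_src, second_src) tuples in time order."""
    by_user = defaultdict(list)
    for e in events:
        if e["cls"] == "Audit: Authentication Success" and e["host"] in vpn_hosts:
            by_user[e["login"]].append(e)
    hits = []
    for user, auths in by_user.items():
        auths.sort(key=lambda e: e["ts"])
        for i, first in enumerate(auths):
            for second in auths[i + 1:]:
                if second["ts"] - first["ts"] > window:
                    break  # the list is sorted, so later events are further away still
                if second["src"] != first["src"]:
                    hits.append((user, first["src"], second["src"]))
    return hits


def interim_accounts(events, window=timedelta(hours=1)):
    """Int Acct Created, Used, Deleted: an account that is created, then used to
    authenticate, then deleted, in that order and within `window` of creation.
    Order matters: a deletion with no intervening use is not flagged."""
    created, used, hits = {}, {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        acct = e["target"] or e["login"]  # the account this event is about
        if e["cls"] == "Audit: Account Created":
            created[acct] = e
            used.pop(acct, None)  # a re-created account starts a new sequence
        elif e["cls"] == "Audit: Authentication Success" and acct in created:
            used[acct] = e
        elif e["cls"] == "Audit: Account Deleted" and acct in used:
            c = created.pop(acct)
            used.pop(acct)
            if e["ts"] - c["ts"] <= window:
                hits.append({"account": acct, "created_by": c["login"],
                             "deleted_by": e["login"], "lifetime": e["ts"] - c["ts"]})
    return hits


if __name__ == "__main__":
    for hit in concurrent_vpn_auths(SAMPLE_EVENTS, {"vpn-gw1"}):
        print("concurrent VPN auth:", hit)
    for hit in interim_accounts(SAMPLE_EVENTS):
        print("interim account:", hit)
```

Both rules only work if the account fields are populated consistently across log sources: the create and delete events must carry the affected account in a separate field from the acting administrator, and the VPN gateway must report the client's real origin address rather than the gateway's own. A source that does not meet that is why the Log Sources and Classifications columns in the table matter as much as the requirement mappings.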