Requirement references are abbreviated in the form `standard-version Rn`: `007-5 R4` means NERC CIP-007-5 Requirement R4.

| Investigation Name | Description | Directly Meets Requirements | Augments Requirements | Data Source | Intelligent Indexing | Classifications | Log Sources | ID |
|---|---|---|---|---|---|---|---|---|
| NERC-CIP: Access Failure Detail | This investigation provides detail around access failure activity within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4, 005-5 R1 | Log Manager | Yes | Audit: Access Failure | NERC-CIP: BES Cyber Systems; NERC-CIP: Electronic Security Perimeter | 330 |
| NERC-CIP: Account Management Activity | This investigation provides detail of account management activity (account created, account deleted, and account modified) by account within the organization's BES Cyber Systems. | 007-5 R4, 007-5 R5, 004-5 R5 | 007-5 R4, 004-5 R4, 004-5 R5, 005-5 R1 | Log Manager | Yes | Audit: Account Created; Audit: Account Deleted; Audit: Account Modified | NERC-CIP: All Log Sources | 324 |
| NERC-CIP: Attack Detected Detail | This investigation provides detail on any attack detected against the environment. | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4 | Event Manager | Yes | Security: Attack | NERC-CIP: All Log Sources | 357 |
| NERC-CIP: Authentication Failure Detail | This investigation provides detail around any authentication failure activity within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4, 005-5 R1 | Event Manager | Yes | Audit: Authentication Failure | NERC-CIP: All Log Sources | 329 |
| NERC-CIP: Backup Critical/Error Status Detail | This investigation provides detail on any backup system reporting a status of "critical" or "error" within the environment. | N/A | 011-1 R1, 009-5 R1 | Log Manager | Yes | Operations: Critical | NERC-CIP: All Log Sources | 361 |
| NERC-CIP: Compromise Detected Detail | This investigation provides detail on any compromise detected within the environment. | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4 | Event Manager | Yes | Security: Compromise | NERC-CIP: All Log Sources | 358 |
| NERC-CIP: Concur VPN Auths Same User Detail | This investigation provides detail on any concurrent VPN authentication activity by the same user, which can indicate a compromised account. | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 005-5 R1, 005-5 R2 | Event Manager | Yes | Security: Suspicious | NERC-CIP: Electronic Security Perimeter | 359 |
| NERC-CIP: Config/Policy Change Detail | This investigation provides detail on any configuration or policy change within the environment. | N/A | 010-1 R1, 010-1 R2, 010-1 R3 | Log Manager | No | Audit: Configuration | NERC-CIP: All Log Sources | 362 |
| NERC-CIP: Data Loss Defender Detail | This investigation provides detail on any LogRhythm Data Loss Defender activity within the environment. | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 011-1 R1, 009-5 R1 | Log Manager | Yes | Security: Compromise | NERC-CIP: All Log Sources | 365 |
| NERC-CIP: Default Act Auth/Accs Failure Detail | This investigation provides detail around access or authentication failures for the defined default accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Authentication Failure | NERC-CIP: All Log Sources | 343 |
| NERC-CIP: Default Act Auth/Accs Success Detail | This investigation provides detail around access or authentication successes for the defined default accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Log Mart | No | Audit: Authentication Success | NERC-CIP: All Log Sources | 344 |
| NERC-CIP: Default Act Management Detail | This investigation provides detail around account modification activities for the defined default accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Account Created; Audit: Account Deleted; Audit: Account Modified | NERC-CIP: All Log Sources | 345 |
| NERC-CIP: ESP Ingress/Egress Net Detail | This investigation provides detail on protocol communication (network allow/deny) that is ingress to or egress from the Electronic Security Perimeter. | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 005-5 R1, 005-5 R2 | Event Manager | No | Operations: Network Allow; Operations: Network Deny | NERC-CIP: Electronic Security Perimeter | 350 |
| NERC-CIP: Host Authentication Success Detail | This investigation provides detail on account authentication success activity within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4, 005-5 R1 | Log Manager | No | Audit: Authentication Success | NERC-CIP: BES Cyber Systems; NERC-CIP: Electronic Security Perimeter | 327 |
| NERC-CIP: Int Acct Created, Used, Deleted | This investigation provides detail relating to the AI Engine (AIE) rule that identifies when an account is created, used, and then deleted within the environment. | 005-5 R1, 007-5 R4, 007-5 R5 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 004-5 R4 | Event Manager | Yes | Security: Suspicious | NERC-CIP: All Log Sources | 325 |
| NERC-CIP: Malware Detected Detail | This investigation provides detail on any malware detected within the environment. | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4 | Event Manager | Yes | Security: Malware | NERC-CIP: All Log Sources | 356 |
| NERC-CIP: Non-encrypted Protocol | This investigation provides detail whenever unencrypted network traffic is detected. | N/A | 005-5 R1, 005-5 R2, 011-1 R1 | Log Manager | No | Audit | NERC-CIP: All Log Sources | 348 |
| NERC-CIP: Password Modified Detail | This investigation provides detail whenever an account password is modified within the environment. | N/A | 004-5 R5, 007-5 R5 | Event Manager | No | Audit: Account Modified | NERC-CIP: All Log Sources | 347 |
| NERC-CIP: Patches or Signatures Updated Detail | This investigation provides detail on any patch or signature update that occurs within the environment. | 007-5 R4 | 007-5 R3, 007-5 R4, 007-5 R2, 010-1 R1, 010-1 R2, 010-1 R3 | Log Manager | No | Operations | NERC-CIP: All Log Sources | 360 |
| NERC-CIP: Physical Access Detail | This investigation provides detail around any access success or suspicious door activity associated with the Physical Security Perimeter. | 007-5 R4, 007-5 R5, 004-5 R5, 006-5 R1 | 007-5 R4, 004-5 R4, 004-5 R5, 006-5 R2 | Event Manager | No | Audit: Authentication Success; Audit: Access Success; Audit: Authentication Failure; Audit: Access Failure | NERC-CIP: Physical Security Perimeter | 346 |
| NERC-CIP: Priv Act Auth/Accs Failure Detail | This investigation provides detail around access or authentication failures for the defined privileged accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Authentication Failure; Audit: Access Failure | NERC-CIP: All Log Sources | 334 |
| NERC-CIP: Priv Act Auth/Accs Success Detail | This investigation provides detail around access or authentication successes for the defined privileged accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Log Mart | Yes | Audit: Authentication Success | NERC-CIP: All Log Sources | 335 |
| NERC-CIP: Priv Act Management Detail | This investigation provides detail around account modification activities for the defined privileged accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Account Created; Audit: Account Deleted; Audit: Account Modified | NERC-CIP: All Log Sources | 336 |
| NERC-CIP: Priv Group Access Granted Detail | This investigation provides detail whenever an account is added to a privileged group defined in the NERC-CIP: Default Privileged Group List. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4, 011-1 R1 | Log Manager | Yes | Audit: Access Granted | NERC-CIP: BES Cyber Systems; NERC-CIP: Electronic Security Perimeter | 326 |
| NERC-CIP: Rogue WAP Detected Detail | This investigation provides detail on any detected rogue wireless access point. | 005-5 R1 | 005-5 R1, 005-5 R2 | Log Manager | Yes | Security: Suspicious | NERC-CIP: Electronic Security Perimeter | 351 |
| NERC-CIP: Shared Act Auth/Accs Failure Detail | This investigation provides detail around access or authentication failures for the defined shared accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Authentication Failure; Audit: Access Failure | NERC-CIP: All Log Sources | 337 |
| NERC-CIP: Shared Act Auth/Accs Success Detail | This investigation provides detail around access or authentication successes for the defined shared accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Log Mart | No | Audit: Access Success | NERC-CIP: All Log Sources | 338 |
| NERC-CIP: Shared Act Management Detail | This investigation provides detail around account modification activities for the defined shared accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Event Manager | No | Audit: Account Created; Audit: Account Deleted; Audit: Account Modified | NERC-CIP: All Log Sources | 339 |
| NERC-CIP: Software Installation Detail | This investigation provides detail on any instance of software being installed within the environment. | N/A | 010-1 R1, 010-1 R2, 010-1 R3 | Log Manager | Yes | Audit: Configuration | NERC-CIP: All Log Sources | 363 |
| NERC-CIP: Suspicious Activity Detail | This investigation provides detail around any suspicious activity within the environment and includes the raw logs associated with that activity. | 005-5 R1, 007-5 R4, 007-5 R5 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 004-5 R4 | Log Manager | Yes | Security: Suspicious | NERC-CIP: BES Cyber Systems; NERC-CIP: Electronic Security Perimeter | 328 |
| NERC-CIP: System Critical/Error Status Detail | This investigation provides detail around any system reporting a "critical" or "error" status. | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 005-5 R1, 005-5 R2 | Log Manager | Yes | Operations: Critical | NERC-CIP: All Log Sources | 349 |
| NERC-CIP: Term Act Auth/Accs Failure Detail | This investigation provides detail around access or authentication failures for the defined terminated accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Authentication Failure; Audit: Access Failure | NERC-CIP: All Log Sources | 340 |
| NERC-CIP: Term Act Auth/Accs Success Detail | This investigation provides detail around access or authentication successes for the defined terminated accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Log Mart | No | Audit: Authentication Success; Audit: Access Success | NERC-CIP: All Log Sources | 341 |
| NERC-CIP: Term Act Management Detail | This investigation provides detail around account modification activities for the defined terminated accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Account Created; Audit: Account Deleted; Audit: Account Modified | NERC-CIP: All Log Sources | 342 |
| NERC-CIP: Vendor Act Auth/Accs Failure Detail | This investigation provides detail around access or authentication failures for the defined vendor accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Authentication Failure; Audit: Access Failure | NERC-CIP: All Log Sources | 331 |
| NERC-CIP: Vendor Act Auth/Accs Success Detail | This investigation provides detail around access or authentication successes for the defined vendor accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Log Manager | No | Audit: Authentication Success; Audit: Access Success | NERC-CIP: All Log Sources | 332 |
| NERC-CIP: Vendor Act Management Detail | This investigation provides detail around account modification activities for the defined vendor accounts within the environment. | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Log Mart | Yes | Audit: Account Created; Audit: Account Deleted; Audit: Account Modified | NERC-CIP: All Log Sources | 333 |
| NERC-CIP: VPN Node Registration Failure Detail (Auth) | This investigation provides detail on any VPN node registration (authentication) failure for accounts defined as authorized VPN accounts. | N/A | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Authentication Failure | NERC-CIP: Electronic Security Perimeter | 352 |
| NERC-CIP: VPN Node Registration Failure Detail (un-Auth) | This investigation provides detail on any VPN node registration (authentication) failure for accounts not defined as authorized VPN accounts. | N/A | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Authentication Failure | NERC-CIP: Electronic Security Perimeter | 353 |
| NERC-CIP: Vulnerability Detected Detail | This investigation provides detail on any vulnerabilities detected within the environment. | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 010-1 R3 | Log Manager | Yes | Security: Vulnerability | NERC-CIP: All Log Sources | 354 |
| NERC-CIP: Windows Firewall Change Detail | This investigation provides detail on any Windows Firewall change that takes place at the Electronic Security Perimeter. | N/A | 010-1 R1, 010-1 R2, 010-1 R3 | Log Manager | No | Audit: Configuration | NERC-CIP: Electronic Security Perimeter | 364 |
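Two investigations in the table, "Int Acct Created, Used, Deleted" (ID 325) and "Concur VPN Auths Same User Detail" (ID 359), are driven by correlation across several events rather than by a single classification, and the table describes them only by their outcome. The Python below is an added example, not LogRhythm's AI Engine rule logic and not code from this page, showing the sequence logic such rules implement over a small set of constructed audit events. The pipe-delimited event format, the field names, the 24-hour and 30-minute windows, and the reading of "concurrent" as two successful VPN authentications by one account from different source addresses within the window are all assumptions of the example.

```python
"""Sequence detections over normalized audit events (constructed sample data).

Illustrates the logic behind two correlation-driven investigations:
  - account created, then used to authenticate, then deleted (ID 325)
  - concurrent VPN authentications by the same user (ID 359)
Event layout, window sizes and the pipe-delimited format are assumptions
made for this example, not LogRhythm's own rule definitions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    classification: str  # common-event classification, e.g. "Audit: Account Created"
    account: str
    src_ip: str
    source: str          # originating log source; "vpn" marks the VPN concentrator


def parse_event(line: str) -> Event:
    """Parse one constructed line: ts|classification|account|src_ip|source."""
    ts, cls, acct, ip, src = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), cls, acct, ip, src)


# Constructed sample events (not real logs). svc_tmp is the pattern rule 325
# looks for; rlee authenticates to the VPN from two addresses 12 minutes apart.
SAMPLE_LOGS = """\
2024-03-04T08:00:00|Audit: Account Created|svc_tmp|10.1.1.5|dc01
2024-03-04T08:05:00|Audit: Authentication Success|svc_tmp|10.1.1.5|dc01
2024-03-04T08:40:00|Audit: Account Deleted|svc_tmp|10.1.1.5|dc01
2024-03-04T09:00:00|Audit: Account Created|jsmith|10.1.1.5|dc01
2024-03-04T09:10:00|Audit: Authentication Success|jsmith|10.1.1.7|dc01
2024-03-04T11:00:00|Audit: Account Deleted|old_svc|10.1.1.5|dc01
2024-03-04T12:00:00|Audit: Authentication Success|rlee|203.0.113.10|vpn
2024-03-04T12:12:00|Audit: Authentication Success|rlee|198.51.100.4|vpn
2024-03-04T12:15:00|Audit: Authentication Success|mkhan|203.0.113.20|vpn
2024-03-04T15:00:00|Audit: Authentication Success|mkhan|203.0.113.20|vpn
"""


def load_sample() -> list[Event]:
    return [parse_event(line) for line in SAMPLE_LOGS.splitlines() if line]


def detect_create_use_delete(events, window=timedelta(hours=24)):
    """Accounts created, then authenticated with, then deleted, in that order,
    with the deletion no more than `window` after the creation.

    Returns (account, created_ts, first_use_ts, deleted_ts) tuples.
    A create without a use (jsmith) or a delete of an account never seen
    created (old_svc) does not fire.
    """
    by_account: dict[str, list[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(e.account, []).append(e)

    hits = []
    for account, evs in by_account.items():
        created = used = None
        for e in evs:
            if e.classification == "Audit: Account Created":
                created, used = e.ts, None          # (re)start the sequence
            elif created is not None and e.classification == "Audit: Authentication Success":
                used = used or e.ts                 # remember the first use only
            elif e.classification == "Audit: Account Deleted":
                if created is not None and used is not None and e.ts - created <= window:
                    hits.append((account, created, used, e.ts))
                created = used = None               # sequence consumed either way
    return hits


def detect_concurrent_vpn(events, window=timedelta(minutes=30)):
    """Accounts with two successful VPN authentications from different source
    addresses within `window` of each other (the assumed meaning of "concurrent").

    Returns sorted, deduplicated (account, earlier_ip, later_ip) tuples.
    """
    vpn = sorted(
        (e for e in events
         if e.source == "vpn" and e.classification == "Audit: Authentication Success"),
        key=lambda e: e.ts,
    )
    hits = set()
    for i, a in enumerate(vpn):
        for b in vpn[i + 1:]:
            if b.ts - a.ts > window:
                break                               # sorted, so nothing later is closer
            if b.account == a.account and b.src_ip != a.src_ip:
                hits.add((a.account, a.src_ip, b.src_ip))
    return sorted(hits)


if __name__ == "__main__":
    events = load_sample()
    for hit in detect_create_use_delete(events):
        print("created/used/deleted:", hit)
    for hit in detect_concurrent_vpn(events):
        print("concurrent VPN auths:", hit)
```

On the sample, only `svc_tmp` satisfies the create/use/delete sequence and only `rlee` trips the concurrent-VPN check; `mkhan` authenticates twice but from the same address and hours apart. In a real deployment the VPN check would key on the concentrator's session identifiers and account for NAT or roaming clients, which this example deliberately does not model.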