
NERC – Lists

Each entry below gives the list name, the list type, the description, the AIE rules, reports and investigations that use the list, and the list ID.

List Name: NERC-CIP: All Log Sources

List Type: Log Sources

ID: -2391

Description: This list is automatically populated with all relevant NERC-CIP Log Sources (NERC-CIP: BES Cyber Systems, NERC-CIP: Electronic Security Perimeter, NERC-CIP: Physical Security Perimeter).

AIE Rules / Reports / Investigations:
  NERC-CIP: Backup Critical/Error Rule
  NERC-CIP: Software Status Change After Attack
  NERC-CIP: Suspicious Activity Rule
  NERC-CIP: System Critical/Error Status Rule
  NERC-CIP: System Time Change After Attack
  NERC-CIP: Alarm and Response Summary
  NERC-CIP: Attack Detected Summary
  NERC-CIP: Backup Critical/Error Status Summary
  NERC-CIP: Backup Ops Status Summary
  NERC-CIP: Compromise Detected Summary
  NERC-CIP: Concur VPN Auths Same User
  NERC-CIP: Config/Policy Change Summary
  NERC-CIP: Data Loss Defender Summary
  NERC-CIP: Files Deleted by Admin
  NERC-CIP: Group/Role Created Summary
  NERC-CIP: Group/Role Deleted Summary
  NERC-CIP: Group/Role Modified Summary
  NERC-CIP: Int Acct Created, Used, Deleted
  NERC-CIP: Malware Detected Summary
  NERC-CIP: Password Modified Summary
  NERC-CIP: Port Misuse Summary
  NERC-CIP: Rogue WAP Detected Summary
  NERC-CIP: Security Events Exec Summary
  NERC-CIP: Security Failure Exec Summary
  NERC-CIP: Software Installation Summary
  NERC-CIP: Software Status Change After Attack
  NERC-CIP: Status Change of Dvc Connected to Host
  NERC-CIP: System Critical/Error Status Summary
  NERC-CIP: System File Permission Change (Linux)
  NERC-CIP: System File Permission Change (Windows)
  NERC-CIP: System Time Change After Attack
  NERC-CIP: Top Attacker Summary
  NERC-CIP: Top Suspicious Login Summary
  NERC-CIP: Top Targeted Application Summary
  NERC-CIP: Top Targeted Assets Summary
  NERC-CIP: Vulnerability Detected Summary
  NERC-CIP: Attack Detected Detail
  NERC-CIP: Authentication Failure Detail
  NERC-CIP: Backup Critical/Error Status Detail
  NERC-CIP: Compromise Detected Detail
  NERC-CIP: Config/Policy Change Detail
  NERC-CIP: Data Loss Defender Detail
  NERC-CIP: Default Act Auth/Accs Failure Detail
  NERC-CIP: Default Act Auth/Accs Success Detail
  NERC-CIP: Default Act Management Detail
  NERC-CIP: Int Acct Created, Used, Deleted
  NERC-CIP: Malware Detected Detail
  NERC-CIP: Non-encrypted protocol
  NERC-CIP: Password Modified Detail
  NERC-CIP: Patches or Signatures Updated Detail
  NERC-CIP: Priv Act Auth/Accs Failure Detail
  NERC-CIP: Priv Act Auth/Accs Success Detail
  NERC-CIP: Priv Act Management Detail
  NERC-CIP: Shared Act Auth/Accs Failure Detail
  NERC-CIP: Shared Act Auth/Accs Success Detail
  NERC-CIP: Shared Act Management Detail
  NERC-CIP: Software Installation Detail
  NERC-CIP: Suspicious Activity Detail
  NERC-CIP: System Critical/Error Status Detail
  NERC-CIP: Term Act Auth/Accs Failure Detail
  NERC-CIP: Term Act Auth/Accs Success Detail
  NERC-CIP: Term Act Management Detail
  NERC-CIP: Vendor Act Auth/Accs Failure Detail
  NERC-CIP: Vendor Act Auth/Accs Success Detail
  NERC-CIP: Vendor Act Management Detail
  NERC-CIP: Vulnerability Detected Detail

List Name: NERC-CIP: Authorized VPN Accounts

List Type: User

ID: -2387

Description: This list is to be defined and periodically updated by IT Operations to reflect those accounts authorized to connect to the organization's VPN tunnel(s). When established, this list will be used to alert and identify authentication activities for both authorized and unauthorized accounts attempting to connect to the organization's network through a VPN tunnel.

AIE Rules / Reports / Investigations:
  NERC-CIP: VPN Node Registration Fail (Auth)
  NERC-CIP: VPN Node Registration Fail (unAuth)
  NERC-CIP: VPN Node Registration Failure (Auth)
  NERC-CIP: VPN Node Registration Failure (un-Auth)
  NERC-CIP: VPN Node Registration Failure Detail (Auth)
  NERC-CIP: VPN Node Registration Failure Detail (un-Auth)

List Name: NERC-CIP: BES Cyber Systems

List Type: Log Sources

ID: -2379

Description: This log source list represents various BES Cyber Assets related to IT operations that reflect groupings of the BES Cyber System(s).

AIE Rules / Reports / Investigations:
  NERC-CIP: Account Locked or Disabled Rule
  NERC-CIP: Attack Detected Rule
  NERC-CIP: Compromise Detected Rule
  NERC-CIP: Config/Policy Change
  NERC-CIP: Data Destruction Rule
  NERC-CIP: Data Exfiltration Rule
  NERC-CIP: Data Loss Prevention Rule
  NERC-CIP: Default Act Auth/Accs Failure Rule
  NERC-CIP: Files Deleted by Admin
  NERC-CIP: Int Acct Created, Used, Deleted
  NERC-CIP: Malware Detected Rule
  NERC-CIP: Priv Act Auth/Accs Failure Rule
  NERC-CIP: Priv Act Auth/Accs Success Rule
  NERC-CIP: Priv Group Access Granted Rule
  NERC-CIP: Shared Act Auth/Accs Failure Rule
  NERC-CIP: Software Installation Rule
  NERC-CIP: Term Act Auth/Accs Failure Rule
  NERC-CIP: Term Act Auth/Accs Success Rule
  NERC-CIP: Vendor Act Auth/Accs Failure Rule
  NERC-CIP: Vulnerability Detected Rule
  NERC-CIP: Access Failure Summary
  NERC-CIP: Account Management Activity
  NERC-CIP: Authentication Failure Summary
  NERC-CIP: Change in Software Config (Linux)
  NERC-CIP: Change in Software Config (Windows)
  NERC-CIP: Default Act Auth/Accs Failure Summary
  NERC-CIP: Default Act Auth/Accs Success Summary
  NERC-CIP: Default Act Management Summary
  NERC-CIP: Failed File Access (Linux)
  NERC-CIP: Failed File Access (Windows)
  NERC-CIP: Host Authentication Success Summary
  NERC-CIP: Object Creation/Disposal Summary
  NERC-CIP: Priv Act Auth/Accs Failure Summary
  NERC-CIP: Priv Act Auth/Accs Success Summary
  NERC-CIP: Priv Act Management Summary
  NERC-CIP: Priv Group Access Granted Summary
  NERC-CIP: Shared Act Auth/Accs Failure Summary
  NERC-CIP: Shared Act Auth/Accs Success Summary
  NERC-CIP: Shared Act Management Summary
  NERC-CIP: Suspicious Activity Summary
  NERC-CIP: Term Act Auth/Accs Failure Summary
  NERC-CIP: Term Act Auth/Accs Success Summary
  NERC-CIP: Term Act Management Summary
  NERC-CIP: Vendor Act Auth/Accs Failure Summary
  NERC-CIP: Vendor Act Auth/Accs Success Summary
  NERC-CIP: Vendor Act Management Summary
  NERC-CIP: Access Failure Detail
  NERC-CIP: Account Management Activity
  NERC-CIP: Host Authentication Success Detail
  NERC-CIP: Priv Group Access Granted Detail
  NERC-CIP: Suspicious Activity Detail

List Name: NERC-CIP: Default Account List

List Type: User

ID: -2381

Description: This list is to be defined and periodically updated by IT Operations to reflect those default accounts within the environment. The list should be updated periodically according to established reviews of said accounts.

AIE Rules / Reports / Investigations:
  NERC-CIP: Default Act Auth/Accs Failure Rule
  NERC-CIP: Default Act Auth/Accs Failure Summary
  NERC-CIP: Default Act Auth/Accs Success Summary
  NERC-CIP: Default Act Management Summary
  NERC-CIP: Default Act Auth/Accs Failure Detail
  NERC-CIP: Default Act Auth/Accs Success Detail
  NERC-CIP: Default Act Management Detail

List Name: NERC-CIP: Default Privileged Groups List

List Type: General Value

ID: -2388

Description: This list includes default privileged groups across standard operating systems, but can also be customized by the organization to include additional groups considered privileged in nature.

AIE Rules / Reports / Investigations:
  NERC-CIP: Priv Group Access Granted Rule
  NERC-CIP: Priv Group Access Granted Summary
  NERC-CIP: Priv Group Access Granted Detail

List Name: NERC-CIP: Electronic Security Perimeter

List Type: Log Sources

ID: -2389

Description: This log source list represents various network-related systems such as security perimeter enforcing devices (e.g. IPS, firewalls), security perimeter monitoring devices (e.g. IDS), VPNs, wireless access points, remote access devices, anti-malware, etc.

AIE Rules / Reports / Investigations:
  NERC-CIP: Account Locked or Disabled Rule
  NERC-CIP: Attack Detected Rule
  NERC-CIP: Compromise Detected Rule
  NERC-CIP: Concur VPN From Multiple Country
  NERC-CIP: Concur VPN Same User
  NERC-CIP: Concur VPN From Multiple Cities
  NERC-CIP: Concur VPN From Multiple Region
  NERC-CIP: Config/Policy Change
  NERC-CIP: Data Destruction Rule
  NERC-CIP: Data Exfiltration Rule
  NERC-CIP: Data Loss Prevention Rule
  NERC-CIP: ESP Network Allowed Egress Rule
  NERC-CIP: ESP Network Allowed Ingress Rule
  NERC-CIP: ESP Network Denied Egress Rule
  NERC-CIP: ESP Network Denied Ingress Rule
  NERC-CIP: Malware Detected Rule
  NERC-CIP: Port Misuse: FTP
  NERC-CIP: Port Misuse: HTTP
  NERC-CIP: Port Misuse: SSH In
  NERC-CIP: Port Misuse: SSH Out
  NERC-CIP: Rogue WAP Detected Rule
  NERC-CIP: Software Installation Rule
  NERC-CIP: VPN Node Registration Fail (Auth)
  NERC-CIP: VPN Node Registration Fail (un-Auth)
  NERC-CIP: Vulnerability Detected Rule
  NERC-CIP: Windows Firewall Change
  NERC-CIP: Access Failure Summary
  NERC-CIP: Default Act Auth/Accs Failure Summary
  NERC-CIP: Default Act Auth/Accs Success Summary
  NERC-CIP: Default Act Management Summary
  NERC-CIP: ESP Network Allowed Egress Summary
  NERC-CIP: ESP Network Allowed Ingress Summary
  NERC-CIP: ESP Network Denied Egress Summary
  NERC-CIP: ESP Network Denied Ingress Summary
  NERC-CIP: Host Authentication Success Summary
  NERC-CIP: Non-encrypted protocol
  NERC-CIP: Priv Act Auth/Accs Failure Summary
  NERC-CIP: Priv Act Auth/Accs Success Summary
  NERC-CIP: Priv Act Management Summary
  NERC-CIP: Priv Group Access Granted Summary
  NERC-CIP: Shared Act Auth/Accs Failure Summary
  NERC-CIP: Shared Act Auth/Accs Success Summary
  NERC-CIP: Shared Act Management Summary
  NERC-CIP: Suspicious Activity Summary
  NERC-CIP: Term Act Auth/Accs Failure Summary
  NERC-CIP: Term Act Auth/Accs Success Summary
  NERC-CIP: Term Act Management Summary
  NERC-CIP: Vendor Act Auth/Accs Failure Summary
  NERC-CIP: Vendor Act Auth/Accs Success Summary
  NERC-CIP: Vendor Act Management Summary
  NERC-CIP: VPN Node Registration Failure (Auth)
  NERC-CIP: VPN Node Registration Failure (un-Auth)
  NERC-CIP: Windows Firewall Change Summary
  NERC-CIP: Access Failure Detail
  NERC-CIP: Account Management Activity
  NERC-CIP: Concur VPN Auths Same User Detail
  NERC-CIP: ESP Ingress/Egress Net Detail
  NERC-CIP: Host Authentication Success Detail
  NERC-CIP: Priv Group Access Granted Detail
  NERC-CIP: Rogue WAP Detected Detail
  NERC-CIP: Suspicious Activity Detail
  NERC-CIP: VPN Node Registration Failure Detail (Auth)
  NERC-CIP: VPN Node Registration Failure Detail (un-Auth)
  NERC-CIP: Windows Firewall Change Detail

List Name: NERC-CIP: Physical Security Perimeter

List Type: Log Sources

ID: -2390

Description: This log source list represents physical security access systems across various layers of the physical environment.

AIE Rules / Reports / Investigations:
  NERC-CIP: Physical Access Failure Rule
  NERC-CIP: Physical Access Success Rule
  NERC-CIP: Physical Access Summary
  NERC-CIP: Physical Access Detail

List Name: NERC-CIP: Privileged Account List

List Type: User

ID: -2382

Description: This list is to be defined and periodically updated by IT Operations to reflect those accounts within the environment that have privileged and/or administrative access.

AIE Rules / Reports / Investigations:
  NERC-CIP: Priv Act Auth/Accs Failure Rule
  NERC-CIP: Priv Act Auth/Accs Success Rule
  NERC-CIP: Files Deleted by Admin
  NERC-CIP: Priv Act Auth/Accs Success Summary
  NERC-CIP: Priv Act Auth/Accs Failure Summary
  NERC-CIP: Priv Act Management Summary
  NERC-CIP: Files Deleted by Admin
  NERC-CIP: Priv Act Auth/Accs Success Detail
  NERC-CIP: Priv Act Auth/Accs Failure Detail
  NERC-CIP: Priv Act Management Detail

List Name: NERC-CIP: Shared Account List

List Type: User

ID: -2380

Description: This list is to be defined and periodically updated by IT Operations to reflect those shared accounts within the environment.

AIE Rules / Reports / Investigations:
  NERC-CIP: Shared Act Auth/Accs Failure Rule
  NERC-CIP: Shared Act Auth/Accs Failure Summary
  NERC-CIP: Shared Act Auth/Accs Success Summary
  NERC-CIP: Shared Act Management Summary
  NERC-CIP: Shared Act Auth/Accs Failure Detail
  NERC-CIP: Shared Act Auth/Accs Success Detail
  NERC-CIP: Shared Act Management Detail

List Name: NERC-CIP: Terminated Account List

List Type: User

ID: -2383

Description: This list is to be defined and periodically updated by IT Operations to reflect those accounts within the environment that represent terminated users. This list should be updated periodically according to established reviews of said accounts.

AIE Rules / Reports / Investigations:
  NERC-CIP: Term Act Auth/Accs Failure Rule
  NERC-CIP: Term Act Auth/Accs Success Rule
  NERC-CIP: Term Act Auth/Accs Failure Summary
  NERC-CIP: Term Act Auth/Accs Success Summary
  NERC-CIP: Term Act Management Summary
  NERC-CIP: Term Act Auth/Accs Failure Detail
  NERC-CIP: Term Act Auth/Accs Success Detail
  NERC-CIP: Term Act Management Detail

List Name: NERC-CIP: Vendor Account List

List Type: User

ID: -2384

Description: This list is to be defined and periodically updated by IT Operations to reflect those accounts within the environment that represent vendor or third-party accounts.

AIE Rules / Reports / Investigations:
  AIE: NERC-CIP: Vendor Act Auth/Accs Failure Rule
  NERC-CIP: Vendor Act Auth/Accs Failure Summary
  NERC-CIP: Vendor Act Auth/Accs Success Summary
  NERC-CIP: Vendor Act Management Summary
  NERC-CIP: Vendor Act Auth/Accs Failure Detail
  NERC-CIP: Vendor Act Auth/Accs Success Detail
  NERC-CIP: Vendor Act Management Detail
