NERC – Reports
Report Name | Description | ID | Directly Meet Requirements | Augmented Requirements | Data Source | Intelligent Indexing | Classifications | Log Sources |
---|---|---|---|---|---|---|---|---|
NERC-CIP: Access Failure Summary | This report provides a summary of access failures by origin login within the organization infrastructure. | 1303 | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4, 005-5 R1 | Log Manager | Yes | Audit : Access Failure | NERC-CIP: BES Cyber Systems NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Account Management Activity | This report summarizes account management activity (account created, account deleted, and account modified) by account within the organization's BES Cyber Systems. | 1296 | 007-5 R4, 007-5 R5, 004-5 R5 | 07-5 R4, 004-5 R4, 004-5 R5, 005-5 R1 | Log Mart | Yes | Audit: Account Created Audit: Account Deleted Audit: Account Modified | NERC-CIP: BES Cyber Systems |
NERC-CIP: Alarm and Response Summary | This report provides a summary of all LogRhythm alarm and response activity by Entity, by day. | 1342 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4 | Event Manager | N/A | N/A | NERC-CIP: All Log Sources |
NERC-CIP: Attack Detected Summary | This report provides a summary of detected attacks by Entity and Impacted Host. | 1338 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 0085 R2, 008-5 R3, 007-5 R4 | Event Manager | Yes | Event Management | All Available Log Sources |
NERC-CIP: Authentication Failure Summary | This report provides a summary of all authentication failures regardless of account type and across all log sources. | 1302 | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4, 005-5 R1 | Log Mart | Yes | Audit : Authentication Failure | NERC-CIP: BES Cyber Systems |
NERC-CIP: Backup Critical/Error Status Summary | This report provides a summary of critical failures and errors from backup software by Impacted Host. This is based on the configured AIE rule. | 1345 | N/A | 011-1 R1, 009-5 R1 | Event Manager | Yes | Operations : Critical | All Available Log Sources |
NERC-CIP: Backup Ops Status Summary | This report provides a summary of all backup software operations by impacted host across the environment. | 1346 | N/A | 011-1 R1, 009-5 R1 | Log Mart | No | Operations : Information | NERC-CIP: All Log Sources |
NERC-CIP: Change in Software Config (Linux) | This report provides summary information around any change in the software configuration status specific to a Linux environment. Customization is required to establish a modified audited base rule which parses a unique key value specified in an auditd.conf file. Auditd.conf must be configured to apply this unique value to certain types of audit logs (in this case execution attempts of standard package managers, yum, rpm etc.). | 1350 | N/A | 010-1 R1, 010-1 R2, 010-1 R3 | Log Manager | Yes | Operations : Configuration | NERC-CIP: BES Cyber Systems |
NERC-CIP: Change in Software Config (Windows) | This report provides summary information around any changes in software configuration status specific to a Windows environment. This report looks for logs of Windows software installed and uninstalled common events against Windows-only log source types. | 1349 | N/A | 010-1 R1, 010-1 R2, 010-1 R3 | Log Manager | Yes | Operations : Configuration | NERC-CIP: BES Cyber Systems |
NERC-CIP: Compromise Detected Summary | This report provides a summary of compromise activity by Impacted Host and is based on the configured AIE rule. | 1341 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4 | Event Manager | Yes | Security : Compromise | All Available Log Sources |
NERC-CIP: Concur VPN Auths Same User | This report provides summary information around concurrent VPN authentications from the same user account based on the configured AIE rules. | 1328 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 005-5 R1, 005-5 R2 | Event Manager | Yes | Security : Suspicious | All Available Log Sources |
NERC-CIP: Config/Policy Change Summary | This report provides summary information around any configuration or policy change that occurs throughout the environment. This is based on the configured AIE rule. | 1347 | N/A | 010-1 R1, 010-1 R2, 010-1 R3 | Event Manager | Yes | Audit : Configuration Audit : Policy | All Available Log Sources |
NERC-CIP: Data Loss Defender Summary | This report provides summary information on data generated by the LogRhythm Data Loss Defender. Data is grouped by Entity, Impacted Host, Common Event, and Object with a count of how many times that condition has been experienced within the reporting period. This is based on the configured AIE rules. | 1340 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 011-1 R1, 009-5 R1 | Event Manager | Yes | Audit : Configuration Security : Compromise | All Available Log Sources |
NERC-CIP: Default Act Auth/Accs Failure Summary | This report provides a summary of authentication or access failure activity within the environment for defined default accounts (list) and according to established AIE rules. | 1318 | 007-5 R4, 007-5 R5, 007 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit : Authentication Failure Audit : Access Failure | All Available Log Sources |
NERC-CIP: Default Act Auth/Accs Success Summary | This report provides a summary of authentication or access success activity within the environment for defined default accounts (list). | 1319 | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Log Mart | No | Audit : Authentication Success Audit : Access Success | NERC-CIP: BES Cyber Systems NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Default Act Management Summary | This report provides a summary of user access management activity within the environment for defined default accounts (list). | 1320 | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Account Created Audit: Account Deleted Audit: Account Modified | NERC-CIP: BES Cyber Systems NERC-CIP: Electronic Security Perimeter |
NERC-CIP: ESP Network Allowed Egress Summary | This report provides a summary of allowed protocol communication by impacted host which is outbound to the electronic security perimeter. | 1325 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 005-5 R1, 005-5 R2 | Event Manager | No | Operations : Network Allow | All Available Log Sources |
NERC-CIP: ESP Network Allowed Ingress Summary | This report provides a summary of allowed protocol communication by impacted host which is outbound to the electronic security perimeter. | 1326 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 005-5 R1, 005-5 R2 | Event Manager | No | Operations : Network Allow | All Available Log Sources |
NERC-CIP: ESP Network Denied Egress Summary | This report provides a summary of denied protocol communication by impacted host which is outbound to the electronic security perimeter. | 1323 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 005-5 R1, 005-5 R2 | Event Manager | No | Operations : Network Deny | All Available Log Sources |
NERC-CIP: ESP Network Denied Ingress Summary | This report provides a summary of denied protocol communication by impacted host which is inbound to the electronic security perimeter. | 1324 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 005-5 R1, 005-5 R2 | Event Manager | No | Operations : Network Deny | All Available Log Sources |
NERC-CIP: Failed File Access (Linux) | This report provides summary information for any access attempt failure within a Linux-based file system. Customized auditing within Linux should be established to log these events. | 1298 | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4, 005-5 R1 | Event Manager | N/A | Audit : Access Failure | NERC-CIP: BES Cyber Systems |
NERC-CIP: Failed File Access (Windows) | This report provides summary information for any access attempt failure within a Windows-based file system. Customized auditing within Windows should be established to log these events. | 1299 | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4, 005-5 R1 | Event Manager | N/A | Audit : Access Failure | NERC-CIP: BES Cyber Systems |
NERC-CIP: Files Deleted by Admin | This report provides a summary of mass file deletions executed by an Admin account. This is based on the configured AIE rule. | 1360 | N/A | 011-1 R1 | Event Manager | Yes | Security : Suspicious | All Available Log Sources |
NERC-CIP: Group/Role Created Summary | This report provides a summary of group/role created by group within the organization infrastructure. | 1357 | N/A | 011-1 R1 | Log Mart | Yes | Audit : Account Created | NERC-CIP: All Log Sources |
NERC-CIP: Group/Role Deleted Summary | This report provides a summary of group/role deleted by group within the organization infrastructure. | 1358 | N/A | 011-1 R1 | Log Mart | Yes | Audit : Account Deleted | NERC-CIP: All Log Sources |
NERC-CIP: Group/Role Modified Summary | This report provides a summary of group/role name/attribute modified by group within the organization infrastructure. | 1359 | N/A | 011-1 R1 | Log Mart | Yes | Audit : Account Modified | NERC-CIP: All Log Sources |
NERC-CIP: Host Authentication Success Summary | This report provides summary information for any authentication success across the environment. | 1300 | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4, 005-5 R1 | Log Mart | No | Audit : Authentication Success | NERC-CIP: BES Cyber Systems NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Int Acct Created, Used, Deleted | This report provides summary information for any instance where an internal account is created, used and then deleted. This is driven by configured AIE rule(s). | 1339 | 005-5 R1, 007-5 R4, 007-5 R5 | 007-5 R3, 008-5 R1, 008-5 R3, 008-5 R3, 007-5 R4, 04-5 R4 | Event Manager | Yes | Security : Suspicious | All Available Log Sources |
NERC-CIP: Malware Detected Summary | This report provides summary information when malware is detected in the environment and is based on the configured AIE rule. | 1337 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 0085 R2, 008-5 R3, 007-5 R4 | Event Manager | Yes | Security : Malware | All Available Log Sources |
NERC-CIP: Non-encrypted protocol | This report provides a summary of non-encrypted protocols seen on the network grouped by Impacted Application. | 1321 | N/A | 005-5 R1, 005-5 R2, 011-1 R1 | Log Manager | Yes | Audit | NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Object Creation/Disposal Summary | This report provides a summary of object creations, deletions, and removals within the BES Cyber Systems. | 1354 | N/A | 011-1 R1 | Log Manager | No | Audit : Access Success | NERC-CIP: BES Cyber Systems |
NERC-CIP: Password Modified Summary | This report provides a summary of passwords modified by account within the organization infrastructure. | 1344 | N/A | 004-5 R5, 007 R5 | Event Manager | No | Audit : Account Modified | NERC-CIP: All Log Sources |
NERC-CIP: Patches or Signatures Updated Summary | This report provides a summary of applied patches grouped by Origin Host. It can demonstrate that all system components have the latest security patches installed. | 1329 | 007-5 R4 | 007-5 R3, 007-5 R4, 007-5 R2, 010-1 R1, 010-1 R2, 010-1 R3 | Log Manager | No | Audit : Configuration | NERC-CIP: All Log Sources |
NERC-CIP: Physical Access Summary | This report summarizes physical door access success, failures and suspicious door activity within the organization's physical security perimeter. | 1295 | 007-5 R4, 007-5 R5, 004-5 R5, 006-5 R1 | 007-5 R4, 004-5 R4, 004-5 R5, 006-5 R2 | Event Manager | No | Audit : Access Success Audit : Authentication Success Audit : Access Failure Audit : Authentication Failure | NERC-CIP: Physical Security Perimeter |
NERC-CIP: Port Misuse Summary | This report provides a summary of network traffic that connects over non-standard ports. This is based on configured AIE rules. | 1361 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 005-5 R1, 005-5 R2 | Event Manager | Yes | Security : Suspicious | All Available Log Sources |
NERC-CIP: Priv Act Auth/Accs Failure Summary | This report provides a summary of authentication or access failure activity within the environment for defined privileged accounts (list) and according to established AIE rules. | 1309 | 007-5 R4, 007-5 R5, 007 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit : Authentication Failure Audit : Access Failure | All Available Log Sources |
NERC-CIP: Priv Act Auth/Accs Success Summary | This report provides a summary of authentication or access success activity within the environment for defined privileged accounts (list). | 1310 | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Log Mart | Yes | Audit : Authentication Success Audit : Access Success | NERC-CIP: BES Cyber Systems NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Priv Act Management Summary | This report provides a summary of user access management activity within the environment for defined privileged accounts (list). | 1311 | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Account Created Audit: Account Deleted Audit: Account Modified | NERC-CIP: BES Cyber Systems NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Priv Group Access Granted Summary | This report summarizes access granted to privileged groups (administrators, dnsadmins, domain admins, enterprise admins, schema admins) by Group. This is based on a configured AIE Rule. | 1297 | 007-5 R4, 007-5 R5 | 007- R4, 004-5 R4, 011-1 R1 | Event Manager | Yes | Audit : Access Granted | All Available Log Sources |
NERC-CIP: Rogue WAP Detected Summary | This report provides a summary of detected rogue access points across the environment. | 1327 | 005-5 R1 | 005-5 R1, 005-5 R2 | Event Manager | Yes | Security : Suspicious | All Available Log Sources |
NERC-CIP: Security Events Exec Summary | This report summarizes detected security relevant events by Entity and Impacted Host. | 1336 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 0085 R2, 008-5 R3, 007-5 R4 | Log Mart | N/A | Security | NERC-CIP: All Log Sources |
NERC-CIP: Security Failure Exec Summary | This report provides a summary of security failure events (failed activity, failed attack, failed compromise, failed denial of service, failed malware, failed misuse, and failed suspicious) by Entity. | 1335 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 0085 R2, 008-5 R3, 007-5 R4 | Log Manager | N/A | Security | NERC-CIP: All Log Sources |
NERC-CIP: Shared Act Auth/Accs Failure Summary | This report provides a summary of authentication or access failure activity within the environment for defined shared accounts (list) and according to established AIE rules. | 1312 | 007-5 R4, 007-5 R5, 007 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit : Authentication Failure Audit : Access Failure | All Available Log Sources |
NERC-CIP: Shared Act Auth/Accs Success Summary | This report provides a summary of authentication or access success activity within the environment for defined shared accounts (list). | 1313 | 007-5 R4, 007-5 R5 | 004-5 R4, 007-5 R4 | Log Mart | No | Audit : Authentication Success Audit : Access Success | NERC-CIP: BES Cyber Systems NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Shared Act Management Summary | This report provides a summary of user access management activity within the environment for defined shared accounts (list). | 1314 | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Log Mart | Yes | Audit: Account Created Audit: Account Deleted Audit: Account Modified | NERC-CIP: BES Cyber Systems NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Software Installation Summary | This report provides summary information around any software installation activity across the environment and is based on the configured AIE rule. | 1348 | N/A | 010-1 R1, 010-1 R2, 010-1 R3 | Event Manager | Yes | Audit : Configuration | All Available Log Sources |
NERC-CIP: Software Status Change After Attack | This report provides summary information relating to any software installs or uninstalls, after an attack or vulnerability is identified by a vulnerability scanning system. | 1351 | N/A | 010-1 R1, 010-1 R2, 010-1 R3 | Event Manager | Yes | Security : Attack | All Available Log Sources |
NERC-CIP: Status Change of Dvc Connected to Host | This report provides summary information around any device attached to a host, and uses a custom base rule to look for kernel syslog messages that indicate a USB device attachment. | 1343 | 007-5 R4, 005-5 R1 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 010-1 R1, 010-1 R2, 010-1 R3, 011-1 R1 | Event Manager | Yes | Operations : Other Operations | NERC-CIP: All Log Sources |
NERC-CIP: Suspicious Activity Summary | This report provides a summary of suspicious activity by entity and impacted host within the organization infrastructure. | 1301 | 005-5 R1, 007-5 R4, 007-5 R5 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 004-5 R4 | Log Mart | Yes | Security : Suspicious | NERC-CIP: BES Cyber Systems NERC-CIP: Electronic Security Perimeter |
NERC-CIP: System Critical/Error Status Summary | This report summarizes critical and error conditions for production servers and network infrastructure devices (all log sources). | 1322 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-4 R4, 005-5 R1, 005-5 R2 | Log Mart | Yes | Operations : Critical Operations : Error | NERC-CIP: All Log Sources |
NERC-CIP: System File Permission Change (Linux) | This report provides summary information for any permission changes within a Linux-based file system. Customized auditing within Linux should be established to log these events. | 1355 | N/A | 011-1 R1 | Log Manager | No | Audit : Access Granted | NERC-CIP: All Log Sources |
NERC-CIP: System File Permission Change (Windows) | This report provides summary information for any permission changes within a Windows-based file system. Customized auditing within Windows should be established to log these events. | 1356 | N/A | 011-1 R1 | Log Manager | No | Audit : Access Granted | NERC-CIP: All Log Sources |
NERC-CIP: System Time Change After Attack | This report provides summary information for any instance where a system time change takes place on a host after a compromise on that same host. | 1352 | N/A | 010-1 R1, 010-1 R2, 010-1 R3 | Event Manager | Yes | Security : Attack | All Available Log Sources |
NERC-CIP: Term Act Auth/Accs Failure Summary | This report provides a summary of authentication or access failure activity within the environment for defined terminated accounts (list) and according to established AIE rules. | 1315 | 007-5 R4, 007-5 R5, 007 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit : Authentication Failure Audit : Access Failure | All Available Log Sources |
NERC-CIP: Term Act Auth/Accs Success Summary | This report provides a summary of authentication or access success activity within the environment for defined terminated accounts (list). | 1316 | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Log Mart | Yes | Audit : Authentication Success Audit : Access Success | NERC-CIP: BES Cyber Systems NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Term Act Management Summary | This report provides a summary of user access management activity within the environment for defined terminated accounts (list). | 1317 | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Account Created Audit: Account Deleted Audit: Account Modified | NERC-CIP: BES Cyber Systems NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Top Attacker Summary | This report lists all attackers ordered by the number of events detected highest to lowest. | 1334 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 0085 R2, 008-5 R3, 007-5 R4 | Log Mart | N/A | Security : Attack | NERC-CIP: All Log Sources |
NERC-CIP: Top Suspicious Login Summary | This report summarizes security activity (activity, attack, compromise, denial of service, failed activity, failed attack, failed denial of service, failed malware, failed misuse, failed suspicious, malware, misuse, reconnaissance, suspicious, vulnerability) by Origin Login. | 1333 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 0085 R2, 008-5 R3, 007-5 R4 | Log Manager | N/A | Security : Suspicious | NERC-CIP: All Log Sources |
NERC-CIP: Top Targeted Application Summary | This report summarizes security activity (activity, attack, compromise, denial of service, failed activity, failed attack, failed denial of service, failed malware, failed misuse, failed suspicious, malware, misuse, reconnaissance, suspicious, vulnerability) by impacted application within the organization infrastructure. | 1332 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 0085 R2, 008-5 R3, 007-5 R4 | Log Manager | N/A | Security | NERC-CIP: All Log Sources |
NERC-CIP: Top Targeted Assets Summary | This report summarizes security activity (activity, attack, compromise, denial of service, failed activity, failed attack, failed denial of service, failed malware, failed misuse, failed suspicious, malware, misuse, reconnaissance, suspicious, vulnerability) by impacted host within the organization infrastructure. | 1331 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 0085 R2, 008-5 R3, 007-5 R4 | Log Manager | N/A | Security | NERC-CIP: All Log Sources |
NERC-CIP: Vendor Act Auth/Accs Failure Summary | This report provides a summary of vendor account authentication/access failure activity (failed/object/access/add/close/create/delete/download/execute/initialize/modify/move/read/rename/remove and login failure) by Origin Login. This is based on configuration of an AIE rule. | 1306 | 007-5 R4, 007-5 R5, 007 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit : Authentication Failure Audit : Access Failure | All Available Log Sources |
NERC-CIP: Vendor Act Auth/Accs Success Summary | This report provides a summary of authentication or access success activity within the environment for defined Vendor accounts (list). | 1307 | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Log Mart | No | Audit : Authentication Success Audit : Access Success | NERC-CIP: BES Cyber Systems NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Vendor Act Management Summary | This report provides summary information of vendor account management activity (account deleted and account modified) by account. | 1308 | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit: Account Created Audit: Account Deleted Audit: Account Modified | NERC-CIP: BES Cyber Systems NERC-CIP: Electronic Security Perimeter |
NERC-CIP: VPN Node Registration Failure (Auth) | This report provides summary information on unsuccessful node registration resulting in a failed VPN connection attempt into the boundary. This is analyzed against an authorized VPN user list to distinguish un-authorized vs. authorized VPN authentication failures. | 1304 | N/A | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit : Authentication Failure | NERC-CIP: Electronic Security Perimeter |
NERC-CIP: VPN Node Registration Failure (un-Auth) | This report provides summary information on unsuccessful node registration resulting in a failed VPN connection attempt into the boundary. This is analyzed against an authorized VPN user list to distinguish un-authorized vs. authorized VPN authentication failures. | 1305 | N/A | 007-5 R4, 004-5 R4 | Event Manager | Yes | Audit : Authentication Failure | NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Vulnerability Detected Summary | This report provides a summary of potential vulnerabilities detected across the environment and is based on the configured AIE rule. | 1330 | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 010-1 R3 | Event Manager | Yes | Security : Vulnerability | All Available Log Sources |
NERC-CIP: Windows Firewall Change Summary | This report provides summary information around Windows firewall changes that occur after an attack has happened. This is configured to report on enabled AIE rules. | 1353 | N/A | 010-1 R1, 010-1 R2, 010-1 R3 | Event Manager | No | Audit : Configuration | All Available Log Sources |