
NERC User Guide – Reports and Reporting Packages


Attack Detected Summary

The Attack Detected Summary report (#1338) returns a summary of attacks against an organization’s environment as determined by the enabled AIE rules. This report contains details about the attacks that help reduce detection time and facilitate a faster response by security and operations personnel. This is a key factor for success in protecting the organization’s environment.

Internal Account Created, Used and Deleted

The Int Acct Created, Used, Deleted report (#1339) is based on a configured AIE rule that looks to capture summary information when an internal account is created, used and deleted on the same hosts. These activities could be indicative of malicious activity that may require further investigation.
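
The kind of correlation this report summarizes, sketched as an added Python example (it is not the AIE rule itself or code from this guide). The event tuples, host and account names, action labels and the 24-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, host, account, action)
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "hmi-01", "svc_tmp", "created"),
    ("2024-05-01T10:05:00", "hmi-01", "svc_tmp", "logon"),
    ("2024-05-01T10:20:00", "hmi-01", "svc_tmp", "deleted"),
    ("2024-05-01T11:00:00", "eng-02", "jdoe", "created"),
    ("2024-05-01T11:10:00", "eng-02", "jdoe", "logon"),        # never deleted
    ("2024-05-01T12:00:00", "hist-03", "backup2", "created"),
    ("2024-05-01T12:30:00", "hmi-01", "backup2", "logon"),     # used on another host
    ("2024-05-01T12:45:00", "hist-03", "backup2", "deleted"),
    ("2024-05-01T13:00:00", "eng-02", "old_admin", "logon"),   # creation not observed
    ("2024-05-01T13:05:00", "eng-02", "old_admin", "deleted"),
]

WINDOW = timedelta(hours=24)  # assumed correlation window, not from the guide


def find_short_lived_accounts(events, window=WINDOW):
    """Return (host, account, created, deleted) for every account that was
    created, used and deleted on the same host, in that order, within window."""
    state = {}  # (host, account) -> {"created": datetime, "used": bool}
    hits = []
    for ts_text, host, account, action in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        key = (host, account)
        if action == "created":
            state[key] = {"created": ts, "used": False}
        elif key in state and ts - state[key]["created"] <= window:
            if action == "logon":
                state[key]["used"] = True
            elif action == "deleted":
                entry = state.pop(key)
                if entry["used"]:  # creation and use were both seen on this host
                    hits.append((host, account, entry["created"], ts))
        elif action == "deleted":
            state.pop(key, None)  # deleted outside the window: stop tracking
    return hits


if __name__ == "__main__":
    for host, account, created, deleted in find_short_lived_accounts(SAMPLE_EVENTS):
        print(f"{host}: {account} created {created}, used, deleted {deleted}")
```

Only svc_tmp on hmi-01 matches; the other accounts each miss one of the three stages on the same host.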

Patches or Signatures Updated Summary

The Patches or Signatures Updated Summary report (#1329) provides summary information about successful and failed installations of patches or signature updates. This report supports the effort to ensure that the latest security components are applied to all log sources in the environment.

Top Targeted Assets, Top Targeted Applications, Top Suspicious Logins, Top Attacker Summaries

The “Top” reports (#1331/1332/1333/1334) are designed to assist organizations in identifying areas at risk for malware intrusion, thereby enabling a more proactive approach to protecting your cyber security assets and supplementing NERC-CIP control objectives. These reports cover various layers of your infrastructure, including critical applications and hosts, security operations, audits, and executive personnel within your organization.

Knowledge Base Content

| ID | Name |
|------|------|
| 1338 | NERC-CIP: Attack Detected Summary |
| 1339 | NERC-CIP: Int Acct Created, Used, Deleted |
| 1329 | NERC-CIP: Patches or Signatures Updated Summary |
| 1331 | NERC-CIP: Top Targeted Assets Summary |
| 1332 | NERC-CIP: Top Targeted Application Summary |
| 1333 | NERC-CIP: Top Suspicious Login Summary |
| 1334 | NERC-CIP: Top Attacker Summary |

Components

Components reports can cover all log sources in your environment but are primarily intended for logs from anti-malware systems, servers, workstations, security enforcing devices, file integrity monitors, VPN devices, backup monitoring, access control systems, remote authentication devices, and vulnerability detection systems. When configured properly, detected attacks are processed and included in the various reports contained within the compliance module. This provides a sound platform to continuously monitor and improve both compliance and cyber security programs. Further, as systems and other IT assets are grouped by impact (entity structure), this grouping is captured in each report to indicate where top-priority events occur.

How to Use Reports

Reports provide additional data to supplement AIE alerts and notifications about potential and known malicious activity. You can supplement these reports with details gathered from deep-dive investigations for a better understanding of the threats against your organization’s environment.
