This guide is intended for the designated LogRhythm administrators within your organization.
This guide assumes the following:
- The NERC-CIP Compliance Automation Suite has been imported, the AI Engine (AIE) rules you intend to use are enabled, and the network entity structure has been configured.
- Log sources from the systems that make up or enforce your Electronic Security Perimeters (firewalls, EAPs, intermediate systems), your BES Cyber Assets, and your Physical Security Perimeters (access control and alarm systems) have been configured for collection by LogRhythm. The perimeters themselves are not log sources; the devices that implement them are.
- The network entity structure distinguishes High-, Medium-, and Low-Impact BES Cyber Assets, since the rules and reports rely on that classification. Contact LogRhythm support for guidance on establishing entity structure within your deployment. The impact-rating criteria are defined by NERC in CIP-002 Attachment 1.
- To use the rules and reports that monitor specific users or groups, the seven (7) NERC-CIP lists have been populated with the default privileged groups, authorized VPN accounts, vendor accounts, terminated accounts, privileged accounts, default accounts, and shared accounts your organization wishes to monitor. These lists drive the detections: an account missing from the terminated-accounts list, for example, will not raise an alarm when it is used. Updating the lists is therefore not a one-time step and should be built into your existing periodic account reviews so that each review also refreshes the corresponding list.