
Micro Focus Security

ArcSight Logger CIP for NERC


Software Version: 1.01

Solutions Guide

Document Release Date: June, 2018


Software Release Date: June, 2018

Micro Focus Logger CIP for NERC (1.01) Page 1 of 60



Legal Notices
Warranty
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set
forth in the express warranty statements accompanying such products and services. Nothing herein should be
construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or
omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend


Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is
required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software,
Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government
under vendor's standard commercial license.

Copyright Notice
© Copyright 2018 Micro Focus or one of its affiliates.

Trademark Notices
Adobe™ is a trademark of Adobe Systems Incorporated.
Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.
UNIX® is a registered trademark of The Open Group.

Support
Contact Information
Phone: A list of phone numbers is available on the Technical Support Page:
https://softwaresupport.softwaregrp.com/support-contact-information

Support Web Site: https://softwaresupport.softwaregrp.com/

ArcSight Product Documentation: https://community.softwaregrp.com/t5/ArcSight-Product-Documentation/ct-p/productdocs


Contents
Chapter 1: Overview 4
NERC Architecture 5
Chapter 2: Processing Events 6
Configuring NERC 6
Classifying NERC-Related Devices in a Device Group 6
Limiting the Events Processed 7
Creating a Filter to Limit Events Processed 8
Limiting Events Processed by Alerts 9
Limiting Events Processed by Saved Searches 10
Limiting Events Processed by Reports 10
Chapter 3: Installation & Uninstallation 12
Chapter 4: Configuring Reports 15
NERC Reports 25
Chapter 5: Configuring Alerts 41
NERC Alerts 42
Chapter 6: NERC Resources 49
Alerts 49
Queries 49
Dashboards 49
Reports 49
Chapter 7: NERC Dashboards 51
Chapter 8: Additional Information 58
Queries 58
Filters 58
Fieldset 58

Send Documentation Feedback 60



Chapter 1: Overview
The 2005 US Energy Policy Act (EPAct) legislated that an Electric Reliability
Organization (ERO) be created to establish and enforce reliability standards for the bulk
power system, due to the following factors:
- Potential vulnerabilities to a cyber attack on North American electric utility systems.
- Potential for computer systems to play a role in power disturbances.
- Concern that a cyber attack or computer system failure could cause a widespread
  power outage.
- Increased public awareness about the risks associated with the bulk power system.
In 2006, the Federal Energy Regulatory Commission approved the North American
Electric Reliability Corporation (NERC) as the Electric Reliability Organization (ERO).
The mission of NERC is to ensure the reliability of the bulk power system in North
America. NERC defines a set of Critical Infrastructure Protection (CIP) standards to help
ensure the protection of electric utility operations and cyber assets.

ArcSight Logger CIP for NERC

ArcSight Logger Compliance Insight Package (CIP) for NERC facilitates compliance with
the NERC V5 standard using Logger's reporting, alerting, and dashboarding capabilities.
Logger CIP for NERC addresses the NERC standard by providing:
- Detailed reports which cover the 10 NERC Critical Infrastructure Protection standards.
- Alerts that monitor incoming events in real time and notify NERC analysts when events
  of interest are detected.
- Dashboards which show a detailed overview of the NERC requirements.
The Logger Compliance Insight Package for NERC helps demonstrate the following to
stakeholders and auditors:
- Implementation of NERC controls for your company.
- Due diligence in complying with NERC standards, as well as security policies and best
  practices.
- Real-time monitoring and notification of potentially hazardous events, harmful user
  activity, network vulnerabilities, and configuration changes on critical BES cyber
  assets.
- Reporting that shows compliance to NERC CIP standards.
- Graphic tools to display security events, which enable analysts to quickly analyze
  situations.


NERC CIP Standards Addressed

The Logger Compliance Insight Package for NERC addresses the following
NERC Critical Infrastructure Protection standards:

CIP #   Title                                                                CIP Version
002     Cyber Security: BES Cyber System Categorization                      5.1
004     Cyber Security: Personnel & Training                                 6
005     Cyber Security: Electronic Security Perimeter(s)                     5
006     Cyber Security: Physical Security of BES Cyber Systems               6
007     Cyber Security: System Security Management                           6
008     Cyber Security: Incident Reporting and Response Planning             5
009     Cyber Security: Recovery Plans for BES Cyber Systems                 6
010     Cyber Security: Configuration Change Management and Vulnerability    2
011     Cyber Security: Information Protection                               2

Reports, alerts, and dashboards for each standard are discussed in detail in the following
sections.

NERC Architecture
NERC operates on events in Common Event Format (CEF), an industry standard for the
interoperability of event- or log-generating devices. CEF events can come from a device
that is already configured to post events in CEF, or they can come from any network
device whose events are first run through an ArcSight SmartConnector. NERC devices
that are not already CEF-ready must therefore be run through an ArcSight
SmartConnector before their events reach Logger.
For more information about CEF events and how they are used, see the ArcSight Logger
Administrator's Guide.



Chapter 2: Processing Events
NERC reports and saved searches process all events received by the Logger and no
configuration is required.
NERC alerts are configured to process all events except events that are stored in the
Internal Event Storage Group. Some alerts require configuration with site-specific
information; for details, see "NERC Alerts" on page 42.
If only some of your devices are subject to NERC compliance, you can limit the events
processed by reports, alerts, and saved searches. For more information, see "Limiting
the Events Processed" on the next page.

Configuring NERC
These topics describe how to configure NERC to work in your environment.

Classifying NERC-Related Devices in a Device Group

If you plan on using a Device Group to limit the events processed by reports, alerts, and
saved searches, create an NERC device group and classify the NERC-related devices
into it as described in the following procedure. After the NERC-related devices are
categorized, you can use the device group to focus alerts and reports. For example,
you can create a filter that only returns events from devices listed in the NERC Device
Group and then configure alerts and reports to use that filter to limit the events
processed.

To classify NERC-related devices into an NERC Device Group:
1. Select Configuration on the top-level menu bar, and then click Device Groups in the
Data section.
2. Click Add.
3. In the Name field, enter a name for the new device group, such as NERC.
4. In the Devices field, click to select devices from the list. To add additional devices to
the selection, press and hold the Ctrl key when selecting more devices.
5. Click Save to create the new Device Group.
6. Create a filter to limit the events processed, as described in "Creating a Filter to Limit
Events Processed" on page 8.


For more about device groups, see the ArcSight Logger Administrator's Guide.

Limiting the Events Processed

If only some of your devices are subject to NERC compliance, you can limit the events
processed by the reports, alerts, and saved searches to improve Logger system
performance and report more accurate and NERC-relevant information.
You can limit the events processed in one or more of the following ways, depending on
how your environment is set up and how you want to organize your VPN Monitoring
Content Package for Logger compliance program.
- Create an NERC-specific device group and only process events from devices in that
  group.
- Use an NERC-related storage group to limit the events processed by the
  VPN Monitoring Content Package for Logger reports, alerts, and saved searches. This
  is only appropriate if an additional storage group (in addition to the Default Storage and
  Internal Event storage groups) was created during the Logger initialization process.
  Note that after the Logger initializes, you cannot allocate additional storage groups.
  For details, see the ArcSight Logger Administrator's Guide.
- Process events from specified devices only.

Tip: Reducing the amount of data a resource has to process improves performance.
If only a small subset of the overall data feeding into Logger is subject to
VPN Monitoring Content Package for Logger compliance, using a different storage
group to store events from NERC-related devices yields the best performance
results.

To limit the events processed by the NERC reports, alerts, and saved searches,
implement one or more of these limiting strategies by following the configuration steps
provided in the following sections.
- Classify NERC-related devices in a NERC device group. See "Classifying NERC-
  Related Devices in a Device Group" on the previous page.
- Create a NERC filter that constrains the events processed by the alerts and reports.
  See "Creating a Filter to Limit Events Processed" on the next page.
- Limit the events that an alert processes by either applying the NERC filter to the alert
  or adding the condition directly to the alert. See "Limiting Events Processed by Alerts"
  on page 9.
- Apply the NERC filter to the entire NERC report category or specify it at report run time.
  See "Limiting Events Processed by Reports" on page 10.
- Focus a saved search on NERC-related events only. See "Limiting Events Processed
  by Saved Searches" on page 10.


Creating a Filter to Limit Events Processed

You can create a filter that identifies the NERC-related events for your environment, and
use the filter to limit the events processed by NERC alerts and reports. A filter can limit
events as follows:
- Using an NERC-related device group: Only those events from devices listed in the
  device group are processed.
- Using an NERC-related storage group: Only those events stored in the specified
  storage group are processed.
- By specific devices: Only events from specific devices are processed.
For example, you can create any of the following filters:
- A filter called NERC Device Group Filter which returns events from devices
  categorized as VPN Monitoring Content Package for Logger devices.
- A filter called NERC Storage Group Filter which returns events that are stored in a
  designated storage group.
- A filter called NERC Devices Filter which returns events from specified devices.
- A filter called NERC Storage Group and Devices Filter that returns events stored in a
  designated storage group (such as an NERC Storage Group) or from a set of specific
  devices.

To create a filter:
1. Select Configuration on the top-level menu bar, and then click Filters in the Search
   section.
2. Click Add.
3. In the Add Filter page, enter the following information:
   Name: Enter a name for the filter that identifies it with NERC and identifies the purpose
   of the filter, such as NERC Device Group Filter, NERC Storage Group Filter, or NERC
   Devices Filter.
   Type: From the menu, select Search Group.
   A filter of type Search Group can be used by reports to constrain events.
   A filter of type Regex can be used by alerts to constrain events.
   A filter of type Unified can be used by saved searches to constrain events.
4. In the Query field, construct a query, using one of the following options:
   - In the Query field, directly enter a regular expression, for example:
     storageGroup(Default Storage Group)|deviceGroup(NERC Device Group)


   - Use the Constrain search by dialog: Select the icon. In the Constrain search by
     dialog, select from one of the following options:
     - Focus alerts to only process events from devices listed in the device group: Click
       Device Groups. Select a device group from the list and click Submit.
     - Focus alerts to only process events saved in a designated storage group: Click
       Storage Groups. Select a storage group from the list and click Submit.
     - Focus the alerts to only process events from individual devices subject to
       VPN Monitoring Content Package for Logger compliance: Select devices from
       the lists and click Submit. To select more than one device, press and hold the Ctrl
       key while selecting more devices.
5. Click Save.
6. Use the filter you created to limit the events processed by reports. See "Limiting
   Events Processed by Reports" on the next page.
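To make the filter semantics concrete, here is a small Python model, added here and not part of the guide or of Logger itself, of how a constraint such as storageGroup(...)|deviceGroup(...) narrows the events that reach NERC alerts and reports. It reads `|` as OR, takes device identity from the CEF dvc= extension, and uses a constructed device group and constructed CEF events; all of these are assumptions of the model, not documented Logger behaviour.

```python
import re

# Constructed sample events (not from the guide). Each entry pairs the Logger
# storage group an event was written to with a minimal CEF line:
#   CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
# The dvc= extension carries the device address; escaped pipes are not handled.
SAMPLE_EVENTS = [
    ("Default Storage Group", "CEF:0|Siemens|RTU|1.0|100|Config change|5|dvc=10.1.1.10 act=modify"),
    ("NERC Storage Group", "CEF:0|Cisco|ASA|9.1|106023|Deny tcp|3|src=10.9.9.9 dvc=10.1.1.20"),
    ("Default Storage Group", "CEF:0|Microsoft|Windows|10|4625|Logon failed|4|dvc=10.2.0.5 suser=bob"),
    ("NERC Storage Group", "CEF:0|Schneider|SCADA|2.3|7|Alarm|6|dvc=10.1.1.30"),
]

# Hypothetical device group, as created in "Classifying NERC-Related Devices".
DEVICE_GROUPS = {"NERC Device Group": {"10.1.1.10", "10.1.1.20", "10.1.1.30"}}

# One constraint term: storageGroup(...), deviceGroup(...) or device(...).
TERM_RE = re.compile(r"(storageGroup|deviceGroup|device)\(([^)]*)\)")


def parse_cef_device(line):
    """Return the dvc= address of a CEF line, raising on malformed input."""
    fields = line.split("|", 7)
    if len(fields) != 8 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    match = re.search(r"(?:^|\s)dvc=(\S+)", fields[7])
    if match is None:
        raise ValueError("no dvc= extension in: %r" % line)
    return match.group(1)


def parse_constraint(text):
    """Split 'kind(value)|kind(value)' into (kind, value) terms; '|' is read as OR."""
    terms = TERM_RE.findall(text)
    leftover = TERM_RE.sub("", text).replace("|", "").strip()
    if not terms or leftover:
        raise ValueError("unrecognised constraint syntax: %r" % text)
    return [(kind, value.strip()) for kind, value in terms]


def event_matches(storage_group, device, terms, device_groups):
    """True when any term admits the event (terms are ORed together)."""
    for kind, value in terms:
        if kind == "storageGroup" and storage_group == value:
            return True
        if kind == "deviceGroup":
            if value not in device_groups:
                raise KeyError("unknown device group: %r" % value)
            if device in device_groups[value]:
                return True
        if kind == "device" and device == value:
            return True
    return False


def limit_events(events, constraint, device_groups=DEVICE_GROUPS):
    """Return the CEF lines that a filter with this constraint would pass on."""
    terms = parse_constraint(constraint)
    return [line for storage_group, line in events
            if event_matches(storage_group, parse_cef_device(line), terms, device_groups)]


if __name__ == "__main__":
    # The guide's step 4 example ORs the Default Storage Group with the NERC
    # device group, so it also passes the non-NERC Windows host in default storage.
    for constraint in ("deviceGroup(NERC Device Group)",
                       "storageGroup(Default Storage Group)|deviceGroup(NERC Device Group)"):
        print(constraint, "->", len(limit_events(SAMPLE_EVENTS, constraint)), "events")
```

Running it shows that the step 4 example, which ORs the Default Storage Group with the NERC device group, passes every event in default storage, including hosts outside the NERC device group; a filter meant to narrow to NERC devices should use the device group or the NERC storage group on its own.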

Limiting Events Processed by Alerts

To limit the events that an alert processes, either add a filter or add a Query Term to the
alert.

Note: You can enable a maximum of 25 alerts on Logger at one time. Configure only
the alerts that you plan to enable.

To add a filter to the alert:
1. Select Configuration on the top-level menu bar, and then click Realtime Alerts in the
   Data section.
2. Click Add.
3. In the Filters field, select the filter you created in "Creating a Filter to Limit Events
   Processed" on the previous page that limits the events processed by the alert.
4. Click Save.

To add a Query Term to the alert:
1. Select Configuration on the top-level menu bar, and then click Realtime Alerts in the
   Data section.
2. To edit the alert, click the NERC alert in the Name column.
3. On the top-level Query Term field, click the Add icon.
   A new empty Query Term displays.
4. In the new Query Terms field, add a condition to the alert, using one of the following
   methods:


   - In the Query Terms field, directly enter a regular expression, for example:
     storageGroup(Default Storage Group)|deviceGroup(NERCDeviceGroup)
   - Use the Constrain search by dialog. Select the icon and select from one of the
     following options in the Constrain search by dialog:
     - Focus alerts to only process events from devices listed in the device group: Click
       Device Groups. Select a device group from the list and click Submit.
     - Focus alerts to only process events saved in a designated storage group: Click
       Storage Groups. Select a storage group from the list and click Submit.
     - Focus the alerts to only process events from individual devices subject to NERC
       compliance: Select devices from the list and click Submit. To select more than
       one device, press and hold the Ctrl key while selecting more devices.
5. Click Save.

Limiting Events Processed by Saved Searches

To limit the events that a saved search processes, focus the saved search on NERC-
related events.

To limit events processed by a saved search:
1. Select Configuration from the top-level menu bar.
2. Click the Saved Searches tab.
3. To edit the saved search, click the NERC saved search in the Name column.
4. In the query section, click Advanced.
5. Do one or more of the following:
   - Focus Saved Searches to only process events from devices listed in the Device
     Group: Click Device Groups. Select a Device Group from the list and click Submit.
   - Focus Saved Searches to only process events saved in a designated Storage
     Group: Click Storage Groups. Select a Storage Group from the list and click Submit.
   - Focus the Saved Searches to only process events from individual devices subject to
     NERC compliance: Select devices from the list and click Submit. To select more than
     one device, press and hold the Ctrl key while selecting more devices.
6. When finished, click Save.

Limiting Events Processed by Reports

You can limit events processed by the NERC reports either with a filter, or at report
runtime.


To limit the events using a filter:
1. Select Report > Report Category filters from the top-level menu bar.
2. On the Report Category Enforced Filter page, apply a report category (search
   group) filter to a whole report category.

To limit events at report runtime, run the report using the Run or Quick Run option. In
the Data section, under Devices, Device Groups, or Storage Groups, select the
appropriate constraint.
For more information about report category filters and scheduling reports, see the
ArcSight Logger Administrator's Guide.



Chapter 3: Installation & Uninstallation
You can install Logger CIP for NERC on a Logger Appliance or a Software Logger.

Installation
Follow the appropriate installation procedure below for your Logger type.

To install Logger CIP for NERC on the Logger Appliance L7700:

Download the Logger CIP for NERC .enc file (for example, ArcSight-
ComplianceInsightPackage-Logger-NERC.1.01.1538.0) to the computer where you
plan to log into the Logger user interface. Check the Release Notes for the exact version
of the file.
1. Log into the Logger user interface.
2. From the Logger top-level menu bar, click System Admin.
3. From the System section, select License & Update.
4. Click Browse to locate and open the .enc file you downloaded.
5. Click Upload Update. A dialog displays indicating that the update process might take
   some time.
6. Click OK. A message displays indicating that the update is progressing. After the
   contents of the .enc file are installed, another message displays indicating that the
   update is a success. The .enc file installs Logger CIP for NERC reports, saved
   searches, parameters, queries, dashboards, and alerts.

Should an "Installing Error" message appear in the Update in Progress window,
disregard it and proceed with the verification of content described next. If you cannot
verify the installation, contact support for assistance.

Verify that the content is installed, as follows:
- To view the installed alerts, click Configuration on the top-level menu bar, and then
  click Alerts in the Data section.
- To view the installed reports, click Reports on the top-level menu bar, and then click
  Report Explorer in the Navigation section. Click the arrow to the left of NERC to see
  the NERC report categories, and then click a category to see the list of reports.
- To view the installed dashboards, click Dashboards on the top-level menu and you
  should see NERC Dashboards.


To install Logger CIP for NERC on the Software Logger or Logger Appliance L8000:
1. Log into the system running the Software Logger or Logger Appliance L8000 with the
   same ID that you used to install the software version of Logger.
2. Download the Logger CIP for NERC .bin file (for example,
   ArcSight-ComplianceInsightPackage-Logger-NERC.x.x.nnnn.0.bin). Check the Release
   Notes for the exact version of the file.
3. Go to the directory that contains the .bin file.
4. Change the permissions of the .bin file to be executable:
   chmod +x ArcSight-ComplianceInsightPackage-Logger-NERC.x.x.nnnn.0.bin
5. Run the installer:
   ./ArcSight-ComplianceInsightPackage-Logger-NERC.x.x.nnnn.0.bin
6. Follow the instructions provided by the installer. When prompted to choose an
   installation folder, enter the same directory you specified when you installed the software
   Logger. For example, if when installing the Software Logger you specified the
   /opt/logger directory, specify /opt/logger as the installation folder. The .bin file installs
   the Logger CIP for NERC reports, parameters, queries, dashboards, and alerts.
Verify that the content is installed, as follows:
- To view the installed alerts, click Configuration on the top-level menu bar, and then
  click Realtime Alerts in the Data section.
- To view the installed reports, click Reports on the top-level menu bar, and then click
  Report Explorer in the Navigation section. Click the arrow to the left of NERC to see
  the NERC report categories, and then click a category to see the list of reports.
- To view the installed dashboards, click Dashboards on the top-level menu.

Uninstallation
To uninstall Logger CIP for NERC, you must delete each resource individually.

To delete the reports, queries, and parameters:
1. Delete each report, query, and parameter in the NERC report category:
a. From the Reports top-level menu bar, click Category Explorer from the
Navigation section.
b. Right click on NERC.
c. Click Delete.


To delete the alerts:
1. Delete each NERC alert individually:
   a. From the Configuration top-level menu bar, click Alerts from the Data section.
   b. For each NERC alert, click the Remove icon.
   c. In the confirmation dialog, click OK to complete the deletion.
To delete the dashboards:
1. Delete each NERC dashboard individually:
   a. From the Configuration top-level menu bar, click Dashboards.
   b. For each NERC dashboard, click Tools > Delete Dashboard.
   c. In the confirmation dialog, click OK to complete the deletion.
To delete saved searches:
1. Delete each NERC saved search individually:
   a. From the Configuration top-level menu bar, click Saved Searches from the
      Search section.
   b. For each NERC saved search, click the Remove icon.
   c. In the confirmation dialog, click OK to complete the deletion.



Chapter 4: Configuring Reports
Some reports require that you provide site-specific data, such as admin account names
and default ports.
The following table lists the ISO 27002 reports that require configuration. Each entry
gives the report name(s) followed by the required configuration.

Configuring ISO 27002 Reports

ISO 12 - Account Activity by User
  This report prompts you to supply values for the destinationUserName parameter.

ISO 12 - Administrative Actions - All Events
  This report prompts you to supply values for the deviceProduct, eventName, adminUsers,
  variable, DeviceEventClassId, and sourceDestUserName parameters.

ISO 12 - Administrative Actions by Event Name
  This report prompts you to supply values for the deviceProduct, adminUsers, and
  sourceDestUserName parameters.

ISO 12 - Administrative Actions by Product
  This report prompts you to supply values for the adminUsers and sourceDestUserName
  parameters.

ISO 12 - Changes to Development Network Machines
  This report prompts you to supply a value for the developmentNetwork parameter.

ISO 12 - Failed Administrative Logins per System - Detail
ISO 12 - Failed Administrative Logins per User - Detail
  These reports prompt you to supply values for the destinationAddress,
  destinationHostName, adminUsers, deviceProduct, and sourceDestUserName parameters.

ISO 12 - Administrative Actions by User
ISO 12 - Administrative Logins and Logouts
ISO 12 - Failed Administrative Logins by System
ISO 12 - Failed Administrative Logins by User
ISO 12 - Failed User Logins by System
ISO 12 - Successful Administrative Logins by System
ISO 12 - Successful Administrative Logins by User
ISO 12 - Successful User Logins by User Name
ISO 12 - Successful User Logins by System
ISO 9 - Privileged Account Changes
  These reports prompt you to supply values for the adminUsers parameter.

ISO 13 - Insecure Services
  Customize the list of insecure services listed in the associated query to reflect the
  devices used in your environment.

ISO 12 - Failed Administrative Logins per System - Summary
ISO 12 - Failed User Logins per System - Summary
ISO 12 - Successful Administrative Logins per System - Summary
ISO 12 - Successful User Logins per System - Summary
  These reports prompt you to supply values for the destinationAddress and adminUsers
  parameters.

ISO 12 - Failed Administrative Logins per User - Summary
  This report prompts you to supply values for the destinationAddress, adminUsers, and
  sourceDestUserName parameters.

ISO 12 - Failed User Logins per System - Detail
ISO 12 - Failed User Logins per User Name - Detail
ISO 12 - Successful Administrative Logins per System - Detail
ISO 12 - Successful Administrative Logins per User - Detail
ISO 12 - Successful User Logins per User Name - Detail
  These reports prompt you to supply values for the deviceProduct, destinationAddress,
  destinationHostName, adminUsers, and sourceDestUserName parameters.

ISO 12 - Failed User Logins per User Name - Summary
ISO 12 - Successful Administrative Logins per User - Summary
ISO 12 - Successful User Logins per User Name - Summary
  These reports prompt you to supply values for the destinationAddress, adminUsers, and
  sourceDestUserName parameters.

ISO 12 - File Changes in Production
  This report prompts you to supply a value for the productionNetwork parameter.

ISO 12 - Internet Activity per Device per Machine
ISO 12 - Internet Activity per Device per User
  Customize the list of ports in the associated query to reflect the internet ports accessed
  by users at your site.

ISO 12 - Successful User Logins per System - Detail
  This report prompts you to supply values for the deviceProduct, destinationAddress,
  destinationHostName, adminUsers, and sourceDestUserName parameters.

ISO 12 - Systems Accessed as Root or Administrator
  Customize the list of account names in the associated query to reflect any additional
  default administrator account names used by devices at your site.

ISO 13 - Traffic - Inbound on Disallowed Ports
  This report prompts you to supply values for the allowedPorts and internalNetwork
  parameters.

ISO 12 - User Actions - All Events
ISO 12 - User Actions by Event Name
  These reports prompt you to supply values for the deviceProduct, eventName, adminUsers,
  variable, DeviceEventClassId, and sourceUserUserName parameters.

ISO 12 - User Actions by Product
  This report prompts you to supply values for the deviceProduct and adminUsers
  parameters.

ISO 12 - User Actions by User Name and Product
  This report prompts you to supply values for the deviceProduct, adminUsers, variable,
  and sourceUserUserName parameters.

ISO 12 - Viruses per Host
ISO 12 - Virus Report - Detail
  These reports prompt you to supply values for the destinationAddress,
  destinationHostName, virusName, and eventPriority parameters.

ISO 9 - Database Privilege Violation
  This report prompts you to supply values for the databaseAdminUsers and
  databaseAdminAccounts parameters.

ISO 9 - Default Vendor Account Used
  Customize the list of default vendor accounts listed in the associated query to reflect
  the devices used in your environment.

ISO 13 - Development Network Not Segregated
ISO 13 - Production Network Not Segregated
ISO 13 - Test Network Not Segregated
  These reports prompt you to supply values for the productionNetwork, testingNetwork,
  and developmentNetwork parameters.

ISO 13 - Peer to Peer Ports Count
ISO 13 - Peer to Peer Sources by Machine - Detail
ISO 13 - Peer to Peer Sources by Machine - Overview
  Customize the associated query with any additional peer-to-peer destination ports.

ISO 13 - Services by Asset
ISO 9 - Traffic from External to Internal Protected Domain
ISO 8 - Network Active Assets
ISO 9 - Traffic from Internal to External Protected Domain
ISO 9 - Traffic - Inbound Count
ISO 16 - Attacks - Hourly Count
ISO 16 - Internal Reconnaissance - Top 20 Sources
ISO 16 - Attacks Targeting Internal Assets
ISO 16 - Internal Reconnaissance - Top 20 Events
ISO 16 - Internal Reconnaissance - Top 20 Targets
  These reports prompt you to supply values for the internalNetwork parameter.

ISO 6 - Suspicious Activity in Wireless Network
  This report prompts you to supply values for the wirelessNetwork parameter.

ISO 12 - Software Changes in Production
  This report prompts you to supply values for the productionNetwork parameter.

ISO 16 - Attacks - Development to Production
ISO 16 - Attacks - Production to Development
  These reports prompt you to supply values for the productionNetwork and
  developmentNetwork parameters.

ISO 6 - Administrative Logins and Logouts from Third-Party Hosts
ISO 6 - Administrative Logins and Logouts to Third-Party Hosts
ISO 6 - Failed Admin Logins from Third-Party Systems
ISO 6 - Failed Admin Logins to Third-Party Systems
  These reports prompt you to supply values for the adminUsers and thirdPartyNetwork
  parameters.

ISO 6 - Attacks from Third-Party Systems
ISO 6 - Attacks on Third-Party Systems
ISO 6 - Compromised Third-Party Systems
ISO 6 - Failed User Logins from Third-Party Systems
ISO 6 - Failed User Logins to Third-Party Systems
ISO 6 - File Activity on Third-Party Systems
ISO 6 - File Creations on Third-Party Systems
ISO 6 - File Deletions on Third-Party Systems
ISO 6 - File Modifications on Third-Party Systems
ISO 6 - Policy Violations on Third-Party Systems
ISO 6 - Services Accessed by Third-Party Systems
ISO 6 - User Logins and Logouts from Third-Party Systems
ISO 6 - User Logins and Logouts to Third-Party Systems
  These reports prompt you to supply values for the thirdPartyNetwork parameter.

The following table lists the NIST 800-53 reports that require configuration.

Configuring NIST 800-53 Reports

NIST AC - Account Activity by User
  This report prompts you to supply values for the destinationUserName parameter.

NIST AC - Administrative Actions - All Events
  This report prompts you to supply values for the deviceProduct, eventName, adminUsers,
  deviceEventClassID, and sourceDestUserName parameters.

NIST AC - Administrative Actions by Event Name
  This report prompts you to supply values for the deviceProduct, adminUsers, and
  sourceDestUserName parameters.

NIST AC - Administrative Actions by Product
  This report prompts you to supply values for the adminUsers and sourceDestUserName
  parameters.

NIST AC - Administrative Actions by User
NIST AC - Administrative Logins and Logouts
NIST AC - Failed Administrative Logins by System
NIST AC - Failed Administrative Logins by User
NIST AC - Failed User Logins by System
NIST AC - Failed User Logins by User Name
NIST AC - Privileged Account Changes
NIST AC - Successful Administrative Logins by System
NIST AC - Successful Administrative Logins by User
NIST AC - Successful User Logins by System
NIST AC - Successful User Logins by User Name
  These reports prompt you to supply values for the adminUsers parameter.

NIST AC - Database Privilege Violation
  This report prompts you to supply values for the databaseAdminUsers and
  databaseAdminAccounts parameters.

NIST AC - Development Network Not Segregated
  This report prompts you to supply values for the productionNetwork, testingNetwork,
  and developmentNetwork parameters.

Micro Focus Logger CIP for NERC (1.01) Page 20 of 60


Solutions Guide

Configuring NIST 800-53 Reports, continued


Report Name Required Configuration

NIST AC - Failed These reports prompt you to supply values for the deviceProduct,
Administrative Logins per destinationAddress, destinationHostName, adminUsers, and
System - Detail sourceDestUserNameparameters.

NIST AC - Failed
Administrative Logins per
User - Detail
NIST AC - Successful
Administrative Logins per
System - Detail
NIST AC - Successful
Administrative Logins per
User - Detail

NIST AC - Failed This report prompts you to supply values for the destinationAddress,
Administrative Logins per adminUsers and sourceDestUserName parameters.
User - Summary
NIST AC - Successful
Administrative Logins per
User - Summary

NIST PS - Failed User Logins This report prompts you to supply values for the thirdPartyNetwork
from Third-Party Systems parameter.

NIST AC - Failed These reports prompt you to supply values for the destinationAddress
Administrative Logins per and adminUsers parameters.
System - Summary
NIST AC - Failed User Logins
per System - Summary
NIST AC - Failed User Logins
per User Name - Summary
NIST AC - Successful
Administrative Logins per
System - Summary
NIST AC - Successful User
Logins per System -
Summary
NIST AC - Successful User
Logins per User Name -
Summary

Micro Focus Logger CIP for NERC (1.01) Page 21 of 60


Solutions Guide

Configuring NIST 800-53 Reports, continued


Report Name Required Configuration

NIST PS - Failed User Logins These reports prompt you to supply values for the thirdPartyNetwork
to Third-Party Systems parameter.
NIST AC - File Activity on
Third-Party Systems
NIST AC - File Creations on
Third-Party Systems
NIST AC - File Deletions on
Third-Party Systems
NIST AC - File Modifications
on Third-Party Systems
NIST AC - User Logins and
Logouts from Third-Party
Systems
NIST AC - User Logins and
Logouts to Third-Party
Systems
NIST CM - Changes to Third-
Party Resources
NIST IR - Compromised
Third-Party Systems
NIST IR - Policy Violations
from Third-Party Systems
NIST PS - Attacks from Third-
Party Systems
NIST PS - Attacks on Third-
Party Systems
NIST PS - Services Accessed
by Third-Party Systems
NIST AC - Third-Party
Systems Accessed

Micro Focus Logger CIP for NERC (1.01) Page 22 of 60


Solutions Guide

Configuring NIST 800-53 Reports, continued


Report Name Required Configuration

NIST AC - Internal These reports prompt you to supply values for the internalNetwork
Reconnaissance - Top 20 parameter.
Events
NIST AC - Internal
Reconnaissance - Top 20
Sources
NIST AC - Internal
Reconnaissance - Top 20
Targets
NIST AC - Services by Asset
NIST CM - Network Active
Assets
NIST AC - Traffic - Inbound
Count
NIST AC - Traffic from
External to Internal Protected
Domain
NIST AC - Traffic from
Internal to External Protected
Domain
NIST IR - Attacks - Hourly
Count
NIST IR - Attacks Targeting
Internal Assets

NIST AC - Internet Activity Customize the list of ports in the associated query to reflect the internet
per Device per Machine ports accessed by users at your site.
NIST AC - Internet Activity
per Device per User

NIST AC - Failed User Logins This report prompts you to supply values for the deviceProduct,
per System - Detail destinationAddress, destinationHostName, and adminUsers parameters.

NIST AC - Successful User


Logins per System - Detail
NIST AC - Successful User
Logins per User Name -
Detail
NIST AC - Failed User Logins
per User Name - Detail

NIST AC - Suspicious Activity This report prompts you to supply values for the wirelessNetwork
in Wireless Network parameter.

NIST AC - Test Network Not This report prompts you to supply values for the productionNetwork and
Segregated testingNetwork and developmentNetwork parameters.

Micro Focus Logger CIP for NERC (1.01) Page 23 of 60


Solutions Guide

Configuring NIST 800-53 Reports, continued


Report Name Required Configuration

NIST AC - User Actions - All This report prompts you to supply values for the deviceProduct,
Events eventName, adminUsers, variable, deviceEventClassID, and
sourceDestUserName parameters.
NIST AC - User Actions by
Event Name

NIST AC - User Actions by This report prompts you to supply values for the deviceProduct and
Product adminUsers parameters.

NIST AC - User Actions by This report prompts you to supply values for the deviceProduct,
User Name and Product adminUsers, variable, and sourceUserName parameters.

NIST CM - Changes to This report prompts you to supply values for the developmentNetwork
Development Network parameter.
Machines

NIST CM - File Changes in This report prompts you to supply values for the productionNetwork
Production parameter.

NIST IA - Default Vendor Customize the list of default vendor accounts listed in the associated
Account Used query to reflect the devices used in your environment.

NIST IA - Systems Accessed Customize the list of account names in the associated query to reflect any
as Root or Administrator additional default administrator account names use by devices at your
site.

NIST IR - Attacks - These reports prompt you to supply values for the productionNetwork and
Development to Production developmentNetwork parameters.

NIST IR - Attacks -
Production to Development

NIST IR - Traffic - Inbound on This report prompts you to supply values for the allowedPorts and
Disallowed Ports internalNetwork parameters.

NIST PS - Administrative These reports prompt you to supply values for the adminUsers and
Logins and Logouts from thirdPartyNetwork parameters.
Third-Party Hosts
NIST PS - Administrative
Logins and Logouts to Third-
Party Hosts
NIST PS - Failed Admin
Logins from Third-Party
Systems
NIST PS - Failed Admin
Logins to Third-Party
Systems

Micro Focus Logger CIP for NERC (1.01) Page 24 of 60


Solutions Guide

Configuring NIST 800-53 Reports, continued


Report Name Required Configuration

NIST SA - Peer to Peer Ports Customize the associated query with any additional peer-to-peer
Count destination ports.
NIST SA - Peer to Peer
Sources by Machine - Detail
NIST SA - Peer to Peer
Sources by Machine -
Overview

NIST SC - Insecure Services Customize the ports and processes listed in the associated query to reflect
the ports and processes that are considered insecure in your
environment.

NIST SI - Software Changes This report prompts you to supply values for the productNetwork
in Production parameter.

NIST SI - Viruses per Host This report prompts you to supply values for the destinationAddress,
destinationHostName, virusName and eventPriority parameters.
NIST SI - Virus Report -
Detail

NERC Reports

NERC-002 Reports

Report Name (CIP-002 Requirement ID)
  Report Description

NERC - Host Modification Events by Host (R2 2.1)
  Displays all modifications on a host detected by traffic analysis systems.

NERC - Modified Hosts (R2 2.1)
  Displays all modified hosts on the network detected by traffic analysis systems.

NERC - New Hosts (R2 2.1)
  Displays all new hosts on the network detected by traffic analysis systems.

NERC - New Hosts on High-Impact BES System Networks (R2 2.1)
  Displays all new hosts on the high-impact BES system networks detected by traffic analysis systems, where high-impact BES systems are defined by the HIGH_IMPACT_BES_CYBER_SYSTEMS parameter.

NERC - New Hosts on Low-Impact BES System Networks (R2 2.1)
  Displays all new hosts on the low-impact BES system networks detected by traffic analysis systems, where low-impact BES systems are defined by the LOW_IMPACT_BES_CYBER_SYSTEMS parameter.

NERC - New Hosts on Medium-Impact BES System Networks (R2 2.1)
  Displays all new hosts on the medium-impact BES system networks detected by traffic analysis systems, where medium-impact BES systems are defined by the MEDIUM_IMPACT_BES_CYBER_SYSTEMS parameter.

NERC - New Services (R2 2.1)
  Displays all new services detected on the network by traffic analysis systems.

NERC - New Services by Host (R2 2.1)
  Displays all new services detected on a host by traffic analysis systems.

NERC-004 Reports

Report Name (CIP-003 Requirement ID)
  Report Description

NERC - Anonymous User Activity (R3.1)
  Displays all anonymous user activity, where anonymous users are defined by the NERC_ANONYMOUS_ACCOUNTS parameter.

NERC - Anonymous User Activity on High-Impact BES Systems (R3.1)
  Displays anonymous user activity on high-impact BES systems, where anonymous users are defined by the NERC_ANONYMOUS_ACCOUNTS parameter and high-impact BES systems are defined by the HIGH_IMPACT_BES_CYBER_SYSTEMS parameter.

NERC - Anonymous User Activity on Medium-Impact BES Systems (R3.1)
  Displays anonymous user activity on medium-impact BES systems, where anonymous users are defined by the NERC_ANONYMOUS_ACCOUNTS parameter and medium-impact BES systems are defined by the MEDIUM_IMPACT_BES_CYBER_SYSTEMS parameter.

NERC - Authorization Changes (R4.1)
  Displays authorization changes made on systems and the number of events per host name.

NERC - Privileged Account Changes (R4.1|R4.3)
  Displays all changes made to privileged accounts, such as password changes, by user and number of changes. Privileged accounts are defined by the NERC_ADMIN_USERS parameter and can be modified at runtime.

NERC - Removal of Access Rights (R4.1|R4.3)
  Displays the number of events on each host indicating removal of access rights, user account deletion, or group deletion.

NERC - Terminated User Activity (R5)
  Displays all terminated user activity.

NERC - Terminated Users (R5)
  Displays all terminated users.

NERC - User Account Creation (R4.1|R4.3)
  Displays the user, host, and zone information from user account creation events, sorted by events per zone.

NERC - User Account Deletion (R4.1|R4.3)
  Displays events indicating that user accounts have been removed from a system.

NERC - Windows Users Added to Privileged Group (R4.3|R4.1)
  Displays Windows users added to privileged groups, including Time, Subject, Object, Domain info, and Group.

NERC - Windows Users Removed from Privileged Group (R4.3|R4.1)
  Displays Windows users removed from privileged groups, including Time, Subject, Object, Domain info, and Group.

NERC - User Group Creation (R4.3|R4.1)
  Displays all events for creation of user groups.

NERC - User Group Deletion (R4.3|R4.1)
  Displays all events for deletion of user groups.

NERC - User Group Modification (R4.3|R4.1)
  Displays all events for modification of user groups.

NERC – Users Added to Groups (R4.3|R4.1)
  Displays all events for additions of users to user groups.

NERC – Users Removed from Groups (R4.3|R4.1)
  Displays all events for removal of users from user groups.

NERC-005 Reports

Report Name (CIP-005 Requirement ID)
  Report Description

NERC - BES Systems to External - All (R1.1)
  Displays BES systems that are communicating directly with external systems. This traffic should be justified.

NERC - Blocked Firewall Traffic - All (R1.3)
  Displays the number of blocking events generated by devices that have blocked traffic.

NERC - Blocked Firewall Traffic from High-Impact BES Systems (R1.3)
  Displays the number of blocking events generated by devices that have blocked traffic from high-impact BES systems, where high-impact BES systems are defined by the HIGH_IMPACT_BES_CYBER_SYSTEMS parameter.

NERC - Blocked Firewall Traffic from Medium-Impact BES Systems (R1.3)
  Displays the number of blocking events generated by devices that have blocked traffic from medium-impact BES systems, where medium-impact BES systems are defined by the MEDIUM_IMPACT_BES_CYBER_SYSTEMS parameter.

NERC - Blocked Firewall Traffic to High-Impact BES Systems (R1.3)
  Displays the number of blocking events generated by devices that have blocked traffic to high-impact BES systems, where high-impact BES systems are defined by the HIGH_IMPACT_BES_CYBER_SYSTEMS parameter.

NERC - Blocked Firewall Traffic to Medium-Impact BES Systems (R1.3)
  Displays the number of blocking events generated by devices that have blocked traffic to medium-impact BES systems, where medium-impact BES systems are defined by the MEDIUM_IMPACT_BES_CYBER_SYSTEMS parameter.

NERC - Clear Text Password Transmission (R1.5)
  Displays clear text password transmission events.

NERC - Covert Channel Activity (R1.5)
  Displays a count of events identified as covert channel activity, sorted by target zone. These events are generated by IDS devices and may indicate the use of 'loki' or another tool designed to establish an undetected channel either to or from an organization.

NERC - Email Attacks Events (R1.5)
  Displays information about email attacks.

NERC - External to BES Systems - All (R1.1)
  Displays all external systems that are communicating directly with BES systems. This traffic should be justified.

NERC - Firewall Event Review by Device (R1.5)
  Displays the number of different events that were triggered on NIDS systems, sorted by device.

NERC - Firewall Open Port Review (R1.3)
  Displays the destination ports accepted through firewalls. Includes a pie chart showing the most commonly used destination ports.

NERC - Inbound Traffic from Public IP Addresses to the High-Impact BES Systems (R1.1)
  Displays inbound traffic from public IP addresses to high-impact BES systems, where high-impact BES systems are defined by the HIGH_IMPACT_BES_CYBER_SYSTEMS parameter.

NERC - Inbound Traffic from Public IP Addresses to the Medium-Impact BES Systems (R1.1)
  Displays inbound traffic from public IP addresses to medium-impact BES systems, where medium-impact BES systems are defined by the MEDIUM_IMPACT_BES_CYBER_SYSTEMS parameter.

NERC - Information Interception Events (R1.5)
  Displays the date, source, and destination information from information interception events.

NERC - Insecure Services (R1.5 / CIP-007-6 R1.1)
  Displays systems providing insecure services such as FTP or Telnet. The chart displays the number of times each system provided an insecure service.

NERC - NIDS Event Review by Device (R1.5)
  Displays the number of different events that were triggered on NIDS systems, sorted by device.

NERC - Outbound Traffic from the High-Impact BES Systems to Public IP Addresses (R1.1)
  Displays outbound traffic from high-impact BES systems to public IP addresses, where high-impact BES systems are defined by the HIGH_IMPACT_BES_CYBER_SYSTEMS parameter.

NERC - Outbound Traffic from the Medium Impact BES Systems to Public IP Addresses (R1.1)
  Displays outbound traffic from medium-impact BES systems to public IP addresses, where medium-impact BES systems are defined by the MEDIUM_IMPACT_BES_CYBER_SYSTEMS parameter.

NERC - Redirection Attacks Events (R1.5)
  Displays information about redirection attacks.

NERC - Traffic Anomaly on Application Layer Events (R1.5)
  Displays the date, source, and destination information from application layer anomaly events.

NERC - Traffic Anomaly on Network Layer Events (R1.5)
  Displays the date, source, and destination information from network layer anomaly events.

NERC - Traffic Anomaly on Transport Layer Events (R1.5)
  Displays the date, source, and destination information from transport layer anomaly events.

NERC - Traffic Between Zones - Protocol (R1.1)
  Displays the communication protocols passed between different zones.

NERC - Traffic - Inbound on Disallowed Ports (R1.5)
  Displays the number of attempted connections (successful and failed) for inbound traffic on disallowed ports on BES systems. Allowed ports are specified at runtime using the NERC_ALLOWED_PORTS parameter; by default, ports 80 and 443 are specified. BES systems are specified at runtime using the BES_CYBER_NETWORKS parameter.

NERC - VPN Access Summary (R2.2)
  Displays a summary of VPN access by users.

NERC-006 Reports

Report Name (CIP-006 Requirement ID)
  Report Description

NERC - Failed Building Access Attempts (R1.1/R1.6)
  Displays all failed building access attempts, including user name, ID, and badge reader number.

NERC - Failed Building Access Attempts after Work Hours (R1.1/R1.6)
  Displays all failed building access attempts after work hours, including user name, ID, and badge reader number.

NERC - Failed Building Access Attempts during the Weekends (R1.1/R1.6)
  Displays all failed building access attempts during the weekends, including user name, ID, and badge reader number.

NERC - Physical Access Event Reporting Devices (R1.6)
  Lists the devices that report physical access events.

NERC - Physical Access System Account Creation (R1.1)
  Shows all new accounts added to physical access systems, sorted by user name, for the time period you specify when you run the report.

NERC - Physical Access System Account Deletion (R1.1)
  Shows all deletions of accounts from physical access systems.

NERC - Physical Access System Account Modification (R1.1)
  Shows all modifications made to accounts on physical access systems.

NERC - Physical Facility Access Attempts – All (R1.8)
  Displays all authentication verification events (badge-ins) involving physical access systems.

NERC - Physical Facility Access Attempts by User (R1.8)
  Displays the authentication verification events (badge-ins) involving physical access systems for a specific user.

NERC - Physical Reporting Devices Configuring changes (R1.1)
  Displays the date, time, event name, and host information from all events indicating that a configuration change has been made on physical access equipment.

NERC - Successful Building Access Attempts (R1.8)
  Displays all successful authentication verification events (badge-ins) involving physical access systems.

NERC - Successful Building Access Attempts after Work Hours (R1.8)
  Displays all successful building access attempts after work hours, including user name, ID, and badge reader number.

NERC - Successful Building Access Attempts during the Weekends (R1.8)
  Displays all successful building access attempts during the weekends, including user name, ID, and badge reader number.

NERC - Events by Device (N/A)
  Designed as a drill-down report; shows the different event fields by device address.

NERC-007 Reports

Report Name (CIP-007 Requirement ID)
  Report Description

NERC - Account Activity by User (R4.1)
  Displays all the events with the specified destination user name, defined at runtime.

NERC - Account Lockouts by System (R5.7)
  Displays incidents of user accounts locked out by the system, sorted by system name. The chart displays a trend of the number of such incidents per day.

NERC - Account Lockouts by User (R5.7)
  Displays incidents of user accounts locked out by the system, sorted by user name. The chart displays a trend of the number of such incidents per day.

NERC - Anti Virus Update Summary (R3.3)
  Displays all anti-virus software updates.

NERC - Anti Virus Update Summary by Update Result (R3.3)
  Designed as a drill-down of the "Anti Virus Update Summary" report; shows anti-virus updates by result.

NERC - Confidentiality and Integrity Breach Sources – Count (R3.1)
  Displays the sources of confidentiality and integrity attacks and the number of attacks associated with each source. The chart displays the number of such events initiated in each zone.

NERC - Database Access - All (R4.1)
  Displays all login attempts to all database systems.

NERC - Database Access – Failed (R4.1.2)
  Displays all failed login attempts made to database systems.

NERC - Detailed Anti-Virus Report (R3.1)
  Displays a detailed listing of anti-virus events (routine maintenance and remediation events) ordered by zone, IP address, and virus name.

NERC - Detailed Anti-Virus Report per Host (R3.1)
  Designed as a drill-down report. Displays a detailed listing of anti-virus events (routine maintenance and remediation events) for a specific host, ordered by time.

NERC - Dynamic Ports by Address (R1.1)
  Displays all the dynamic ports by address.

NERC - Event in Network (N/A)
  Designed as a drill-down report. Displays the hosts that were targeted by a specific event and the number of times they were targeted.

NERC - Failed Administrative Logins by System (R4.1.2)
  Displays all failed administrative logins, by system.

NERC - Failed Administrative Logins by User (R4.1.2)
  Displays all administrative users that failed to log into systems, the number of failed logins, and the number of distinct systems they attempted to log into.

NERC - Failed Administrative Logins per System - Detail (R4.1.2)
  Displays all the failed administrative logins into a particular system. The chart shows the number of failed administrative logins for each product.

NERC - Failed Administrative Logins per System - Summary (R4.1.2)
  Displays all the administrative users that failed to log into each system and the number of such failed logins.

NERC - Failed Administrative Logins per User - Detail (R4.1.2)
  Displays all failed logins for the selected administrative user. The chart shows the number of failed logins per product.

NERC - Failed Administrative Logins per User - Summary (R4.1.2)
  Displays all the systems that the selected administrative users failed to log into, and the number of such failed logins.

NERC - Failed User Logins by System (R4.1.2)
  Displays all failed non-administrative logins, by system.

NERC - Failed User Logins by User Name (R4.1.2)
  Displays all non-administrative users that failed to log into systems, the number of failed logins, and the number of distinct systems they attempted to log into.

NERC - Failed User Logins per System - Detail (R4.1.2)
  Displays all the failed non-administrative logins into a particular system.

NERC - Failed User Logins per System - Summary (R4.1.2)
  Displays all the non-administrative users that failed to log into each system and the number of such failed logins.

NERC - Failed User Logins per User Name - Detail (R4.1.2)
  Displays all failed logins for the selected non-administrative user.

NERC - Failed User Logins per User Name - Summary (R4.1.2)
  Displays all the systems that the selected non-administrative user failed to log into, and the number of such failed logins.

NERC - HIDS Event Review by Device (R3.1)
  Displays all events that were triggered on HIDS systems and the number of times each event occurred.

NERC - Host Event Count (N/A)
  Designed as a drill-down report. Displays the number of different events that targeted a specific host.

NERC - Malicious Code Sources (R3.1)
  Displays the count of malicious code events from particular hosts.

NERC - Not Allowed Registered Ports by Address (R1.1)
  Displays all the not-allowed open ports by IP address. The allowed ports are configured using the NERC_ALLOWED_PORTS parameter.

NERC - Open Ports - All (R1.1)
  Displays all open ports in the organization.

NERC - Open Ports by Address (R1.1)
  Displays all the open ports by address.

NERC - Stopped or Paused Anti-Virus Events (R3.3)
  Displays all anti-virus disabled events as reported by Microsoft systems.

NERC - Successful Administrative Logins by System (R4.1.1)
  Displays all successful administrative logins, by system. The chart displays a summary of the number of all administrative logins by product.

NERC - Successful Administrative Logins by User (R4.1.1)
  Displays all administrative users that successfully logged into systems, the number of successful logins, and the number of distinct systems that were logged into.

NERC - Successful Administrative Logins per System - Detail (R4.1.1)
  Displays all the events where administrators successfully logged into a particular system.

NERC - Successful Administrative Logins per System - Summary (R4.1.1)
  Displays all the administrative users that successfully logged into each system and the number of such logins.

NERC - Successful Administrative Logins per User – Detail (R4.1.1)
  Displays all successful logins for the selected administrative user.

NERC - Successful Administrative Logins per User - Summary (R4.1.1)
  Displays all the systems that the selected administrative users successfully logged into, and the number of such successful logins.

NERC - Successful Brute Force Logins (R3.1)
  Displays the time, user, and host information from successful brute-force logins.

NERC - Successful Password Changes (R5.6)
  Displays which users have changed their passwords and when.

NERC - Successful User Logins by System (R4.1.1)
  Displays a count of all successful non-administrative logins for each system.

NERC - Successful User Logins by User Name (R4.1.1)
  Displays all non-administrative users that successfully logged into systems, the number of successful logins, and the number of distinct systems that were logged into.

NERC - Successful User Logins per System - Detail (R4.1.1)
  Displays all the events where non-administrators successfully logged into a particular system.

NERC - Successful User Logins per System - Summary (R4.1.1)
  Displays all the non-administrative users that successfully logged into each system and the number of such successful logins.

NERC - Successful User Logins per User Name - Detail (R4.1.1)
  Displays all successful logins for the selected non-administrative user.

NERC - Successful User Logins per User Name - Summary (R4.1.1)
  Displays all the systems that the selected non-administrative users successfully logged into, and the number of such successful logins.

NERC - Suspicious Activity in Wireless Network (R3.1)
  Displays events defined as suspicious activity, such as port scanning, in the wireless network. The wireless network is defined by the 'wirelessNetwork' parameter and can be changed at runtime. The chart displays a count of the different events that were defined as suspicious.

NERC - Trojan Code Activity (R3.1)
  Displays all trojan activity.

NERC - Unsecured Ports by Address (R1.1)
  Displays all unsecured ports by address.

NERC - User Logins and Logouts (R4.1|R5.2)
  Displays the time, name, destination, and user information from user login and logout events.

NERC - Virus Summary By Host (R3.1)
  Displays systems infected with viruses and the number of infections for each system.

NERC - Virus Summary By Virus (R3.1)
  Displays viruses detected on systems and the number of such detections, ordered by the viruses that were detected most often.

NERC - Worm Activity (R3.1)
  Displays all worm activity.

NERC - Data Written to Removable Storage (R1.2)
  Displays data written to removable storage, using Windows 2012/2008 events.

NERC - Removable Storage Devices Activity (R1.2)
  Displays removable storage device activity, using Windows 2008/2012 events.

NERC - New External Device was Recognized by the System (R1.2)
  Displays new external devices recognized by the system, using Windows 2016 and Windows 10 events.

NERC - Windows Remote Access User Logins by System (R4.1|R5.1)
  Displays successful Windows remote logins (Terminal Services, Remote Desktop, Remote Assistance, or connections to a shared folder) by system, where the system host name is provided at runtime. The default is all systems.

NERC-008 Reports

Report Name (CIP-008 Requirement ID)
  Report Description

NERC - Attacked Hosts - Top 20 (R1.1)
  Displays the 20 hosts that were the target of the largest number of events identified as attacks. The chart displays the number of events identified as attacks that targeted each destination IP address.

NERC - Attackers - Top 20 (R1.1)
  Displays the 20 hosts that were the source of the largest number of events identified as attacks. The chart summarizes the number of events identified as attacks per source IP address.

NERC - Attack Events - Top 20 (R1.1)
  Displays the 20 most common attack event names in the report's time frame.

NERC - Attacks - High Impact to Medium Impact BES Cyber Systems (R1.1)
  Displays the number of events per day categorized as attacks, originating from the high-impact BES network and targeting the medium-impact BES network. The high-impact and medium-impact networks are defined by parameters and can be set at runtime.

NERC - Attacks - Hourly Count (R1.1)
  Displays the number of attacks that targeted BES Cyber IP addresses each hour.

NERC - Attacks - Medium Impact to High Impact BES Cyber Systems (R1.1)
  Displays the number of events per day categorized as attacks, originating from the medium-impact network and targeting the high-impact network. The high-impact and medium-impact networks are defined by parameters and can be set at runtime. The chart displays the number of such incidents per day.

NERC - Attacks Targeting BES Cyber Assets (R1.1)
  Displays all events with a category significance of 'Recon', 'Compromise', 'Hostile', or 'Suspicious' that target a BES Cyber IP address.

NERC - BES Cyber Systems Reconnaissance - Top 20 Events (R1.1)
  Displays the top events identified as BES cyber systems reconnaissance events, such as port scanning activity. BES Cyber Systems are defined by parameters and can be set at runtime.

NERC - BES Cyber Systems Reconnaissance - Top 20 Sources (R1.1)
  Displays the 20 hosts that were the source of the most BES cyber systems reconnaissance events, such as port scanning activity. BES Cyber Systems are defined by parameters and can be set at runtime.

NERC - BES Cyber Systems Reconnaissance - Top 20 Targets (R1.1)
  Displays the 20 hosts that were the target of the most BES cyber systems reconnaissance events, such as port scanning activity. BES Cyber Systems are defined by parameters and can be set at runtime.

NERC - Denial of Service Sources (R1.1)
  Displays all the sources involved in Denial of Service activity.

NERC - High Risk Events (R1.1)
  Displays source and destination information from all events with an agent severity of High or Very High.

NERC - High Risk Events by Zone (R1.1)
  Displays the number of High or Very High severity events, sorted by zone.

NERC-009 Reports

NERC - Availability Attacks (CIP-009 R1.1; CIP-007 R3.1)
    Displays a count of Denial of Service and other availability attacks on the network. The chart displays the number of availability attacks in each zone.

NERC - Information System Failures (CIP-009 R1.1)
    Displays a count of failures that occur on machines in the network, such as a failure to start a service or the denial of an operation. The chart summarizes the number of failures on each host.

NERC - Resource Exhaustion (CIP-009 R1.1)
    Displays a count of events indicating resource exhaustion on particular hosts.

NERC-010 Reports

NERC - All CVE Vulnerabilities per Host (CIP-010 R3.1)
    Displays all the CVEs and their CVSS scores for a specific host. The default is all hosts.

NERC - Application Configuration Modifications (CIP-010 R2.1/R1.1)
    Displays events categorized as application configuration modifications, such as an update of a license file or a change to a program setting. The chart displays the number of such incidents per day.

NERC - Audit Log Cleared (CIP-010 R2.1)
    Displays the date, time, system, and user information from all events indicating that an audit log has been cleared.

NERC - Changes to Operating Systems (CIP-010 R2.1/R1.1)
    Displays modifications to operating systems, such as account changes or changes to the security options, and the number of times these events happened. The chart displays the number of such events per host.

NERC - CVSS Score Vulnerabilities equal or greater than 8 (CIP-010 R3.1)
    Displays all vulnerabilities with a CVSS score equal to or greater than 8 for a specific host. The default is all hosts.

NERC - Firewall Configuration Changes (CIP-010 R2.1/R1.1)
    Displays all firewall configuration changes.

NERC - Misconfigured Systems (CIP-010 R2.1/R1.1)
    Displays all misconfigured system events.

NERC - Network Equipment Configuration Changes (CIP-010 R2.1/R1.1)
    Displays all network equipment configuration changes, including changes to routers and switches.

NERC - Security Patch Missing (CIP-010 R2.1/R1.1)
    Displays all missing security patch events.

NERC - Top 20 Vulnerabilities (CIP-010 R3.1)
    Displays the 20 most common vulnerabilities on systems, the number of systems on which each is found, and additional information about the vulnerability.

NERC - Top 20 Vulnerable Assets (CIP-010 R3.1)
    Displays the 20 systems with the most vulnerabilities, as reported by vulnerability scanners.

NERC - VPN Displays all configuration changes made to NERC related VPN devices. R2.1/R1.1
Configuration
Changes

NERC - This report was designed as a drill-down report.Displays all the R3.1
Vulnerabilities vulnerabilities on a host for a specific scanner.
on Host per
Scanner

NERC - This report was designed as a drill-down report. Displays all the R3.1
Vulnerabilities vulnerabilities for a certain host name.
per Host - All -
Drill Down-

NERC - This report was designed as a drill-down report. Displays the number of R3.1
Vulnerability vulnerabilities found by each scanner that scanned the host.
Count per
Scanner

NERC - This report was designed as a drill-down report. Displays all the hosts R3.1
Vulnerability in with the selected vulnerability.
Network

NERC - Displays all the vulnerable hosts per specific CVE, default all CVEs. R3.1
Vulnerable
Hosts per CVE

NERC - Cross- Displays cross-site request forgery vulnerabilities where IP Address and R3.1
Site Request Host Name input parameters can be modified at runtime default all the
Forgery systems. The query uses a full text search on different fields (both
Vulnerabilities indexed and un-indexed fields) and this could lead to some slowness
when running this report.

NERC - Displays overflow vulnerabilities (like buffer and head overflows) where R3.1
Overflow IP Address and Host Name input parameters can be modified at runtime
Vulnerabilities default all the systems . the query is using a full text search on different
fields (both indexed and un-indexed fields) and this could lead to some
slowness when running this report.

NERC - Scada Displays potential SCADA vulnerabilities where IP Address and Host R3.1
Vulnerabilities Name input parameters can be modified at runtime default all the
systems. The query is using a full text search on different fields (both
indexed and un-indexed fields) and this could lead to some slowness
when running this report.

NERC - SSL Displays SSL vulnerabilities where IP Address and Host Name input R3.1
Vulnerabilities parameters can be modified at runtime default all the systems . the
query is using a full text search on different fields (both indexed and un-
indexed fields) and this could lead to some slowness when running this
report.


NERC - This report displays changes to Microsoft Active Directory. R2.1|CIP-007


Windows 5.5
Group Policy
Changes

NERC - This report displays changes to Microsoft Domain Policy. R2.1


Windows
Domain Policy
Changes

NERC - New Displays all the new processes by system, user and process name, R2.1
Processes where system ,user and process name are parameters which configured
at run-time ,by default displays all the new processes on the
organization.

NERC - Displays vulnerabilities by specific host. Default all hosts and all R3.1
Vulnerabilities vulnerabilities.
per Host

Drill downs :
Destination Host Name: Shows All the Vulnerabilities on this Host Name
Signature ID: Shows All the hosts vulnerable to this Signature ID
CVE ID -> Shows All the hosts vulnerable to this CVE ID
CVSS Score -> Shows all the CVEs which have a CVSS Score equal or
greater than 8 on this specific host.

NERC-011 Reports

NERC - Insecure cryptographic storage (CIP-011 R1.2)
    Displays insecure cryptographic storage detected on your systems.

NERC - Systems Providing Unencrypted Services (CIP-011 R1.2)
    Displays systems that provide unencrypted communications and the number of such events recorded. Unencrypted communication is defined as use of one of the following services: telnetd, ftpd, in.rexecd, rexec, pop3, rsh, imapd; or communication on one of the following ports: 20, 21, 23, 25, 110, 143. These values are defined in the query and can be adjusted to match the customer's definitions.

Chapter 5: Configuring Alerts
Many of the NERC alerts contain site-specific data, such as administrator account names
and default ports and protocols, which you need to configure with details specific to your
environment.
The following table lists the alerts that require configuration.

Alert Name: NERC - Default Vendor Account Used
Required Configuration: In the Query Terms field that lists the default user names, change the set of default account names to reflect the account names used by software applications at your site. For example, add the CTXSYS user name to the user list:

    user=(admin|root |sa |nobody |guest |manager |sys |system |oracle |orcladmin |cisco |pixadmin |CTXSYS )

Separate the user names with the pipe character (|), which represents an OR operator.

Alert Name: NERC - Disallowed Port Access
Required Configuration: In the Query Terms field that lists the default ports, change the set of default ports to reflect your site. For example, add port 8080 to the list:

    (d|s)pt=(80 |443 |8080 )

Separate the ports with the pipe character (|), which represents an OR operator. To match a port number exactly, add a space character after the number: port 90 specified without a trailing space also matches any port number that starts with 90, such as 9000 or 9090.

To configure an alert with site-specific data:

1. Select the Configuration tab.
2. From the left panel menu, select Alerts.
3. Click the alert you need to configure.
4. Find the Query Term that contains the site-specific data and change it to reflect your site.
5. Click Save.
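As an added example, not taken from the guide, the following Python script applies the two Query Terms quoted above to a handful of constructed CEF-style events and shows why the trailing space matters: without it, 90 also matches 9000 and 9090, and admin (which the guide's own list writes without a trailing space) also matches administrator. It assumes, as the guide's port caveat implies, that Logger evaluates a Query Term as an unanchored regular expression over the raw event text. The PORT_90_BOUNDED variant is a suggested alternative that the guide does not document; check it against your Logger version's regular-expression dialect before relying on it.

```python
import re

# Query Terms from the guide's "Configuring Alerts" examples, reproduced verbatim.
# Most alternatives end in a space so that the value only matches a whole token.
DEFAULT_VENDOR_ACCOUNTS = (
    r"user=(admin|root |sa |nobody |guest |manager |sys |system |oracle "
    r"|orcladmin |cisco |pixadmin |CTXSYS )"
)
DISALLOWED_PORTS = r"(d|s)pt=(80 |443 |8080 )"

# The guide's caveat: a port written without the trailing space is a prefix match.
PORT_90_UNDELIMITED = r"(d|s)pt=(90)"
PORT_90_DELIMITED = r"(d|s)pt=(90 )"
# Assumed alternative (not from the guide): end on whitespace OR end of event, so a
# port that is the last field of the event is not missed. Verify your Logger's regex
# engine accepts \s and $ before using it.
PORT_90_BOUNDED = r"(d|s)pt=(90)(\s|$)"

# Constructed CEF-style events for the demonstration; these are not real captures.
SAMPLE_EVENTS = [
    "CEF:0|Acme|FW|1.0|100|Allow|3|src=10.1.1.5 spt=51234 dst=10.2.2.9 dpt=443 proto=TCP",   # 0
    "CEF:0|Acme|FW|1.0|100|Allow|3|src=10.1.1.5 spt=51235 dst=10.2.2.9 dpt=9000 proto=TCP",  # 1
    "CEF:0|Acme|FW|1.0|100|Allow|3|src=10.1.1.5 spt=51236 dst=10.2.2.9 dpt=90 proto=TCP",    # 2
    "CEF:0|Acme|FW|1.0|100|Allow|3|src=10.1.1.5 spt=51237 dst=10.2.2.9 dpt=9090 proto=TCP",  # 3
    "CEF:0|Acme|OS|1.0|200|Login|5|suser=root dhost=hist01 outcome=Success",                   # 4
    "CEF:0|Acme|OS|1.0|200|Login|5|suser=rootkit dhost=hist01 outcome=Success",                # 5
    "CEF:0|Acme|OS|1.0|200|Login|5|suser=administrator dhost=hist01 outcome=Success",          # 6
    "CEF:0|Acme|OS|1.0|200|Login|5|suser=jsmith dhost=hist01 outcome=Success",                 # 7
    "CEF:0|Acme|FW|1.0|100|Allow|3|src=10.1.1.5 spt=51238 dst=10.2.2.9 dpt=90",               # 8: last field
]


def matching_indices(term: str, events) -> list:
    """Return the indices of the events a Query Term hits.

    Unanchored search over the raw event text, so 'user=' also hits 'suser=' and 'duser='.
    """
    rx = re.compile(term)
    return [i for i, event in enumerate(events) if rx.search(event)]


def query_term(field: str, values) -> str:
    """Build a Logger-style term with the trailing-space delimiter the guide recommends.

    query_term("(d|s)pt", [80, 443, 8080]) returns "(d|s)pt=(80 |443 |8080 )".
    """
    return f"{field}=(" + "|".join(f"{v} " for v in values) + ")"


if __name__ == "__main__":
    for name, term in [
        ("default vendor accounts", DEFAULT_VENDOR_ACCOUNTS),
        ("disallowed ports", DISALLOWED_PORTS),
        ("port 90, no delimiter", PORT_90_UNDELIMITED),
        ("port 90, trailing space", PORT_90_DELIMITED),
        ("port 90, whitespace or end", PORT_90_BOUNDED),
    ]:
        print(f"{name:28} -> events {matching_indices(term, SAMPLE_EVENTS)}")
```

Running the script prints which sample events each term hits. Two things worth noticing: the delimited form `(90 )` correctly excludes 9000 and 9090 but also misses sample event 8, where the port is the last field of the event, and the undelimited `admin` in the vendor-account list matches `administrator` as well as `admin`. query_term() builds a term from your own port or account list with the delimiter already applied.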

NERC Alerts

NERC-002 Alerts

NERC - New Host (CIP-002 R2 2.1)
    Triggers when a new host is detected on the network.

NERC - Microsoft Computer Account Created (CIP-002 R1 1.1 | R2 2.1)
    Triggers when a new Microsoft computer account is created.

NERC - Microsoft Computer Account Deleted (CIP-002 R2 2.1)
    Triggers when a Microsoft computer account is deleted.

NERC-004 Alerts

NERC - Anonymous User Activity (CIP-004 R3.1)
    Triggers when anonymous user activity is detected.

NERC - Modified User Group (CIP-004 R4.3 | R4.1)
    Triggers when a user group is modified. The user group is a configuration variable.
    Configuration: in duser=GROUP_NAME, replace the GROUP_NAME string with the group you want to monitor.

NERC - User Added to Group (CIP-004 R4.3 | R4.1)
    Triggers when a user is added to a group. The group name is a configuration variable.
    Configuration: in cs6=Group_Name, replace the Group_Name string with the group you want to monitor.

NERC - Windows User Added to Privileged Group (CIP-004 R4.3 | R4.1)
    Triggers when a Windows event is received indicating that a user was added to a privileged group.
NERC-005 Alerts

NERC - Traffic Anomaly (CIP-005 R1.5 / CIP-007-6 R4.1)
    Triggers when a network traffic anomaly is detected.

NERC - Email Attacks (CIP-005 R1.5 / CIP-007-6 R4.1)
    Triggers when an email attack is detected.

NERC - Redirection Attacks (CIP-005 R1.5 / CIP-007-6 R4.1)
    Triggers when a redirection attack is detected.

NERC - Information Interception Events (CIP-005 R1.5 / CIP-007-6 R4.1)
    Triggers when information interception is detected.

NERC - Covert Channel Activity (CIP-005 R1.5 / CIP-007-6 R4.1)
    Triggers when covert channel activity is detected.

NERC - Insecure Services Detected (CIP-005 R1.5 / CIP-007-6 R1.1)
    Triggers when an insecure service, such as FTP, TFTP, telnet, POP3, or NetBIOS, is identified.

NERC-006 Alerts

NERC - Failed Building Access Attempts (CIP-006 1.7)
    Triggers when a failed building access attempt is detected.

NERC-007 Alerts

NERC - Anti-Virus Disabled (CIP-007 R3.3)
    Triggers when an action that disables anti-virus is detected.

NERC - Anti-Virus Failed Update (CIP-007 R3.3)
    Triggers when a failed anti-virus update event is detected.

NERC - Brute Force Attacks (CIP-007 R4.2.1)
    Triggers when a brute force attack is detected.

NERC - Code Injection Attacks (CIP-007 R4.2.1)
    Triggers when a code injection attack is detected.

NERC - Directory Traversal Attacks (CIP-007 R4.2.1)
    Triggers when a directory traversal attack is detected.
NERC - DoS Attacks (CIP-007 R4.2.1)
    Triggers when a Denial of Service attack is detected.

NERC - Excessive Failed Administrative Actions (CIP-007 R4.1/R5.7)
    Triggers when an excessive number of failed actions by administrative user accounts occur.
    Default Match Count: 20; Default Threshold (Sec): 300.

NERC - Excessive Failed Administrative Logins (CIP-007 R4.1/R5.7)
    Triggers when an excessive number of failed login attempts by administrative user accounts occur.
    Default Match Count: 10; Default Threshold (Sec): 300.

NERC - Excessive Failed User Actions (CIP-007 R4.1/R5.7)
    Triggers when an excessive number of failed actions by non-administrative user accounts occur. Triggers for any account that is not listed as an administrative account in the alert.
    Default Match Count: 20; Default Threshold (Sec): 300.

NERC - Excessive Failed User Logins (CIP-007 R4.2.2/R5.7)
    Triggers when an excessive number of failed login attempts by non-administrative user accounts occur. Triggers for any account that is not listed as an administrative account in the alert.
    Default Match Count: 10; Default Threshold (Sec): 300.

NERC - Excessive Successful Administrative Actions (CIP-007 R4.1)
    Triggers when an excessive number of successful actions by administrative user accounts occur.
    Default Match Count: 300; Default Threshold (Sec): 300.

NERC - Excessive Successful Administrative Logins (CIP-007 R4.1)
    Triggers when a large number of successful logins by administrative user accounts occur.
    Default Match Count: 10; Default Threshold (Sec): 300.

NERC - Excessive Successful User Actions (CIP-007 R4.1)
    Triggers when a large number of successful actions by non-administrative user accounts occur. Triggers for any account that is not listed as an administrative account in the alert.
    Default Match Count: 2000; Default Threshold (Sec): 300.

NERC - Excessive Successful User Logins (CIP-007 R4.1)
    Triggers when a large number of successful logins by non-administrative user accounts occur. Triggers for any account that is not listed as an administrative account in the alert.
    Default Match Count: 30; Default Threshold (Sec): 300.
NERC - Failed User Logins (CIP-007 R4.2.2)
    Triggers when a failed user login event is detected.

NERC - Failed User Logins on BES Cyber Systems (CIP-007 R4.2.2)
    Triggers when a failed user login event is detected on BES Cyber Systems.
    Configuration: in dst=BES_CYBER_SYSTEMS, replace the BES_CYBER_SYSTEMS string with a regular expression that specifies the range of IP addresses of the machines in the BES Cyber Systems. For example, the following could be specified in the Query Terms field:
        dst=(172\.168\.(1[6-9]|2[0-9]|3[0-1])\.)
    This regular expression matches addresses from 172.168.16.0 through 172.168.31.255.

NERC - Information Leakage (CIP-007 R4.2.1)
    Triggers when information leakage is detected.

NERC - Malicious Code Detection (CIP-007 R4.2.1)
    Triggers when malicious code is detected.

NERC - Privilege Escalation Attacks (CIP-007 R4.2.1)
    Triggers when a privilege escalation is detected.

NERC - Scan Attacks (CIP-007 R4.2.1)
    Triggers when a scan attack (such as port scanning, IP scanning, or service scanning) is detected.

NERC - Spoofing Attacks (CIP-007 R4.2.1)
    Triggers when a spoof is detected.

NERC - Excessive Failed Database Access (CIP-007 R4.2.2)
    Triggers when an excessive number of failed database access attempts occur.
    Default Match Count: 100; Default Threshold (Sec): 300.

NERC - Excessive Successful Database Access (CIP-007 R4.1)
    Triggers when an excessive number of successful database access attempts occur.
    Default Match Count: 100; Default Threshold (Sec): 300.

NERC - Detected Removable Storage (CIP-007 R1.2)
    Triggers when removable storage is detected on a specific host name.
    Configuration: in dhost=HOST_NAME, replace the HOST_NAME string with a regular expression matching the host names you want to monitor.
NERC - Data Written to Removable Storage Device (CIP-007 R1.2)
    Triggers when data is written to a removable storage device from a specific host name.
    Configuration: in dhost=HOST_NAME, replace the HOST_NAME string with a regular expression matching the host names you want to monitor.

NERC - User Account Enabled (CIP-007 R4.2)
    Triggers when a Windows user account enablement event is detected.

NERC - Interactive Login of System Accounts (CIP-007 R4.2)
    Triggers when a Windows interactive login by a system account is detected.

NERC - Changes by Un-Authorized Users on BES Critical Systems (CIP-007 R4.2)
    Triggers when changes by unauthorized users are detected on BES critical systems.
    Configuration: in suser=UNAUTHORIZED_USERS, replace the UNAUTHORIZED_USERS string with a regular expression matching the unauthorized users you want to monitor. In dst=BES_CRITICAL_SYSTEMS, replace the BES_CRITICAL_SYSTEMS string with a regular expression matching the BES critical systems you want to monitor.

NERC - Freak Attack Vulnerability Detected (CIP-007 R4.2.1)
    Triggers when a FREAK attack vulnerability is detected.

NERC - GHOST glibc library Vulnerability Detected (CIP-007 R4.2.1)
    Triggers when a GHOST glibc library vulnerability is detected.

NERC - Heartbleed Vulnerability Detected (CIP-007 R4.2.1)
    Triggers when a Heartbleed vulnerability is detected.
NERC - Microsoft Schannel Vulnerability Detected (CIP-007 R4.2.1)
    Triggers when a Microsoft Schannel vulnerability is detected.

NERC - POODLE Vulnerability Detected (CIP-007 R4.2.1)
    Triggers when a POODLE vulnerability is detected.

NERC - Shellshock Vulnerability Detected (CIP-007 R4.2.1)
    Triggers when a Shellshock vulnerability is detected.

NERC-008 Alerts

NERC - Suspicious Events (CIP-008 R1.1 / CIP-007 R4.2.1)
    Triggers when events are categorized as suspicious behavior, hostile behavior, or a compromise.

NERC-010 Alerts

NERC - BES Cyber Systems with Vulnerabilities (CIP-010 R3.1)
    Triggers when a vulnerability is detected on BES Cyber Systems.
    Configuration: in dst=BES_ADDRESSES, replace the BES_ADDRESSES string with a regular expression that specifies the range of IP addresses of the machines in the BES Cyber Systems. For example, the following could be specified in the Query Terms field:
        dst=(172\.168\.(1[6-9]|2[0-9]|3[0-1])\.)
    This regular expression matches addresses from 172.168.16.0 through 172.168.31.255.

NERC - Firewall Configuration Changes (CIP-010 R2.1/R1.1)
    Triggers when changes to a firewall's configuration file are reported.
NERC - Windows Domain Policy Changed (CIP-010 R2.1/R1.1)
    Triggers when a change to Windows Domain Policy is detected.

NERC - Microsoft Audit Log Cleared (CIP-010 R2.1/R1.1)
    Triggers when the Microsoft audit log is cleared.

NERC - Network Equipment Configuration Changes (CIP-010 R2.1/R1.1)
    Triggers when changes to a network device's configuration file are reported.

NERC - Operating System Configuration Changes (CIP-010 R2.1/R1.1)
    Triggers when changes to the operating system are reported.

NERC - VPN Configuration Changes (CIP-010 R2.1/R1.1)
    Triggers when changes to the VPN are reported.

NERC - Vulnerability with High CVSS Score on BES Cyber Systems (CIP-010 R3.1)
    Triggers when a vulnerability with a high CVSS score is detected on BES Cyber Systems.
    Configuration: in dst=BES_ADDRESSES, replace the BES_ADDRESSES string with a regular expression that specifies the range of IP addresses of the machines in the BES Cyber Systems. For example, the following could be specified in the Query Terms field:
        dst=(172\.168\.(1[6-9]|2[0-9]|3[0-1])\.)
    This regular expression matches addresses from 172.168.16.0 through 172.168.31.255.

NERC - New Process (CIP-010 R2.1 | R1.1)
    Triggers when a new process is created on the system.
    Configuration: in dhost=HOST_NAME, replace the HOST_NAME string with a regular expression that specifies the host names you want to monitor. In dproc=PROCESS_NAME, replace the PROCESS_NAME string with a regular expression that specifies the process names you want to monitor.

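The dst= pattern quoted in the BES Cyber Systems alert configurations above (and in the CIP-007 "Failed User Logins on BES Cyber Systems" alert) is worth verifying before it is pasted into a Query Terms field: an octet-range regular expression that is off by one silently drops hosts from monitoring. The following Python is an added example, not part of the guide. It sweeps every possible third octet through constructed events, compares what the guide's pattern matches against the 172.168.16.0/20 network as computed by the standard ipaddress module, and builds an equivalent (if longer) term for any network between /16 and /24. It assumes Logger applies a Query Term as an unanchored regular expression over the raw event text.

```python
import ipaddress
import re

# Query Term from the guide's BES Cyber Systems alert configurations, reproduced verbatim.
DOC_BES_TERM = r"dst=(172\.168\.(1[6-9]|2[0-9]|3[0-1])\.)"


def third_octet_term(network: str, field: str = "dst") -> str:
    """Build a Logger-style address term for a network with fixed first two octets (/16 to /24).

    Every in-range third octet is spelled out (compact forms such as 2[0-9] are left to the
    operator) and the trailing \\. is kept so that 172.168.16. cannot match 172.168.160.x.
    """
    net = ipaddress.IPv4Network(network, strict=True)
    if not 16 <= net.prefixlen <= 24:
        raise ValueError("this helper handles networks between /16 and /24")
    first, last = net.network_address.packed, net.broadcast_address.packed
    octets = "|".join(str(o) for o in range(first[2], last[2] + 1))
    return rf"{field}=({first[0]}\.{first[1]}\.({octets})\.)"


def matched_third_octets(term: str, prefix: str = "172.168") -> list:
    """Sweep the third octet 0..255 through constructed events and return the values the term hits."""
    rx = re.compile(term)
    # Constructed event text; only the dst= field matters for the check.
    return [o for o in range(256) if rx.search(f"src=10.9.9.9 dst={prefix}.{o}.1 dpt=502")]


def covers_exactly(term: str, network: str) -> bool:
    """True when the term matches precisely the third octets that lie inside the network."""
    net = ipaddress.IPv4Network(network)
    prefix = ".".join(str(b) for b in net.network_address.packed[:2])
    expected = [o for o in range(256) if ipaddress.IPv4Address(f"{prefix}.{o}.1") in net]
    return matched_third_octets(term, prefix) == expected


if __name__ == "__main__":
    hits = matched_third_octets(DOC_BES_TERM)
    print(f"guide pattern matches third octets {hits[0]}..{hits[-1]} ({len(hits)} values)")
    print("covers 172.168.16.0/20 exactly:", covers_exactly(DOC_BES_TERM, "172.168.16.0/20"))
    print("generated term:", third_octet_term("172.168.16.0/20"))
```

covers_exactly() is the check to run after editing a range: it fails both when the pattern misses hosts inside the network and when it matches hosts outside it. third_octet_term() produces a correct but verbose alternation; if you hand-compress it into forms like 1[6-9]|2[0-9]|3[0-1], run covers_exactly() again on the result.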
Chapter 6: NERC Resources
Logger CIP for NERC provides alerts, queries, reports, and dashboards.

Alerts
Alerts monitor incoming events in real time and notify analysts when events of interest
are detected. All NERC alerts are disabled by default.
You can view the list of NERC alerts by selecting Configuration on the top-level menu
bar, and then clicking Realtime Alerts in the Data section. To enable an alert, click the
Disabled icon.
Alerts are described under "NERC Alerts" on page 42.
For information about creating alert destinations and sending notifications, see the
ArcSight Logger Administrator's Guide.

Queries
NERC queries are invoked by the NERC reports and have names similar to those of the reports themselves. You can view the queries by clicking Reports on the top-level menu bar, and then clicking Query Explorer in the Navigation section. For information on configuring queries, see the ArcSight Logger Administrator's Guide.
Queries are not described in this guide.

Dashboards
The dashboards provide a quick, high-level overview of the compliance status of different controls in the organization, in various chart formats, to help you demonstrate appropriate risk management and monitoring practices. You can view the dashboards by clicking Dashboards on the top-level menu bar.
Dashboards are described under "NERC Dashboards" on page 51.

Reports
NERC reports consist of the following:

- Standard Reports
NERC standard reports are optimized to provide information that can be used to
satisfy monitoring and reporting requirements of NERC. You can view the NERC
standard reports by clicking Reports on the top-level menu bar, and then clicking
Report Explorer in the Navigation section. Each standard report has a SQL query
associated with it that queries the database for the specified conditions. Certain
reports prompt you to provide site-specific information at run time; this information is
passed from the report to the query via parameters. Some queries contain default
values, which you can customize to match conditions relevant to your environment.
- Drill-down Reports
Some standard reports are enabled with additional investigative links that drill down to
other reports and provide a different perspective about the behavior of an item on the
network. For example, drilling down can provide more detail or generate a higher level
overview about a certain event. Some drill-down reports are designed to be accessed
by reference only from the reports that provide special hyperlinks to them. Other drill-
down reports are top-level reports called entry drill-downs. Run these entry drill-downs
first and use them to drill down to the other drill-down reports to avoid generating
reports with a large number of pages. During an investigation, however, you might
want to run a drill-down report directly; for example, to investigate a specific host or
event name.
Reports are described under "NERC Reports" on page 25.
For information about running, formatting, publishing, and scheduling reports, see the
ArcSight Logger Administrator's Guide.

Chapter 7: NERC Dashboards

NERC CIP-002 Asset Creations and Modifications Dashboard

1. Created Assets per Day (Column chart; CIP-002 R2 2.1)
   Saved search: NERC - Created Assets per Day
   Shows asset creation events for the last 7 days.

2. Top Modified Assets (Column chart; CIP-002 R2 2.1)
   Saved search: NERC - Top Modified Assets
   Shows the top modified assets for the last day.

3. Modified Assets per Day (Column chart; CIP-002 R2 2.1)
   Saved search: NERC - Modified Assets per Day
   Shows the asset modification events for the last 7 days, grouped by day.

NERC CIP-004 Personnel Security Dashboard

1. Top Anonymous User Activity by User (Column chart; CIP-004 R3.1)
   Saved search: NERC - Anonymous User Activity
   Shows the top anonymous user activity events, by user.

2. Top Users Authorization Changes (Column chart; CIP-004 R4.1)
   Saved search: NERC - Top Users Authorization Changes
   Shows the top user authorization change events, by user.

3. Last 20 Terminated Users (Table; CIP-004 R5)
   Saved search: NERC - Last 20 Terminated Users
   Shows the last 20 terminated users.

4. Top Anonymous User Activity by IP Address (Column chart; CIP-004 R3.1)
   Saved search: NERC - Top Anonymous User Activity by IP Address
   Shows the top anonymous user activity, by IP address.

NERC CIP-005 Network Communications Dashboard

1. Top Traffic to Public Addresses by Destination Address (Column chart; CIP-005 R1.1)
   Saved search: NERC - Top Traffic to Public Addresses by Destination Address
   Shows the top traffic to public addresses, by destination address.
2. Top Traffic to Public Addresses by Source Address (Column chart; CIP-005 R1.1)
   Saved search: NERC - Top Traffic to Public Addresses by Source Address
   Shows the top traffic to public addresses, by source address.

3. Blocked Firewall Events per Day (Column chart; CIP-005 R1.3)
   Saved search: NERC - Blocked Firewall Events per Day
   Shows all blocked firewall events per day.

4. Top Traffic to Public Addresses by Network Device (Column chart; CIP-005 R1.1)
   Saved search: NERC - Top Traffic to Public Addresses by Network Device
   Shows the top traffic to public addresses, by network device.

NERC CIP-005 Network Attacks Dashboard

1. Top Redirection Attacks Events (Column chart; CIP-005 R1.5)
   Saved search: NERC - Top Redirection Attacks Events
   Shows the top redirection attack events.

2. Covert Channel Activity Events (Column chart; CIP-005 R1.5)
   Saved search: NERC - Covert Channel Activity
   Shows the top covert channel events.

3. Top Interception Events (Column chart; CIP-005 R1.5)
   Saved search: NERC - Top Interception Events
   Shows the top interception events.

4. Top Email Attacks Events (Column chart; CIP-005 R1.5)
   Saved search: NERC - Top Email Attacks Events
   Shows the top email attack events.

NERC CIP-005 Traffic Anomaly Dashboard

1. Top Network Layer Anomaly Events (Column chart; CIP-005 R1.5)
   Saved search: NERC - Top Network Layer Anomaly Events
   Shows the top network layer anomaly events.

2. Top Transport Layer Anomaly Events (Column chart; CIP-005 R1.5)
   Saved search: NERC - Top Transport Layer Anomaly Events
   Shows the top transport layer anomaly events.

3. Top Application Layer Anomaly Events (Column chart; CIP-005 R1.5)
   Saved search: NERC - Top Application Layer Anomaly Events
   Shows the top application layer anomaly events.

4. Network Anomaly Events per Hour (Last 7 Days) (Column chart; CIP-005 R1.5)
   Saved search: NERC - Network Anomaly Events per Hour
   Shows all network anomaly events per hour.
NERC CIP-006 Physical Security Activity Dashboard

1. Failed Physical Facility Access Attempts at 15 Minute Intervals (Past Day) (Column chart; CIP-006 1.6/1.1)
   Saved search: NERC - Failed Physical Facility Access Attempts
   Shows all failed physical facility access attempts at 15-minute intervals for the past day.

2. Top Physical Access Event Reporting Devices (Past Day) (Column chart; CIP-006 1.6)
   Saved search: NERC - Physical Access Event Reporting Devices
   Shows the top devices reporting physical access events.

3. Top Failed Physical Facility Access Users (Past Day) (Column chart; CIP-006 1.6/1.1)
   Saved search: NERC - Top Failed Physical Facility Access Users
   Shows the top users who most frequently failed to gain physical access.

4. Last 5 Failed Physical Facility Access Attempts (Past Day) (Table; CIP-006 1.6/1.1)
   Saved search: NERC - Last Failed Physical Facility Access Attempts
   Shows the last 5 failed physical facility access attempts for the past day.

NERC CIP-007 Ports Dashboard

1. Top Addresses Serving Ports (Column chart; CIP-007 1.1)
   Saved search: NERC - Top Open Ports by Address
   Shows the top addresses serving ports.

2. Top Unsecured Ports (Pie chart; CIP-007 1.1)
   Saved search: NERC - Top Unsecured Ports
   Shows the top unsecured ports.

3. Top Addresses Serving Unsecured Ports (Column chart; CIP-007 R1.1)
   Saved search: NERC - Top Addresses Serving Unsecured Ports
   Shows the top addresses that are serving unsecured ports.

4. Top Dynamic Ports (Pie chart; CIP-007 1.1)
   Saved search: NERC - Top Dynamic Ports
   Shows the top dynamic ports.
NERC CIP-007 Anti-Virus Activity Dashboard

1. Top Anti-Virus Disabled Events by Host (Column chart; CIP-007 R3.3)
   Saved search: NERC - Top Anti-Virus Disabled Events by Host
   Shows the top anti-virus disabled events, by host.

2. Top Failed Anti-Virus Updates by Host (Column chart; CIP-007 R3.3)
   Saved search: NERC - Top Failed Anti-Virus updates by Host
   Shows the top failed anti-virus updates, by host.

3. Anti-Virus Clean or Quarantine Attempt Events per Hour (Line chart; CIP-007 R3.1)
   Saved search: NERC - Anti-Virus Clean or Quarantine Attempt
   Shows all anti-virus clean or quarantine attempt events per hour.

4. Top Hosts Attacked by Viruses (Column chart; CIP-007 R3.1)
   Saved search: NERC - Top Hosts Attacked by Viruses
   Shows the top hosts attacked by viruses.

NERC CIP-007 Login Activity Dashboard

1. Top Failed User Login by System (Column chart; CIP-007 R4.1.2)
   Saved search: NERC - Top Failed User Login by System
   Shows the top failed user logins, by system.

2. Top Failed User Logins by User (Column chart; CIP-007 R4.1.2)
   Saved search: NERC - Top Failed User Logins by User
   Shows the top failed user logins, by user.

3. Infrequent Successful User Access (Line chart; CIP-007 R4.1.1)
   Saved search: NERC - Rare Successful User Accesses
   Shows all rare successful user accesses.

4. Top Failed Administrative Logins Events (Column chart; CIP-007 R4.1.2)
   Saved search: NERC - Top Failed Administrative Logins Events
   Shows the top failed administrative login events, by name.

NERC CIP-007 Malicious Code Activity Dashboard

1. Malicious Malware Activity by the Hour (Line chart; CIP-007 R4.2/3.1)
   Saved search: NERC - Malicious Malware Activity by the Hour
   Shows malicious malware activity by the hour.

2. Worm Infected Systems by the Hour (Line chart; CIP-007 R4.2/3.1)
   Saved search: NERC - Worm Infected Systems by the Hour
   Shows worm-infected systems, sorted by hour.
3. Top Worm Infected Systems by Address (Column chart; CIP-007 R4.2/3.1)
   Saved search: NERC - Top Worm Infected Systems Events
   Shows the top worm-infected system events, sorted by address.

4. Top Worm Infected Systems Events (Column chart; CIP-007 R4.1.2)
   Saved search: NERC - Top Worm Infected Systems Events
   Shows the top worm-infected system events, sorted by name.

NERC CIP-008 Incident Response Dashboard

1. Top Attacked Hosts (Column chart; CIP-008 R1.1)
   Saved search: NERC - Top Attacked Hosts
   Shows the top attacked hosts.

2. Top Attackers (Column chart; CIP-008 R1.1)
   Saved search: NERC - Top Attackers
   Shows the top attackers.

3. Top Attack Events (Column chart; CIP-008 R1.1)
   Saved search: NERC - Top Attack Events
   Shows the top attack events.

4. Attack Events per hour (Column chart; CIP-008 R1.1)
   Saved search: NERC - Attack Events per hour
   Shows attack events for each hour.

NERC CIP-010 Configuration Changes Dashboard

1. Top Firewall Configuration Change Events (Column chart; CIP-010 R2.1/R1.1)
   Saved search: NERC - Firewall Configuration Changes
   Shows the top firewall configuration change events.

2. Top Network Equipment Configuration Change Events (Column chart; CIP-010 R2.1/R1.1)
   Saved search: NERC - Network Equipment Configuration Changes
   Shows the top network equipment configuration change events.

3. Top VPN Configuration Change Events (Column chart; CIP-010 R2.1/R1.1)
   Saved search: NERC - VPN Configuration Changes
   Shows the top VPN configuration change events.

4. Top Application Configuration Change Events (Column chart; CIP-010 R2.1/R1.1)
   Saved search: NERC - Application Configuration Changes
   Shows the top application configuration change events.
NERC CIP-010 Vulnerability Overview Dashboard

1. Top IP Addresses with CVSS Score Vulnerabilities of 4 or More (Past 30 Days) (Column chart; CIP-010 R3.1)
   Saved search: NERC - Top IP Addresses with CVSS Score Vulnerabilities of 4 or More
   Shows the top IP addresses with vulnerabilities whose CVSS score is greater than or equal to 4.

2. Top Critical Vulnerability Events by CVE, CVSS, and Destination Address (Past 7 Days) (Column chart; CIP-010 R3.1)
   Saved search: NERC - Top Critical CVEs
   Shows the top critical vulnerability events by CVE, CVSS, and destination address for the past 7 days.

3. Vulnerability Scanner Events by Device Vendor (Past 3 Days) (Pie chart; CIP-010 R3.1)
   Saved search: NERC - Vulnerability Scanner Events per Device Vendor
   Shows vulnerability scanner events by device vendor for the past 3 days.

4. Top Vulnerability Events by Vendor Signature (Past 14 Days) (Column chart; CIP-010 R3.1)
   Saved search: NERC - Top Vulnerability Events by Vendor Signature
   Shows the top vulnerability events by vendor signature for the last 14 days.

NERC CIP-010 Vulnerability Types (Top Addresses) Dashboard

1. Top Vulnerable Addresses to Overflow Vulnerabilities (Column chart; CIP-010 R3.1)
   Saved search: NERC - Top Vulnerable Addresses to Overflow Vulnerabilities
   Shows the top addresses that are vulnerable to overflow attacks.

2. Top Vulnerable Addresses to CSRF Vulnerabilities (Column chart; CIP-010 R3.1)
   Saved search: NERC - Top Vulnerable Addresses to CSRF Vulnerabilities
   Shows the top addresses that are vulnerable to CSRF (cross-site request forgery) attacks.

3. Top Vulnerable Addresses to XSS Vulnerabilities (Column chart; CIP-010 R3.1)
   Saved search: NERC - Top Vulnerable Addresses to XSS Vulnerabilities
   Shows the top addresses that are vulnerable to XSS attacks.

4. Top Vulnerable Addresses to SSL Vulnerabilities (Column chart; CIP-010 R3.1)
   Saved search: NERC - Top Vulnerable Addresses to SSL Vulnerabilities
   Shows the top addresses that are vulnerable to SSL attacks.

NERC CIP-010 Vulnerability Types (Per Month) Dashboard

Panel 1: Overflow Vulnerabilities per Month
  Saved Search: NERC - Overflow Vulnerabilities per Month
  Description: Shows overflow vulnerabilities by month.
  Type: Line
  Requirement ID: R3.1

Panel 2: CSRF Vulnerabilities per Month
  Saved Search: NERC - CSRF Vulnerabilities per Month
  Description: Shows CSRF vulnerabilities by month.
  Type: Line
  Requirement ID: R3.1

Panel 3: SSL Vulnerabilities per Month
  Saved Search: NERC - SSL Vulnerabilities per Month
  Description: Shows SSL vulnerabilities by month.
  Type: Line
  Requirement ID: R3.1

Panel 4: XSS Vulnerabilities per Month
  Saved Search: NERC – XSS Vulnerabilities per Month
  Description: Shows XSS vulnerabilities by month.
  Type: Column
  Requirement ID: R3.1
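To make concrete what the CIP-010 vulnerability panels above aggregate, here is an added example that is not part of the Logger content package: a small Python script that runs over a handful of constructed scanner events and computes the same groupings the Vulnerability Overview, Vulnerability Types (Top Addresses) and Vulnerability Types (Per Month) dashboards describe. The event field names (endTime, deviceVendor, destinationAddress, cve, cvss, name), the keyword rules used to classify a finding as overflow, CSRF, XSS or SSL, and the 9.0 CVSS threshold for "critical" are assumptions, not the package's saved-search definitions; the CVE ids and addresses are placeholders.

```python
"""Constructed re-creation of the NERC CIP-010 vulnerability dashboard aggregations.
Added example; not the content package's saved searches. The field names
(endTime, deviceVendor, destinationAddress, cve, cvss, name) are assumptions
modelled on ArcSight CEF naming, not the package's fieldset."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

NOW = datetime(2018, 6, 30)  # fixed clock so the rolling windows are reproducible

# Constructed scanner events; CVE ids and addresses are placeholders, not real advisories.
EVENTS = [
    {"endTime": datetime(2018, 6, 29), "deviceVendor": "VendorA", "destinationAddress": "10.0.0.5",
     "cve": "CVE-0000-0001", "cvss": 9.8, "name": "Buffer overflow in service X"},
    {"endTime": datetime(2018, 6, 28), "deviceVendor": "VendorA", "destinationAddress": "10.0.0.5",
     "cve": "CVE-0000-0002", "cvss": 7.5, "name": "Cross-site scripting (XSS) in web console"},
    {"endTime": datetime(2018, 6, 27), "deviceVendor": "VendorB", "destinationAddress": "10.0.0.7",
     "cve": "CVE-0000-0003", "cvss": 3.1, "name": "Information disclosure in banner"},
    {"endTime": datetime(2018, 6, 20), "deviceVendor": "VendorB", "destinationAddress": "10.0.0.7",
     "cve": "CVE-0000-0004", "cvss": 6.1, "name": "Cross-site request forgery in admin page"},
    {"endTime": datetime(2018, 6, 10), "deviceVendor": "VendorA", "destinationAddress": "10.0.0.9",
     "cve": "CVE-0000-0005", "cvss": 5.3, "name": "SSL/TLS weak cipher suites enabled"},
    {"endTime": datetime(2018, 5, 15), "deviceVendor": "VendorA", "destinationAddress": "10.0.0.5",
     "cve": "CVE-0000-0001", "cvss": 9.8, "name": "Buffer overflow in service X"},
    {"endTime": datetime(2018, 6, 5), "deviceVendor": "VendorC", "destinationAddress": "10.0.0.11",
     "cve": "CVE-0000-0006", "cvss": 4.0, "name": "Stack overflow in parser"},
    {"endTime": datetime(2018, 6, 29), "deviceVendor": "VendorB", "destinationAddress": "10.0.0.9",
     "cve": "CVE-0000-0007", "cvss": 9.1, "name": "Heap overflow in HMI firmware"},
]

# Keyword rules standing in for the four vulnerability-type saved searches (assumption).
TYPE_KEYWORDS = {
    "overflow": ("overflow",),
    "csrf": ("csrf", "cross-site request forgery"),
    "xss": ("xss", "cross-site scripting"),
    "ssl": ("ssl", "tls"),
}


def classify_vulnerability(name):
    """Map a scanner finding name to one of the dashboard's four types, or None."""
    lowered = name.lower()
    for vtype, keywords in TYPE_KEYWORDS.items():
        if any(k in lowered for k in keywords):
            return vtype
    return None


def in_window(event, days, now=NOW):
    """True when the event falls inside the trailing window of `days` days."""
    return event["endTime"] >= now - timedelta(days=days)


def ranked(counter):
    """Highest count first; ties broken by key so the output is deterministic."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))


def top_addresses_with_cvss(events, min_score=4.0, days=30, now=NOW):
    """Overview panel 1: addresses with findings scoring >= 4 in the past 30 days."""
    hits = Counter(e["destinationAddress"] for e in events
                   if e["cvss"] >= min_score and in_window(e, days, now))
    return ranked(hits)


def top_critical_by_cve(events, days=7, critical=9.0, now=NOW):
    """Overview panel 2: (CVE, CVSS, address) for critical findings in the past 7 days.
    The 9.0 threshold is an assumption (the CVSS v3 'Critical' band)."""
    hits = Counter((e["cve"], e["cvss"], e["destinationAddress"]) for e in events
                   if e["cvss"] >= critical and in_window(e, days, now))
    return sorted(hits.items(), key=lambda kv: (-kv[1], -kv[0][1]))


def scanner_events_by_vendor(events, days=3, now=NOW):
    """Overview panel 3: scanner event count per device vendor in the past 3 days."""
    return Counter(e["deviceVendor"] for e in events if in_window(e, days, now))


def top_vulnerable_addresses(events, vtype):
    """Vulnerability Types (Top Addresses): addresses per type; the page states no window."""
    hits = Counter(e["destinationAddress"] for e in events
                   if classify_vulnerability(e["name"]) == vtype)
    return ranked(hits)


def vulnerabilities_per_month(events, vtype):
    """Vulnerability Types (Per Month): finding count per YYYY-MM for one type."""
    months = defaultdict(int)
    for e in events:
        if classify_vulnerability(e["name"]) == vtype:
            months[e["endTime"].strftime("%Y-%m")] += 1
    return dict(sorted(months.items()))


if __name__ == "__main__":
    print("Top addresses, CVSS >= 4, 30d:", top_addresses_with_cvss(EVENTS))
    print("Critical CVEs, 7d:", top_critical_by_cve(EVENTS))
    print("Scanner events by vendor, 3d:", scanner_events_by_vendor(EVENTS))
    for vtype in TYPE_KEYWORDS:
        print(vtype, top_vulnerable_addresses(EVENTS, vtype),
              vulnerabilities_per_month(EVENTS, vtype))
```

The script pins "now" to a fixed date so the 30-, 7- and 3-day windows give the same answer on every run; when adapting this to live data, replace NOW with the current time and the placeholder field names with whatever your scanner connector actually populates. Note that the CVSS >= 4 panel counts findings, not distinct CVEs, so a host that is rescanned inside the window is counted once per scan.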

Chapter 8: Additional Information
The dashboard and reports included in the Brute Force Content Package make use of
the following queries, filters, and fieldset.

Queries
The Logger Brute Force Detection Attack Content Package includes queries for each
report discussed under "NERC Reports" on page 25. You can view or edit the query
details as needed.

To view or edit query details:

1. In the main menu, click Reports.
2. In the left navigation menu, click Query Explorer.
3. Select Brute Force Attack in the first column.
4. In the second column, double-click the query you wish to view or edit.

For complete details on editing or managing queries, see the Logger Administrator's
Guide.

Filters
These filters are part of the Logger Brute Force Detection Attack Content Package.
• Brute Force Attack - Failed Login Events
• Brute Force Attack - Successful Login Events

To view or edit filter details:

1. On the main menu, click Configuration.
2. Under Search, click Filters.
3. The Brute Force filters are displayed in the list. Click any filter to display its details.

For complete details on editing or managing filters, see the Logger Administrator's Guide.

Fieldset
A single fieldset is part of the Content Package.
• Brute Force Attack Detection


To view or edit fieldset details:

1. On the main menu, click Configuration.
2. Under Search, click Fieldsets.
3. The Brute Force fieldset is displayed in the list, with details.

For complete details on editing or managing fieldsets, see the Logger Administrator's
Guide.

Send Documentation Feedback


If you have comments about this document, you can contact the documentation team by
email. If an email client is configured on this computer, click the link above and an email
window opens with the following information in the subject line:
Feedback on Solutions Guide (Logger CIP for NERC 1.01)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail
client, and send your feedback to [email protected].
We appreciate your feedback!
