TIBCO LogLogic Reports and Alerts Quick Reference

The following table lists the reports and alerts included in the LogLogic® Compliance Suite - NERC Edition.

Each entry below gives the implementation specification, its description, and the TIBCO LogLogic reports and alerts mapped to it.

CIP-003-1
CIP-003-1 R3.2
Documented exceptions to the cyber security policy must include an explanation as to why the exception is necessary and any compensating measures.

Compliance Suite Reports

NERC: Escalated Privilege Activities on Servers

Compliance Suite Alerts

NERC: UNIX Privilege Escalated

CIP-003-1 R5.2
The Responsible Entity shall review at least annually the access privileges to protected information to confirm that access privileges are correct and that they correspond with the Responsible Entity's needs and appropriate personnel roles and responsibilities.

Compliance Suite Reports

NERC: Account Activities on UNIX Servers

NERC: Account Activities on Windows Servers

NERC: Accounts Changed on NetApp Filer

NERC: Accounts Changed on TIBCO Administrator

NERC: Accounts Changed on TIBCO ActiveMatrix Administrator

NERC: Accounts Changed on UNIX Servers

NERC: Accounts Changed on Windows Servers

NERC: Accounts Created on NetApp Filer

NERC: Accounts Created on NetApp Filer Audit

NERC: Accounts Created on Sidewinder

NERC: Accounts Created on Symantec Endpoint Protection

NERC: Accounts Created on TIBCO Administrator

NERC: Accounts Created on TIBCO ActiveMatrix Administrator

NERC: Accounts Created on UNIX Servers

NERC: Accounts Created on Windows Servers

NERC: Accounts Deleted on NetApp Filer

NERC: Accounts Deleted on NetApp Filer Audit

NERC: Accounts Deleted on Symantec Endpoint Protection

NERC: Accounts Deleted on TIBCO Administrator

NERC: Accounts Deleted on TIBCO ActiveMatrix Administrator

NERC: Accounts Deleted on Sidewinder

NERC: Accounts Deleted on UNIX Servers

NERC: Accounts Deleted on Windows Servers

NERC: Cisco ISE, ACS Accounts Created

NERC: Cisco ISE, ACS Accounts Removed

NERC: DB2 Database Successful Logins

NERC: ESX Accounts Activities

NERC: ESX Accounts Created

NERC: ESX Accounts Deleted

NERC: ESX Logins Succeeded

NERC: F5 BIG-IP TMOS Login Successful

NERC: Guardium SQL Guard Audit Logins

NERC: Guardium SQL Guard Logins

NERC: HP NonStop Audit Login Successful

NERC: LogLogic DSM Logins

NERC: LogLogic Management Center Account Activities

NERC: LogLogic Management Center Login

NERC: Microsoft Operations Manager - Windows Accounts Activities

NERC: Microsoft Operations Manager - Windows Accounts Changed

NERC: Microsoft Operations Manager - Windows Accounts Created

NERC: Microsoft Operations Manager - Windows Accounts Enabled

NERC: Microsoft SQL Server Database Successful Logins

NERC: NetApp Filer Audit Accounts Enabled

NERC: NetApp Filer Audit Group Members Added

NERC: NetApp Filer Audit Group Members Deleted

NERC: NetApp Filer Audit Login Successful

NERC: NetApp Filer Login Successful

NERC: Oracle Database Successful Logins

NERC: RACF Accounts Created

NERC: RACF Accounts Deleted

NERC: RACF Accounts Modified

NERC: RACF Successful Logins

NERC: Successful Logins

NERC: Sybase ASE Successful Logins

NERC: TIBCO ActiveMatrix Administrator Successful Logins

NERC: vCenter Successful Logins

NERC: vCloud Successful Logins

NERC: vCloud User Created

NERC: vCloud User Deleted or Removed

NERC: Windows Accounts Enabled

NERC: Windows Accounts Locked

NERC: Windows Group Members Added

NERC: Windows Group Members Deleted

Compliance Suite Alerts

NERC: Accounts Created

NERC: Accounts Deleted

NERC: Accounts Enabled

NERC: Accounts Locked

NERC: Accounts Modified

NERC: Group Members Added

NERC: Group Members Deleted

NERC: Guardium SQL Guard Logins

NERC: Logins Succeeded

NERC: LogLogic DSM Logins

NERC: vCenter User Login Successful

NERC: vCloud Director Login Success

NERC: vCloud User Created

NERC: Windows Group Members Added

NERC: Windows Group Members Deleted

CIP-003-1 R5.3
The Responsible Entity shall assess and document at least annually the processes for controlling access privileges to protected information.

Compliance Suite Reports

NERC: Check Point Configuration Changes

NERC: Cisco ISE, ACS Configuration Changes

NERC: Cisco PIX, ASA, FWSM Failover Disabled

NERC: Cisco PIX, ASA, FWSM Failover Performed

NERC: Cisco PIX, ASA, FWSM Policy Changed

NERC: Cisco PIX, ASA, FWSM Restarted

NERC: Cisco Switch Policy Changes

NERC: DB2 Database Failed Logins

NERC: DB2 Database Configuration Changes

NERC: ESX Failed Logins

NERC: ESX Logins Failed Unknown User

NERC: F5 BIG-IP TMOS Login Failed

NERC: Failed Logins

NERC: Guardium SQL Guard Audit Configuration Changes

NERC: Guardium SQL Guard Configuration Changes

NERC: HP NonStop Audit Configuration Changes

NERC: HP NonStop Audit Login Failed

NERC: HP NonStop Audit Object Changes

NERC: i5/OS Audit Configuration Changes

NERC: i5/OS System Management Changes

NERC: i5/OS User Profile Creation, Modification, or Restoration

NERC: Juniper Firewall HA State Changed

NERC: Juniper Firewall Policy Changed

NERC: Juniper Firewall Policy Out of Sync

NERC: LogLogic DSM Configuration Changes

NERC: LogLogic Universal Collector Configuration Changes

NERC: Microsoft Sharepoint Policy Add, Remove, or Modify

NERC: Microsoft SQL Server Configuration Changes

NERC: Microsoft SQL Server Database Failed Logins

NERC: NetApp Filer Audit Login Failed

NERC: NetApp Filer Login Failed

NERC: Oracle Database Configuration Changes

NERC: Oracle Database Failed Logins

NERC: RACF Failed Logins

NERC: Sidewinder Configuration Changes

NERC: Sybase ASE Database Configuration Changes

NERC: Sybase ASE Failed Logins

NERC: Symantec Endpoint Protection Configuration Changes

NERC: TIBCO ActiveMatrix Administrator Failed Logins

NERC: vCenter Change Attributes

NERC: vCenter Failed Logins

NERC: vCenter Modify Firewall Policy

NERC: vCenter Orchestrator Change Attributes

NERC: vCenter Orchestrator Failed Logins

NERC: vCenter Orchestrator vSwitch Added, Changed or Removed

NERC: vCenter Resource Usage Change

NERC: vCenter vSwitch Added, Changed or Removed

NERC: vCloud Failed Logins

NERC: vShield Edge Configuration Changes

Compliance Suite Alerts

NERC: Check Point Policy Changed

NERC: Cisco ISE, ACS Configuration Changed

NERC: System Restarted

NERC: Cisco PIX, ASA, FWSM Failover Disabled

NERC: Cisco PIX, ASA, FWSM Failover Performed

NERC: Cisco PIX, ASA, FWSM Logon Failure

NERC: Cisco PIX, ASA, FWSM Logon Success

NERC: Cisco PIX, ASA, FWSM Policy Changed

NERC: Cisco PIX, ASA, FWSM Shun Added

NERC: Cisco PIX, ASA, FWSM Shun Deleted

NERC: Cisco Switch Card Insert

NERC: Cisco Switch Device Reload

NERC: Cisco Switch Device Restart

NERC: Cisco Switch HA Failure (ver)

NERC: Cisco Switch Interface Change

NERC: Cisco Switch Interface Down

NERC: Cisco Switch Interface Up

NERC: Cisco Switch Policy Changed

NERC: DB2 Database Configuration Change

NERC: Disallowed Services

NERC: DNS Server Shutdown

NERC: DNS Server Started

NERC: Excessive IDS Attack

NERC: Guardium SQL Guard Config Changes

NERC: HP NonStop Audit Configuration Changed

NERC: Juniper Firewall HA State Change

NERC: Juniper Firewall Logon Failure

NERC: Juniper Firewall Logon Success

NERC: Juniper Firewall Policy Changes

NERC: Juniper Firewall Policy Out of Sync

NERC: Juniper Firewall Peer Missing

NERC: Juniper Firewall System Reset

NERC: Logins Failed

NERC: LogLogic DSM Configuration Changes

NERC: LogLogic Universal Collector Configuration Changed

NERC: Microsoft Sharepoint Policies Added, Removed, Modified

NERC: NetApp Authentication Failure

NERC: NetApp Bad File Handle

NERC: NetApp Bootblock Update

NERC: NetApp Filer Disk Failure

NERC: NetApp Filer File System Full

NERC: NetApp Filer Disk Inserted

NERC: NetApp Filer Disk Pulled

NERC: NetApp Filer Snapshot Error

NERC: NetApp Filer Unauthorized Mounting

NERC: Oracle Database Configuration Change

NERC: Policy Violation

NERC: Sidewinder Configuration Changed

NERC: Sybase ASE Database Config Changes

NERC: Symantec Endpoint Protection Configuration Changed

NERC: Symantec Endpoint Protection Policy Add, Delete, Modify

NERC: System Anomalies

NERC: UNIX Groups Added

NERC: UNIX Groups Deleted

NERC: UNIX Groups Modified

NERC: vCenter Firewall Policy Change

NERC: vCenter Orchestrator Login Failed

NERC: vCenter Orchestrator vSwitch Add, Modify or Delete

NERC: vCenter User Login Failed

NERC: vCenter vSwitch Add, Modify or Delete

NERC: vCloud Director Login Failed

NERC: vCloud User, Group, or Role Modified

NERC: vShield Edge Configuration Change

CIP-003-1 R6
Change Control and Configuration Management. The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document all entity- or vendor-related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process.

Compliance Suite Reports

NERC: Check Point Configuration Changes

NERC: Cisco ISE, ACS Configuration Changes

NERC: Cisco PIX, ASA, FWSM Failover Disabled

NERC: Cisco PIX, ASA, FWSM Failover Performed

NERC: Cisco PIX, ASA, FWSM Policy Changed

NERC: Cisco PIX, ASA, FWSM Restarted

NERC: Cisco Switch Policy Changes

NERC: DB2 Database Failed Logins

NERC: DB2 Database Configuration Changes

NERC: ESX Failed Logins

NERC: ESX Logins Failed Unknown User

NERC: F5 BIG-IP TMOS Login Failed

NERC: Failed Logins

NERC: Guardium SQL Guard Audit Configuration Changes

NERC: Guardium SQL Guard Configuration Changes

NERC: HP NonStop Audit Configuration Changes

NERC: HP NonStop Audit Login Failed

NERC: HP NonStop Audit Object Changes

NERC: i5/OS Audit Configuration Changes

NERC: i5/OS System Management Changes

NERC: i5/OS User Profile Creation, Modification, or Restoration

NERC: Juniper Firewall HA State Changed

NERC: Juniper Firewall Policy Changed

NERC: Juniper Firewall Policy Out of Sync

NERC: LogLogic DSM Configuration Changes

NERC: LogLogic Universal Collector Configuration Changes

NERC: Microsoft Sharepoint Policy Add, Remove, or Modify

NERC: Microsoft SQL Server Configuration Changes

NERC: Microsoft SQL Server Database Failed Logins

NERC: NetApp Filer Audit Login Failed

NERC: NetApp Filer Login Failed

NERC: Oracle Database Configuration Changes

NERC: Oracle Database Failed Logins

NERC: RACF Failed Logins

NERC: Sidewinder Configuration Changes

NERC: Sybase ASE Database Configuration Changes

NERC: Sybase ASE Failed Logins

NERC: Symantec Endpoint Protection Configuration Changes

NERC: TIBCO ActiveMatrix Administrator Failed Logins

NERC: vCenter Change Attributes

NERC: vCenter Failed Logins

NERC: vCenter Modify Firewall Policy

NERC: vCenter Orchestrator Change Attributes

NERC: vCenter Orchestrator Failed Logins

NERC: vCenter Orchestrator Virtual Machine Created

NERC: vCenter Orchestrator Virtual Machine Deleted

NERC: vCenter Orchestrator vSwitch Added, Changed or Removed

NERC: vCenter Resource Usage Change

NERC: vCenter Virtual Machine Created

NERC: vCenter Virtual Machine Deleted

NERC: vCenter vSwitch Added, Changed or Removed

NERC: vCloud Failed Logins

NERC: vCloud Organization Created

NERC: vCloud Organization Deleted

NERC: vCloud Organization Modified

NERC: vCloud vApp Created, Modified, or Deleted

NERC: vCloud vDC Created, Modified, or Deleted

NERC: vShield Edge Configuration Changes

Compliance Suite Alerts

NERC: Check Point Policy Changed

NERC: Cisco ISE, ACS Configuration Changed

NERC: System Restarted

NERC: Cisco PIX, ASA, FWSM Failover Disabled

NERC: Cisco PIX, ASA, FWSM Failover Performed

NERC: Cisco PIX, ASA, FWSM Logon Failure

NERC: Cisco PIX, ASA, FWSM Logon Success

NERC: Cisco PIX, ASA, FWSM Policy Changed

NERC: Cisco PIX, ASA, FWSM Shun Added

NERC: Cisco PIX, ASA, FWSM Shun Deleted

NERC: Cisco Switch Card Insert

NERC: Cisco Switch Device Reload

NERC: Cisco Switch Device Restart

NERC: Cisco Switch HA Failure (ver)

NERC: Cisco Switch Interface Change

NERC: Cisco Switch Interface Down

NERC: Cisco Switch Interface Up

NERC: Cisco Switch Policy Changed

NERC: DB2 Database Configuration Change

NERC: Disallowed Services

NERC: DNS Server Shutdown

NERC: DNS Server Started

NERC: Excessive IDS Attack

NERC: Guardium SQL Guard Config Changes

NERC: HP NonStop Audit Configuration Changed

NERC: Juniper Firewall HA State Change

NERC: Juniper Firewall Logon Failure

NERC: Juniper Firewall Logon Success

NERC: Juniper Firewall Policy Changes

NERC: Juniper Firewall Policy Out of Sync

NERC: Juniper Firewall Peer Missing

NERC: Juniper Firewall System Reset

NERC: Logins Failed

NERC: LogLogic DSM Configuration Changes

NERC: LogLogic Universal Collector Configuration Changed

NERC: Microsoft Sharepoint Policies Added, Removed, Modified

NERC: NetApp Authentication Failure

NERC: NetApp Bad File Handle

NERC: NetApp Bootblock Update

NERC: NetApp Filer Disk Failure

NERC: NetApp Filer File System Full

NERC: NetApp Filer Disk Inserted

NERC: NetApp Filer Disk Pulled

NERC: NetApp Filer Snapshot Error

NERC: NetApp Filer Unauthorized Mounting

NERC: Oracle Database Configuration Change

NERC: Policy Violation

NERC: Sidewinder Configuration Changed

NERC: Sybase ASE Database Config Changes

NERC: Symantec Endpoint Protection Configuration Changed

NERC: Symantec Endpoint Protection Policy Add, Delete, Modify

NERC: System Anomalies

NERC: UNIX Groups Added

NERC: UNIX Groups Deleted

NERC: UNIX Groups Modified

NERC: vCenter Create Virtual Machine

NERC: vCenter Delete Virtual Machine

NERC: vCenter Firewall Policy Change

NERC: vCenter Orchestrator Create Virtual Machine

NERC: vCenter Orchestrator Delete Virtual Machine

NERC: vCenter Orchestrator Login Failed

NERC: vCenter Orchestrator vSwitch Add, Modify or Delete

NERC: vCenter User Login Failed

NERC: vCenter vSwitch Add, Modify or Delete

NERC: vCloud Director Login Failed

NERC: vCloud Organization Created

NERC: vCloud Organization Deleted

NERC: vCloud Organization Modified

NERC: vCloud User, Group, or Role Modified

NERC: vCloud vApp Created, Deleted, or Modified

NERC: vCloud vDC Created, Modified, or Deleted

NERC: vShield Edge Configuration Change

CIP-005-1
CIP-005-1 R1.6
The Responsible Entity shall maintain documentation of Electronic Security Perimeter(s), all interconnected Critical and non-critical Cyber Assets within the Electronic Security Perimeter(s), all electronic access points to the Electronic Security Perimeter(s) and the Cyber Assets deployed for the access control and monitoring of these access points.

Compliance Suite Reports

NERC: Active Connections for Cisco ASA

NERC: Active Connections for Cisco FWSM

NERC: Active Connections for Cisco PIX

NERC: Active VPN Connections for Cisco VPN Concentrators

NERC: Active VPN Connections for Nortel Contivity

NERC: Active VPN Connections for RADIUS

NERC: Denied Connections by IP Addresses

NERC: Denied Connections - Cisco Router

NERC: Denied Connections - Cisco IOS

NERC: Denied Connections - Cisco NXOS

NERC: Denied Connections - F5 BIG-IP TMOS

NERC: Denied Connections - Sidewinder

NERC: Denied Connections - VMware vShield

NERC: Denied Inbound Connections - Check Point

NERC: Denied Inbound Connections - Cisco ASA

NERC: Denied Inbound Connections - Cisco FWSM

NERC: Denied Inbound Connections - Cisco PIX

NERC: Denied Inbound Connections - Juniper Firewall

NERC: Denied Outbound Connections - Check Point

NERC: Denied Outbound Connections - Cisco ASA

NERC: Denied Outbound Connections - Cisco FWSM

NERC: Denied Outbound Connections - Cisco PIX

NERC: Denied Outbound Connections - Juniper Firewall

NERC: Files Downloaded via Proxy

NERC: Files Downloaded via Proxy - Blue Coat Proxy

NERC: Files Downloaded via Proxy - Cisco WSA

NERC: Files Downloaded via Proxy - Microsoft IIS

NERC: Files Downloaded via the Web

NERC: Files Downloaded via the Web - F5 BIG-IP TMOS

NERC: Files Downloaded via the Web - Microsoft IIS

NERC: Files Uploaded via Proxy - Microsoft IIS

NERC: Files Uploaded via the Web - Microsoft IIS

NERC: Files Uploaded via Proxy

NERC: Files Uploaded via Proxy - Blue Coat Proxy

NERC: Files Uploaded via Proxy - Cisco WSA

NERC: Files Uploaded via the Web

NERC: Files Uploaded via the Web - F5 BIG-IP TMOS

NERC: Most Active Ports Through Firewall - Check Point

NERC: Most Active Ports Through Firewall - Cisco ASA

NERC: Most Active Ports Through Firewall - Cisco FWSM

NERC: Most Active Ports Through Firewall - Cisco PIX

NERC: Most Active Ports Through Firewall - Fortinet

NERC: Most Active Ports Through Firewall - Juniper Firewall

NERC: Most Active Ports Through Firewall - Nortel

NERC: NetApp Filer Accounts Locked

NERC: Ports Allowed Access - Cisco IOS

NERC: Ports Allowed Access - Cisco Netflow

NERC: Ports Allowed Access - Cisco PIX

NERC: Ports Allowed Access - Check Point

NERC: Ports Allowed Access - Cisco ASA

NERC: Ports Allowed Access - Cisco FWSM

NERC: Ports Allowed Access - F5 BIG-IP TMOS

NERC: Ports Allowed Access - Fortinet

NERC: Ports Allowed Access - Juniper Firewall

NERC: Ports Allowed Access - Juniper JunOS

NERC: Ports Allowed Access - Juniper RT Flow

NERC: Ports Allowed Access - PANOS

NERC: Ports Allowed Access - Sidewinder

NERC: Ports Allowed Access - Nortel

NERC: Ports Allowed Access - VMware vShield

NERC: VPN Denied Connections by Users

NERC: vShield Risky Firewall Traffic

Compliance Suite Alerts

NERC: F5 BIG-IP TMOS Risky Traffic

NERC: vShield Risky Traffic

CIP-005-1 R2.2
At all access points to the Electronic Security Perimeter(s), the Responsible Entity shall enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter, and shall document, individually or by specified grouping, the configuration of those ports and services.

Compliance Suite Reports

NERC: Allowed URLs by Source IPs

NERC: Allowed URLs by Source IPs - F5 BIG-IP TMOS

NERC: Allowed URLs by Source IPs - Microsoft IIS

NERC: Allowed URLs by Source Users

NERC: Allowed URLs by Source Users - F5 BIG-IP TMOS

NERC: Allowed URLs by Source Users - Microsoft IIS

NERC: Blocked URLs by Source IPs

NERC: Blocked URLs by Source IPs - F5 BIG-IP TMOS

NERC: Blocked URLs by Source IPs - Microsoft IIS

NERC: Blocked URLs by Source Users

NERC: Blocked URLs by Source Users - F5 BIG-IP TMOS

NERC: Blocked URLs by Source Users - Microsoft IIS

Compliance Suite Alerts

None

CIP-005-1 R2.3
The Responsible Entity shall maintain a procedure for securing dial-up access to the Electronic Security Perimeter(s).

Compliance Suite Reports

NERC: Logins by Authentication Type

Compliance Suite Alerts

None

CIP-005-1 R2.4
Where external interactive access into the Electronic Security Perimeter has been enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.

Compliance Suite Reports

NERC: DB2 Database User Additions and Deletions

NERC: DB2 Database Successful Logins

NERC: Denied Connections by IP Addresses

NERC: Denied Connections - Cisco IOS

NERC: Denied Connections - Cisco NXOS

NERC: Denied Connections - Cisco Router

NERC: Denied Connections - F5 BIG-IP TMOS

NERC: Denied Connections - Sidewinder

NERC: Denied Connections - VMware vShield

NERC: Denied Inbound Connections - Check Point

NERC: Denied Inbound Connections - Cisco ASA

NERC: Denied Inbound Connections - Cisco FWSM

NERC: Denied Inbound Connections - Cisco PIX

NERC: Denied Inbound Connections - Juniper Firewall

NERC: Denied Outbound Connections - Check Point

NERC: Denied Outbound Connections - Cisco ASA

NERC: Denied Outbound Connections - Cisco FWSM

NERC: Denied Outbound Connections - Cisco PIX

NERC: Denied Outbound Connections - Juniper Firewall

NERC: ESX Logins Succeeded

NERC: F5 BIG-IP TMOS Login Successful

NERC: Files Accessed on Servers

NERC: Files Accessed on NetApp Filer Audit

NERC: Files Accessed through Juniper SSL VPN (Secure Access)

NERC: Files Accessed through PANOS

NERC: Files Accessed Through Pulse Connect Secure

NERC: Guardium SQL Guard Audit Logins

NERC: Guardium SQL Guard Logins

NERC: HP NonStop Audit Login Successful

NERC: HP NonStop Audit Object Access

NERC: i5/OS Object Access

NERC: LogLogic DSM Logins

NERC: LogLogic Management Center Login

NERC: Microsoft Sharepoint Content Deleted

NERC: Microsoft Sharepoint Content Updates

NERC: Microsoft SQL Server Database Permission Events

NERC: Microsoft SQL Server Database Successful Logins

NERC: Microsoft SQL Server Database User Additions and Deletions

NERC: NetApp Filer Audit Login Successful

NERC: NetApp Filer Audit Group Members Deleted

NERC: NetApp Filer File Activity

NERC: NetApp Filer Login Successful

NERC: Oracle Database Successful Logins

NERC: Oracle Database Permission Events

NERC: Oracle Database User Additions and Deletions

NERC: Ports Denied Access - Check Point

NERC: Ports Denied Access - Cisco ASA

NERC: Ports Denied Access - Cisco FWSM

NERC: Ports Denied Access - Cisco IOS

NERC: Ports Denied Access - Cisco PIX

NERC: Ports Denied Access - Cisco Router

NERC: Ports Denied Access - F5 BIG-IP TMOS

NERC: Ports Denied Access - Fortinet

NERC: Ports Denied Access - Juniper Firewall

NERC: Ports Denied Access - Juniper JunOS

NERC: Ports Denied Access - Juniper RT Flow

NERC: Ports Denied Access - Nortel

NERC: Ports Denied Access - PANOS

NERC: Ports Denied Access - Sidewinder

NERC: Ports Denied Access - VMware vShield

NERC: RACF Files Accessed

NERC: RACF Successful Logins

NERC: Root Logins

NERC: Successful Logins

NERC: Sybase ASE Database User Additions and Deletions

NERC: Sybase ASE Successful Logins

NERC: TIBCO ActiveMatrix Administrator Successful Logins

NERC: Unauthorized Logins

NERC: vCenter Data Move

NERC: vCenter Datastore Events

NERC: vCenter Orchestrator Datastore Events

NERC: vCenter Orchestrator Data Move

NERC: vCenter Successful Logins

NERC: vCloud Successful Logins

NERC: VPN Denied Connections by Users

NERC: VPN Users Accessing Corporate Network

NERC: Windows Group Members Deleted

Compliance Suite Alerts

NERC: DB2 Database User Added or Dropped

NERC: Group Members Deleted

NERC: Guardium SQL Guard Logins

NERC: Logins Succeeded

NERC: LogLogic DSM Logins

NERC: Microsoft Sharepoint Content Deleted

NERC: Microsoft Sharepoint Content Updated

NERC: Neoteris Files Accessed

NERC: Oracle Database User Added or Deleted

NERC: RACF Files Accessed

NERC: vCenter Data Move

NERC: vCenter Datastore Event

NERC: vCenter Orchestrator Data Move

NERC: vCenter Orchestrator Datastore Events

NERC: vCenter User Login Successful

NERC: vCloud Director Login Success

NERC: Windows Files Accessed

NERC: Windows Group Members Deleted

CIP-005-1 R3
The Responsible Entity shall implement and document an electronic or manual process(es) for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week.

Compliance Suite Reports

NERC: Active Directory System Changes

NERC: Cisco ISE, ACS Password Changes

NERC: DB2 Database Failed Logins

NERC: DB2 Database Successful Logins

NERC: DNS Server Error

NERC: ESX Failed Logins

NERC: ESX Logins Failed Unknown User

NERC: ESX Logins Succeeded

NERC: F5 BIG-IP TMOS Login Failed

NERC: F5 BIG-IP TMOS Login Successful

NERC: F5 BIG-IP TMOS Password Changes

NERC: Failed Logins

NERC: Guardium SQL Guard Audit Logins

NERC: Guardium SQL Guard Logins

NERC: HP NonStop Audit Login Failed

NERC: HP NonStop Audit Login Successful

NERC: HP NonStop Audit Permissions Changed

NERC: LogLogic DSM Logins

NERC: LogLogic Management Center Login

NERC: LogLogic Management Center Password Changes

NERC: Microsoft Operations Manager - Windows Permissions Modified

NERC: Microsoft Sharepoint Content Deleted

NERC: Microsoft Sharepoint Content Updates

NERC: Microsoft Sharepoint Permissions Changed

NERC: Microsoft Sharepoint Policy Add, Remove, or Modify

NERC: Microsoft SQL Server Database Failed Logins

NERC: Microsoft SQL Server Database Successful Logins

NERC: NetApp Filer Audit Login Failed

NERC: NetApp Filer Audit Login Successful

NERC: NetApp Filer Login Failed

NERC: NetApp Filer Login Successful

NERC: NetApp Filer Password Changes

NERC: Oracle Database Failed Logins

NERC: Oracle Database Successful Logins

NERC: Periodic Review of Log Reports

NERC: Periodic Review of User Access Logs

NERC: Permissions Modified on Windows Servers

NERC: RACF Failed Logins

NERC: RACF Permissions Changed

NERC: RACF Successful Logins

NERC: Sensors Generating Alerts

NERC: Sensors Generating Alerts - Cisco IOS

NERC: Sensors Generating Alerts - ISS SiteProtector

NERC: Sensors Generating Alerts - SiteProtector

NERC: Sensors Generating Alerts - Sourcefire Defense Center

NERC: Successful Logins

NERC: Sybase ASE Failed Logins

NERC: Sybase ASE Successful Logins

NERC: Symantec Endpoint Protection Password Changes

NERC: TIBCO ActiveMatrix Administrator Failed Logins

NERC: TIBCO ActiveMatrix Administrator Permission Changes

NERC: TIBCO ActiveMatrix Administrator Successful Logins

NERC: TIBCO Administrator Password Changes

NERC: TIBCO Administrator Permission Changes

NERC: Unauthorized Logins

NERC: vCenter Change Attributes

NERC: vCenter Data Move

NERC: vCenter Datastore Events

NERC: vCenter Failed Logins

NERC: vCenter Modify Firewall Policy

NERC: vCenter Orchestrator Change Attributes

NERC: vCenter Orchestrator Datastore Events

NERC: vCenter Orchestrator Data Move

NERC: vCenter Orchestrator Failed Logins

NERC: vCenter Orchestrator Virtual Machine Created

NERC: vCenter Orchestrator Virtual Machine Deleted

NERC: vCenter Orchestrator Virtual Machine Shutdown

NERC: vCenter Orchestrator Virtual Machine Started

NERC: vCenter Orchestrator vSwitch Added, Changed or Removed

NERC: vCenter Resource Usage Change

NERC: vCenter Shutdown or Restart of ESX Server

NERC: vCenter Successful Logins

NERC: vCenter User Permission Change

NERC: vCenter Virtual Machine Created

NERC: vCenter Virtual Machine Deleted

NERC: vCenter Virtual Machine Shutdown

NERC: vCenter Virtual Machine Started

NERC: vCenter vSwitch Added, Changed or Removed

NERC: vCloud Failed Logins

NERC: vCloud Organization Created

NERC: vCloud Organization Deleted

NERC: vCloud Organization Modified

NERC: vCloud Successful Logins

NERC: vCloud vApp Created, Modified, or Deleted

NERC: vCloud vDC Created, Modified, or Deleted

NERC: VPN Sessions by Destination IPs

NERC: VPN Sessions by Source IPs

NERC: VPN Sessions by Users

NERC: vShield Edge Configuration Changes

Compliance Suite Alerts

NERC: Accounts Enabled

NERC: Accounts Locked

NERC: Active Directory Changes

NERC: Allowed Connections

NERC: Cisco ISE, ACS Passwords Changed

NERC: Cisco PIX, ASA, FWSM Commands Executed

NERC: System Restarted

NERC: Cisco PIX, ASA, FWSM Failover Errors

NERC: Cisco PIX, ASA, FWSM Failover Performed

NERC: Cisco PIX, ASA, FWSM Fragment Database Limit

NERC: Cisco PIX, ASA, FWSM Logon Failure

NERC: Cisco PIX, ASA, FWSM Logon Success

NERC: Cisco PIX, ASA, FWSM NAT Failure

NERC: Cisco PIX, ASA, FWSM Policy Changed

NERC: Cisco PIX, ASA, FWSM Protocol Failure

NERC: Cisco PIX, ASA, FWSM Routing Failure

NERC: Cisco PIX, ASA, FWSM Shun Added

NERC: Cisco PIX, ASA, FWSM Shun Deleted

NERC: Cisco PIX, ASA, FWSM VPN Tunnel Creation

NERC: Cisco PIX, ASA, FWSM VPN Tunnel Teardown

NERC: Cisco Switch Card Insert

NERC: Cisco Switch Device Reload

NERC: Cisco Switch Device Restart

NERC: Cisco Switch HA Failure (ver)

NERC: Cisco Switch Interface Change

NERC: Cisco Switch Interface Down

NERC: Cisco Switch Interface Up

NERC: Cisco Switch Policy Changed

NERC: Disallowed Services

NERC: DNS Server Shutdown

NERC: DNS Server Started

NERC: Excessive IDS Attack

NERC: Groups Created

NERC: Groups Deleted

NERC: Groups Modified

NERC: Group Members Added

NERC: Group Members Deleted

NERC: Guardium SQL Guard Logins

NERC: HP NonStop Audit Permission Changed

NERC: IBM AIX Password Changed

NERC: Juniper Firewall HA State Change

NERC: Juniper Firewall Logon Failure

NERC: Juniper Firewall Logon Success

NERC: Juniper Firewall Peer Missing

NERC: Juniper Firewall Policy Changes

NERC: Juniper Firewall Policy Out of Sync

NERC: Juniper Firewall System Reset

NERC: Logins Failed

NERC: Logins Succeeded

NERC: LogLogic DSM Logins

NERC: LogLogic File Retrieval Errors

NERC: LogLogic Management Center Passwords Changed

NERC: LogLogic Message Routing Errors

NERC: Microsoft Operations Manager - Permissions Changed

NERC: Microsoft Operations Manager - Windows Passwords Changed

NERC: Microsoft Operations Manager - Windows Policies Changed

NERC: Microsoft Operations Manager - Windows Server Restarted

NERC: Microsoft Sharepoint Content Deleted

NERC: Microsoft Sharepoint Content Updated

NERC: Microsoft Sharepoint Permission Changed

NERC: Microsoft Sharepoint Policies Added, Removed, Modified

NERC: Neoteris Files Accessed

NERC: NetApp Authentication Failure

NERC: NetApp Bad File Handle

NERC: NetApp Bootblock Update

NERC: NetApp Filer Audit Policies Changed

NERC: NetApp Filer Disk Failure

NERC: NetApp Filer Disk Missing

NERC: NetApp Filer Disk Scrub Suspended

NERC: NetApp Filer File System Full

NERC: NetApp Filer NIS Group Update

NERC: NetApp Filer Disk Inserted

NERC: NetApp Filer Disk Pulled

NERC: NetApp Filer Snapshot Error

NERC: NetApp Filer Unauthorized Mounting

NERC: Policy Violation

NERC: RACF Files Accessed

NERC: RACF Passwords Changed

NERC: RACF Permissions Changed

NERC: Symantec Endpoint Protection Policy Add, Delete, Modify

NERC: System Anomalies

NERC: TIBCO ActiveMatrix Administrator Permission Changed

NERC: UNIX Groups Added

NERC: UNIX Groups Deleted

NERC: UNIX Groups Modified

NERC: UNIX Privilege Escalated

NERC: vCenter Create Virtual Machine

NERC: vCenter Data Move

NERC: vCenter Datastore Event

NERC: vCenter Delete Virtual Machine

NERC: vCenter Firewall Policy Change

NERC: vCenter Orchestrator Data Move

NERC: vCenter Orchestrator Datastore Events

NERC: vCenter Orchestrator Create Virtual Machine

NERC: vCenter Orchestrator Delete Virtual Machine

NERC: vCenter Orchestrator Login Failed

NERC: vCenter Orchestrator Virtual Machine Shutdown

NERC: vCenter Orchestrator Virtual Machine Started

NERC: vCenter Orchestrator vSwitch Add, Modify or Delete

NERC: vCenter Permission Change

NERC: vCenter Shutdown or Restart ESX

NERC: vCenter User Login Failed

NERC: vCenter User Login Successful

NERC: vCenter Virtual Machine Shutdown

NERC: vCenter Virtual Machine Started

NERC: vCenter vSwitch Add, Modify or Delete

NERC: vCloud Director Login Failed

NERC: vCloud Director Login Success

NERC: vCloud Organization Created

NERC: vCloud Organization Deleted

NERC: vCloud Organization Modified

NERC: vCloud User Created

NERC: vCloud User, Group, or Role Modified

NERC: vCloud vApp Created, Deleted, or Modified

NERC: vCloud vDC Created, Modified, or Deleted

NERC: vShield Edge Configuration Change

NERC: Windows Audit Log Cleared

NERC: Windows Files Accessed

NERC: Windows Group Members Added

NERC: Windows Group Members Deleted

NERC: Windows Groups Created

NERC: Windows Groups Deleted

NERC: Windows Groups Modified

NERC: Windows Passwords Changed

NERC: Windows Permissions Changed

NERC: Windows Policies Changed

NERC: Windows Privileges Escalated

NERC: System Restarted

CIP-005-1 R3.1 For dial-up accessible Critical Cyber Assets that use non-routable protocols, the Responsible Entity shall implement and document monitoring process(es) at each access point to the dial-up device, where technically feasible. Compliance Suite Reports

NERC: VPN Sessions by Destination IPs

NERC: VPN Sessions by Source IPs

NERC: VPN Sessions by Users

Compliance Suite Alerts

None

CIP-005-1 R3.2 Where technically feasible, the security monitoring process(es) shall detect and alert for attempts at or actual unauthorized accesses. These alerts shall provide for appropriate notification to designated response personnel. Where alerting is not technically feasible, the Responsible Entity shall review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every ninety calendar days. Compliance Suite Reports

NERC: Denied Connections by IP Addresses

NERC: Denied Connections - Cisco IOS

NERC: Denied Connections - Cisco NXOS

NERC: Denied Connections - Cisco Router

NERC: Denied Connections - F5 BIG-IP TMOS

NERC: Denied Connections - Sidewinder

NERC: Denied Connections - VMware vShield

NERC: Denied Inbound Connections - Check Point

NERC: Denied Inbound Connections - Cisco ASA

NERC: Denied Inbound Connections - Cisco FWSM

NERC: Denied Inbound Connections - Cisco PIX

NERC: Denied Inbound Connections - Juniper Firewall

NERC: Denied Outbound Connections - Check Point

NERC: Denied Outbound Connections - Cisco ASA

NERC: Denied Outbound Connections - Cisco FWSM

NERC: Denied Outbound Connections - Cisco PIX

NERC: Denied Outbound Connections - Juniper Firewall

NERC: DHCP Activities on Microsoft DHCP

NERC: DHCP Activities on VMware vShield

NERC: Unauthorized Logins

NERC: VPN Denied Connections by Users

Compliance Suite Alerts

None

CIP-005-1 R1.4 The Responsible Entity shall perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually. The LogLogic solution can assist with the vulnerability assessment by providing a report on the access points and ports that are available for services. Compliance Suite Reports

NERC: DHCP Activities on Microsoft DHCP

NERC: DHCP Activities on VMware vShield

CIP-005-1 R4.2 A review to verify that only ports and services required for operations at these access points are enabled. Compliance Suite Reports

NERC: Allowed URLs by Source IPs

NERC: Allowed URLs by Source IPs - F5 BIG-IP TMOS

NERC: Allowed URLs by Source IPs - Microsoft IIS

NERC: Allowed URLs by Source Users

NERC: Allowed URLs by Source Users - F5 BIG-IP TMOS

NERC: Allowed URLs by Source Users - Microsoft IIS

NERC: Blocked URLs by Source IPs

NERC: Blocked URLs by Source IPs - F5 BIG-IP TMOS

NERC: Blocked URLs by Source IPs - Microsoft IIS

NERC: Blocked URLs by Source Users

NERC: Blocked URLs by Source Users - F5 BIG-IP TMOS

NERC: Blocked URLs by Source Users - Microsoft IIS

NERC: Ports Denied Access - Check Point

NERC: Ports Denied Access - Cisco ASA

NERC: Ports Denied Access - Cisco FWSM

NERC: Ports Denied Access - Cisco IOS

NERC: Ports Denied Access - Cisco PIX

NERC: Ports Denied Access - Cisco Router

NERC: Ports Denied Access - F5 BIG-IP TMOS

NERC: Ports Denied Access - Fortinet

NERC: Ports Denied Access - Juniper Firewall

NERC: Ports Denied Access - Juniper JunOS

NERC: Ports Denied Access - Juniper RT Flow

NERC: Ports Denied Access - Nortel

NERC: Ports Denied Access - PANOS

NERC: Ports Denied Access - Sidewinder

NERC: Ports Denied Access - VMware vShield

Compliance Suite Alerts

None

CIP-005-1 R4.4 A review of controls for default accounts, passwords, and network management community strings. Compliance Suite Reports

NERC: Juniper Firewall Reset Accepted

NERC: Juniper Firewall Reset Imminent

NERC: i5/OS Restore Events

NERC: LogLogic Management Center Restore Activities

Compliance Suite Alerts

None

CIP-005-1 R5 Documentation Review and Maintenance — The Responsible Entity shall review, update, and maintain all documentation to support compliance with the requirements of Standard CIP-005. N/A
CIP-005-1 R5.3 The Responsible Entity shall retain electronic access logs for at least ninety calendar days. Logs related to reportable incidents shall be kept in accordance with the requirements of Standard CIP-008. Compliance Suite Reports

NERC: VPN Users Accessing Corporate Network

Compliance Suite Alerts

None

CIP-006-1
CIP-006-1 R4 Logging shall record sufficient information to uniquely identify individuals and the time of access twenty-four hours a day, seven days a week. The Responsible Entity shall implement and document the technical and procedural mechanisms for logging physical entry at all access points to the Physical Security Perimeter(s) using computerized logging as one of the methods. N/A
CIP-006-1 R5 Access log retention for at least 90 days. N/A
CIP-007
CIP-007 R4 Use anti-virus software and other malware prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all cyber assets within the Electronic Security Perimeter(s). Compliance Suite Reports

NERC: Attackers by Service - FireEye MPS

NERC: Attackers by Signature - FireEye MPS

NERC: Cisco ESA: Attacks by Event ID

NERC: Cisco ESA: Attacks Detected

NERC: Cisco ESA: Attacks by Threat Name

NERC: Cisco ESA: Scans

NERC: Cisco ESA: Updated

NERC: FireEye MPS: Attacks by Event ID

NERC: FireEye MPS: Attacks by Threat Name

NERC: FireEye MPS: Attacks Detected

NERC: FortiOS: Attacks Detected

NERC: FortiOS: Attacks by Event ID

NERC: FortiOS: Attacks by Threat Name

NERC: FortiOS DLP Attacks Detected

NERC: McAfee AntiVirus: Attacks Detected

NERC: McAfee AntiVirus: Attacks by Event ID

NERC: McAfee AntiVirus: Attacks by Threat Name

NERC: PANOS: Attacks by Event ID

NERC: PANOS: Attacks by Threat Name

NERC: PANOS: Attacks Detected

NERC: Symantec AntiVirus: Attacks by Event ID

NERC: Symantec AntiVirus: Attacks by Threat Name

NERC: Symantec AntiVirus: Attacks Detected

NERC: Symantec AntiVirus: Scans

NERC: Symantec AntiVirus: Updated

NERC: Symantec Endpoint Protection: Attacks Detected

NERC: Symantec Endpoint Protection: Attacks by Threat Name

NERC: Symantec Endpoint Protection: Scans

NERC: Symantec Endpoint Protection: Updated

NERC: TrendMicro Control Manager: Attacks Detected

NERC: TrendMicro Control Manager: Attacks Detected by Threat Name

CIP-007-5 R1.1 Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. Compliance Suite Reports

NERC: Ports Allowed Access - Check Point

NERC: Ports Allowed Access - Cisco ASA

NERC: Ports Allowed Access - Cisco FWSM

NERC: Ports Allowed Access - Cisco IOS

NERC: Ports Allowed Access - Cisco Netflow

NERC: Ports Allowed Access - Cisco PIX

NERC: Ports Allowed Access - F5 BIG-IP TMOS

NERC: Ports Allowed Access - Fortinet

NERC: Ports Allowed Access - Juniper Firewall

NERC: Ports Allowed Access - Juniper JunOS

NERC: Ports Allowed Access - Juniper RT Flow

NERC: Ports Allowed Access - Nortel

NERC: Ports Allowed Access - PANOS

NERC: Ports Allowed Access - Sidewinder

NERC: Ports Allowed Access - VMware vShield

CIP-007-5 R1.2 Protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or removable media. Compliance Suite Reports

NERC: Ports Denied Access - Check Point

NERC: Ports Denied Access - Cisco ASA

NERC: Ports Denied Access - Cisco FWSM

NERC: Ports Denied Access - Cisco IOS

NERC: Ports Denied Access - Cisco Router

NERC: Ports Denied Access - Cisco PIX

NERC: Ports Denied Access - F5 BIG-IP TMOS

NERC: Ports Denied Access - Fortinet

NERC: Ports Denied Access - Juniper Firewall

NERC: Ports Denied Access - Juniper JunOS

NERC: Ports Denied Access - Juniper RT Flow

NERC: Ports Denied Access - Nortel

NERC: Ports Denied Access - PANOS

NERC: Ports Denied Access - Sidewinder

NERC: Ports Denied Access - VMware vShield

CIP-007-5 R2 Document and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets in the Electronic Security Perimeters. Compliance Suite Reports

NERC: Cisco ESA: Updated

NERC: Symantec AntiVirus: Updated

NERC: Symantec Endpoint Protection: Updated

CIP-007-5 R2.1 Document and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets in the Electronic Security Perimeters. Compliance Suite Reports

NERC: vCenter Restart ESX Services

Compliance Suite Alerts

NERC: vCenter Restart ESX Services

CIP-007-5 R3 Use anti-virus software and other malware prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all cyber assets in the Electronic Security Perimeters. Compliance Suite Reports

NERC: Administrator Logins on Windows Servers

NERC: Cisco ESA: Attacks by Event ID

NERC: Cisco ESA: Attacks Detected

NERC: Cisco ESA: Attacks by Threat Name

NERC: Cisco ESA: Scans

NERC: Cisco ESA: Updated

NERC: DB2 Database Failed Logins

NERC: DB2 Database Successful Logins

NERC: ESX Failed Logins

NERC: ESX Logins Failed Unknown User

NERC: ESX Logins Succeeded

NERC: F5 BIG-IP TMOS Login Failed

NERC: F5 BIG-IP TMOS Login Successful

NERC: Failed Logins

NERC: Files Accessed on Servers

NERC: Files Accessed on NetApp Filer Audit

NERC: Files Accessed through Juniper SSL VPN (Secure Access)

NERC: Files Accessed through PANOS

NERC: Files Downloaded via Proxy

NERC: Files Downloaded via Proxy - Blue Coat Proxy

NERC: Files Downloaded via Proxy - Cisco WSA

NERC: Files Downloaded via Proxy - Microsoft IIS

NERC: Files Downloaded via the Web

NERC: Files Downloaded via the Web - F5 BIG-IP TMOS

NERC: Files Downloaded via the Web - Microsoft IIS

NERC: Files Uploaded via Proxy

NERC: Files Uploaded via Proxy - Blue Coat Proxy

NERC: Files Uploaded via Proxy - Cisco WSA

NERC: Files Uploaded via the Web - F5 BIG-IP TMOS

NERC: Files Uploaded via Proxy - Microsoft IIS

NERC: Files Uploaded via the Web - Microsoft IIS

NERC: Files Uploaded via the Web

NERC: FireEye MPS: Attackers by Service

NERC: FireEye MPS: Attackers by Signature

NERC: FireEye MPS: Attacks by Event ID

NERC: FireEye MPS: Attacks by Threat Name

NERC: FireEye MPS: Attacks Detected

NERC: Files Accessed Through Pulse Connect Secure

NERC: FortiOS: Attacks Detected

NERC: FortiOS: Attacks by Event ID

NERC: FortiOS: Attacks by Threat Name

NERC: FortiOS DLP Attacks Detected

NERC: Guardium SQL Guard Audit Logins

NERC: Guardium SQL Guard Logins

NERC: HP NonStop Audit Login Failed

NERC: HP NonStop Audit Login Successful

NERC: i5/OS Access Control List Modifications

NERC: Last Activities Performed by Administrators

NERC: Last Activities Performed by All Users

NERC: Logins by Authentication Type

NERC: LogLogic DSM Logins

NERC: LogLogic Management Center Login

NERC: McAfee AntiVirus: Attacks Detected

NERC: McAfee AntiVirus: Attacks by Event ID

NERC: McAfee AntiVirus: Attacks by Threat Name

NERC: Microsoft Sharepoint Content Updates

NERC: Microsoft SQL Server Database Failed Logins

NERC: Microsoft SQL Server Database Successful Logins

NERC: NetApp Filer Audit Login Failed

NERC: NetApp Filer Audit Login Successful

NERC: NetApp Filer File Activity

NERC: NetApp Filer Login Failed

NERC: NetApp Filer Login Successful

NERC: Oracle Database Failed Logins

NERC: Oracle Database Successful Logins

NERC: PANOS: Attacks by Event ID

NERC: PANOS: Attacks by Threat Name

NERC: PANOS: Attacks Detected

NERC: RACF Failed Logins

NERC: RACF Files Accessed

NERC: RACF Successful Logins

NERC: Root Logins

NERC: Successful Logins

NERC: Sybase ASE Failed Logins

NERC: Sybase ASE Successful Logins

NERC: Symantec AntiVirus: Attacks by Event ID

NERC: Symantec AntiVirus: Attacks by Threat Name

NERC: Symantec AntiVirus: Attacks Detected

NERC: Symantec AntiVirus: Scans

NERC: Symantec AntiVirus: Updated

NERC: Symantec Endpoint Protection: Attacks Detected

NERC: Symantec Endpoint Protection: Attacks by Threat Name

NERC: Symantec Endpoint Protection: Scans

NERC: Symantec Endpoint Protection: Updated

NERC: TIBCO ActiveMatrix Administrator Failed Logins

NERC: TIBCO ActiveMatrix Administrator Successful Logins

NERC: TrendMicro Control Manager: Attacks Detected

NERC: TrendMicro Control Manager: Attacks Detected by Threat Name

NERC: TrendMicro OfficeScan: Attacks Detected

NERC: TrendMicro OfficeScan: Attacks Detected by Threat Name

NERC: Unencrypted Logins

NERC: vCenter Failed Logins

NERC: vCenter Orchestrator Failed Logins

NERC: vCenter Successful Logins

NERC: vCloud Failed Logins

NERC: vCloud Successful Logins

NERC: VPN Connections by Users

NERC: Web Access from All Users

NERC: Web Access from All Users - Fortinet

NERC: Web Access from All Users - F5 BIG-IP TMOS

NERC: Web Access from All Users - Microsoft IIS

NERC: Web Access from All Users - PANOS

NERC: Web Access to Applications - Fortinet

NERC: Web Access to Applications - F5 BIG-IP TMOS

NERC: Web Access to Applications - Microsoft IIS

NERC: Web Access to Applications - PANOS

NERC: Web Access to Applications

Compliance Suite Alerts

NERC: Cisco PIX, ASA, FWSM Logon Failure

NERC: Guardium SQL Guard Logins

NERC: Juniper Firewall Logon Failure

NERC: Logins Failed

NERC: Logins Succeeded

NERC: LogLogic DSM Logins

NERC: Microsoft SharePoint Content Updated

NERC: vCenter User Login Failed

NERC: vCenter User Login Successful

NERC: vCenter Orchestrator Login Failed

NERC: vCloud Director Login Failed

NERC: vCloud Director Login Success

CIP-007 R5 Establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity and that minimize the risk of unauthorized system access. Compliance Suite Reports

NERC: Administrator Logins on Windows Servers

NERC: DB2 Database Failed Logins

NERC: DB2 Database Successful Logins

NERC: ESX Failed Logins

NERC: ESX Logins Failed Unknown User

NERC: ESX Logins Succeeded

NERC: F5 BIG-IP TMOS Login Failed

NERC: F5 BIG-IP TMOS Login Successful

NERC: Failed Logins

NERC: Files Accessed on Servers

NERC: Files Accessed on NetApp Filer Audit

NERC: Files Accessed through Juniper SSL VPN (Secure Access)

NERC: Files Accessed through PANOS

NERC: Files Accessed Through Pulse Connect Secure

NERC: Files Downloaded via Proxy

NERC: Files Downloaded via Proxy - Blue Coat Proxy

NERC: Files Downloaded via Proxy - Cisco WSA

NERC: Files Downloaded via Proxy - Microsoft IIS

NERC: Files Downloaded via the Web

NERC: Files Downloaded via the Web - F5 BIG-IP TMOS

NERC: Files Downloaded via the Web - Microsoft IIS

NERC: Files Uploaded via Proxy

NERC: Files Uploaded via Proxy - Blue Coat Proxy

NERC: Files Uploaded via Proxy - Cisco WSA

NERC: Files Uploaded via Proxy - Microsoft IIS

NERC: Files Uploaded via the Web

NERC: Files Uploaded via the Web - F5 BIG-IP TMOS

NERC: Files Uploaded via the Web - Microsoft IIS

NERC: Guardium SQL Guard Audit Logins

NERC: Guardium SQL Guard Logins

NERC: HP NonStop Audit Login Failed

NERC: HP NonStop Audit Login Successful

NERC: i5/OS Access Control List Modifications

NERC: Last Activities Performed by Administrators

NERC: Last Activities Performed by All Users

NERC: Logins by Authentication Type

NERC: LogLogic DSM Logins

NERC: LogLogic Management Center Login

NERC: Microsoft SQL Server Database Failed Logins

NERC: Microsoft SQL Server Database Successful Logins

NERC: NetApp Filer Audit Login Failed

NERC: NetApp Filer Audit Login Successful

NERC: NetApp Filer File Activity

NERC: NetApp Filer Login Failed

NERC: NetApp Filer Login Successful

NERC: Oracle Database Failed Logins

NERC: Oracle Database Successful Logins

NERC: RACF Failed Logins

NERC: RACF Files Accessed

NERC: RACF Successful Logins

NERC: Root Logins

NERC: Successful Logins

NERC: Sybase ASE Failed Logins

NERC: Sybase ASE Successful Logins

NERC: TIBCO ActiveMatrix Administrator Failed Logins

NERC: TIBCO ActiveMatrix Administrator Successful Logins

NERC: Unauthorized Logins

NERC: Unencrypted Logins

NERC: Users Using the Proxies

NERC: Users Using the Proxies - Blue Coat Proxy

NERC: Users Using the Proxies - Cisco WSA

NERC: Users Using the Proxies - Microsoft IIS

NERC: vCenter Failed Logins

NERC: vCenter Orchestrator Failed Logins

NERC: vCloud Failed Logins

NERC: vCenter Successful Logins

NERC: vCloud Successful Logins

NERC: VPN Connections by Users

NERC: Web Access from All Users

NERC: Web Access from All Users - F5 BIG-IP TMOS

NERC: Web Access from All Users - Fortinet

NERC: Web Access from All Users - Microsoft IIS

NERC: Web Access from All Users - PANOS

NERC: Web Access to Applications - Fortinet

NERC: Web Access to Applications - F5 BIG-IP TMOS

NERC: Web Access to Applications - Microsoft IIS

NERC: Web Access to Applications - PANOS

NERC: Web Access to Applications

Compliance Suite Alerts

NERC: Cisco PIX, ASA, FWSM Logon Failure

NERC: Guardium SQL Guard Logins

NERC: Juniper Firewall Logon Failure

NERC: Logins Failed

NERC: Logins Succeeded

NERC: LogLogic DSM Logins

NERC: vCenter User Login Failed

NERC: vCenter User Login Successful

NERC: vCenter Orchestrator Login Failed

NERC: vCloud Director Login Failed

NERC: vCloud Director Login Success

CIP-007 R5.1.1 Ensure that user accounts are implemented as approved by designated personnel as specified in CIP-003 Requirement 5. Compliance Suite Reports

NERC: Account Activities on UNIX Servers

NERC: Account Activities on Windows Servers

NERC: Accounts Changed on NetApp Filer

NERC: Accounts Changed on TIBCO Administrator

NERC: Accounts Changed on TIBCO ActiveMatrix Administrator

NERC: Accounts Changed on UNIX Servers

NERC: Accounts Changed on Windows Servers

NERC: Accounts Created on NetApp Filer

NERC: Accounts Created on NetApp Filer Audit

NERC: Accounts Created on Sidewinder

NERC: Accounts Created on Symantec Endpoint Protection

NERC: Accounts Created on TIBCO Administrator

NERC: Accounts Created on TIBCO ActiveMatrix Administrator

NERC: Accounts Created on UNIX Servers

NERC: Accounts Created on Windows Servers

NERC: Accounts Deleted on NetApp Filer

NERC: Accounts Deleted on NetApp Filer Audit

NERC: Accounts Deleted on Symantec Endpoint Protection

NERC: Accounts Deleted on TIBCO Administrator

NERC: Accounts Deleted on TIBCO ActiveMatrix Administrator

NERC: Accounts Deleted on Sidewinder

NERC: Accounts Deleted on UNIX Servers

NERC: Accounts Deleted on Windows Servers

NERC: Cisco ISE, ACS Accounts Created

NERC: Cisco ISE, ACS Accounts Removed

NERC: ESX Accounts Activities

NERC: ESX Accounts Created

NERC: ESX Accounts Deleted

NERC: LogLogic Management Center Account Activities

NERC: Microsoft Operations Manager - Windows Accounts Activities

NERC: Microsoft Operations Manager - Windows Accounts Changed

NERC: Microsoft Operations Manager - Windows Accounts Created

NERC: Microsoft Operations Manager - Windows Accounts Enabled

NERC: NetApp Filer Audit Accounts Enabled

NERC: NetApp Filer Audit Group Members Added

NERC: NetApp Filer Audit Group Members Deleted

NERC: RACF Accounts Created

NERC: RACF Accounts Deleted

NERC: RACF Accounts Modified

NERC: vCloud User Created

NERC: vCloud User Deleted or Removed

NERC: Windows Accounts Enabled

NERC: Windows Accounts Locked

NERC: Windows Group Members Added

NERC: Windows Group Members Deleted

Compliance Suite Alerts

NERC: Accounts Created

NERC: Accounts Deleted

NERC: Accounts Enabled

NERC: Accounts Locked

NERC: Accounts Modified

NERC: Group Members Added

NERC: Group Members Deleted

NERC: vCloud User Created

NERC: Windows Group Members Added

NERC: Windows Group Members Deleted

CIP-007 R5.1.2 / CIP-007-5 R4.1 Establish methods and procedures that generate logs of sufficient detail to create historical and audit trails to individual user account access activity for a minimum of 90 days. Compliance Suite Reports

NERC: Account Activities on UNIX Servers

NERC: Account Activities on Windows Servers

NERC: Bandwidth Usage by User

NERC: ESX Accounts Activities

NERC: ESX Group Activities

NERC: ESX Kernel log daemon terminating

NERC: ESX Kernel logging Stop

NERC: ESX Syslogd Restart

NERC: F5 BIG-IP TMOS Restarted

NERC: Group Activities on NetApp Filer Audit

NERC: Group Activities on Symantec Endpoint Protection

NERC: Group Activities on TIBCO ActiveMatrix Administrator

NERC: Group Activities on UNIX Servers

NERC: Group Activities on Windows Servers

NERC: LogLogic Management Center Account Activities

NERC: Microsoft Operations Manager - Windows Accounts Activities

NERC: Microsoft Operations Manager - Windows Events by Users

NERC: Users Created on Servers

NERC: Users Removed from Servers

NERC: Users Using the Proxies

NERC: Users Using the Proxies - Blue Coat Proxy

NERC: Users Using the Proxies - Cisco WSA

NERC: Users Using the Proxies - Microsoft IIS

NERC: vCenter Restart ESX Services

NERC: VPN Connections by Users

NERC: VPN Sessions by Users

NERC: VPN Users Accessing Corporate Network

NERC: Windows Events by Users

Compliance Suite Alerts

NERC: vCenter Restart ESX Services

CIP-007 R5.2 / CIP-007-5 R5.3 Implement a policy to minimize and manage the scope and acceptable use of admin, shared and other generic account privileges. Compliance Suite Reports

NERC: Accounts Changed on NetApp Filer

NERC: Accounts Changed on TIBCO Administrator

NERC: Accounts Changed on TIBCO ActiveMatrix Administrator

NERC: Accounts Changed on UNIX Servers

NERC: Accounts Changed on Windows Servers

NERC: Administrator Logins on Windows Servers

NERC: DB2 Database Successful Logins

NERC: Domain activities on Symantec Endpoint Protection

NERC: ESX Logins Succeeded

NERC: F5 BIG-IP TMOS Login Successful

NERC: Guardium SQL Guard Audit Logins

NERC: Guardium SQL Guard Logins

NERC: HP NonStop Audit Login Successful

NERC: HP NonStop Audit Permissions Changed

NERC: LogLogic DSM Logins

NERC: LogLogic Management Center Login

NERC: Microsoft Operations Manager - Windows Accounts Changed

NERC: Microsoft Operations Manager - Windows Permissions Modified

NERC: Microsoft Operations Manager - Windows Policies Modified

NERC: Microsoft Sharepoint Permissions Changed

NERC: Microsoft SQL Server Database Successful Logins

NERC: NetApp Filer Audit Group Members Added

NERC: NetApp Filer Audit Group Members Deleted

NERC: NetApp Filer Audit Login Successful

NERC: NetApp Filer Audit Policies Modified

NERC: NetApp Filer Login Successful

NERC: Oracle Database Successful Logins

NERC: Permissions Modified on Windows Servers

NERC: Policies Modified on Windows Servers

NERC: RACF Accounts Modified

NERC: RACF Permissions Changed

NERC: RACF Successful Logins

NERC: Successful Logins

NERC: Sybase ASE Successful Logins

NERC: Symantec Endpoint Protection Policy Add, Remove, or Modify

NERC: TIBCO Administrator Permission Changes

NERC: TIBCO ActiveMatrix Administrator Permission Changes

NERC: TIBCO ActiveMatrix Administrator Successful Logins

NERC: Trusted Domain Created on Windows Servers

NERC: Trusted Domain Deleted on Windows Servers

NERC: vCenter Successful Logins

NERC: vCenter User Permission Change

NERC: vCloud Successful Logins

NERC: Windows Group Members Added

NERC: Windows Group Members Deleted

Compliance Suite Alerts

NERC: Accounts Modified

NERC: Guardium SQL Guard Logins

NERC: HP NonStop Audit Permission Changed

NERC: Logins Succeeded

NERC: LogLogic DSM Logins

NERC: Microsoft Operations Manager - Permissions Changed

NERC: Microsoft Operations Manager - Windows Policies Changed

NERC: Microsoft Sharepoint Permission Changed

NERC: NetApp Filer Audit Policies Changed

NERC: RACF Permissions Changed

NERC: TIBCO ActiveMatrix Administrator Permission Changed

NERC: vCenter Permission Change

NERC: vCenter User Login Successful

NERC: vCloud Director Login Success

NERC: Windows Group Members Deleted

NERC: Windows Permissions Changed

NERC: Windows Policies Changed

CIP-007 R5.3.3 / CIP-007-5 R5.6 Each password shall be changed at least annually or more frequently based on risk. Compliance Suite Reports

NERC: Cisco ISE, ACS Password Changes

NERC: F5 BIG-IP TMOS Password Changes

NERC: i5/OS DST Password Reset

NERC: LogLogic Management Center Password Changes

NERC: Microsoft Operations Manager - Windows Password Changes

NERC: Microsoft SQL Server Password Changes

NERC: NetApp Filer Password Changes

NERC: Novell eDirectory Password Changes

NERC: Password Changes on Windows Servers

NERC: RACF Password Changed

NERC: Symantec Endpoint Protection Password Changes

NERC: TIBCO Administrator Password Changes

NERC: Unix Password Changes

Compliance Suite Alerts

NERC: Cisco ISE, ACS Passwords Changed

NERC: IBM AIX Password Changed

NERC: LogLogic Management Center Passwords Changed

NERC: Microsoft Operations Manager - Windows Passwords Changed

NERC: RACF Passwords Changed

NERC: Windows Passwords Changed

CIP-007 R6.2 / CIP-007-5 R4.2 The security monitoring controls shall issue automated or manual alerts for security incidents. Compliance Suite Reports

NERC: Attackers by Service

NERC: Attackers by Signature

NERC: Attackers by Service - Cisco IOS

NERC: Attackers by Service - ISS SiteProtector

NERC: Attackers by Service - SiteProtector

NERC: Attackers by Service - Sourcefire Defense Center

NERC: Attackers by Signature - Cisco IOS

NERC: Attackers by Signature - ISS SiteProtector

NERC: Attackers by Signature - SiteProtector

NERC: Attackers by Signature - Sourcefire Defense Center

NERC: Attacks Detected

NERC: Attacks Detected - Cisco IOS

NERC: Attacks Detected - HIPS

NERC: Attacks Detected - ISS SiteProtector

NERC: Attacks Detected - SiteProtector

NERC: Attackers Detected - Sourcefire Defense Center

NERC: FireEye MPS: Sensors Generating Alerts

Compliance Suite Alerts

NERC: Anomalous IDS Alerts

NERC: Sensors Generating Alerts - FireEye MPS

CIP-007 R6.5 / CIP-007-5 R4.4 Review logs of system events related to cyber security and maintain records documenting review of logs. Compliance Suite Reports

NERC: Periodic Review of Log Reports

NERC: Periodic Review of User Access Logs

Compliance Suite Alerts

None