TIBCO LogLogic Reports and Filter Bloks for NERC
The following table lists the reports and filter bloks included in LogLogic Compliance Suite - NERC Edition.
| # | Real-time Report Name | Advanced Filter Blok Name | Report Description | Compliance Mapping |
|---|---|---|---|---|
| 1 | Not Applicable | NERC_Amazon_Cloudtrail_Successful_Logins | Displays all Amazon CloudTrail successful logins. | CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 2 | Not Applicable | NERC_Amazon_Cloudtrail_Change_Events | Displays all Amazon CloudTrail change events. | CIP-003-1 R5.2, CIP-007 R5.1.1, CIP-007 R5.2, CIP-007-5 R5.3 |
| 3 | Not Applicable | NERC_Amazon_Cloudtrail_Create_Events | Displays all Amazon CloudTrail create events. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 4 | Not Applicable | NERC_Amazon_Cloudtrail_Delete_Events | Displays all Amazon CloudTrail delete events. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 5 | Not Applicable | NERC_Amazon_Cloudtrail_Failed_Logins | Displays all Amazon CloudTrail failed logins. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5 |
| 6 | NERC: Account Activities on UNIX Servers | NERC_Account_Activities_on_UNIX_Servers | Displays all account activities on UNIX servers to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1, CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 7 | NERC: Account Activities on Windows Servers | NERC_Account_Activities_on_Windows_Servers | Displays all account activities on Windows servers to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1, CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 8 | NERC: Accounts Changed on NetApp Filer | NERC_Accounts_Changed_on_NetApp_Filer | Displays all accounts changed on NetApp Filer to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1, CIP-007 R5.2, CIP-007-5 R5.3 |
| 9 | NERC: Accounts Changed on TIBCO Administrator | NERC_Accounts_Changed_on_TIBCO_Administrator | Displays all accounts changed on TIBCO Administrator to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1, CIP-007 R5.2, CIP-007-5 R5.3 |
| 10 | NERC: Accounts Changed on TIBCO ActiveMatrix Administrator | NERC_Accounts_Changed_on_TIBCO_ActiveMatrix_Administrator | Displays all accounts changed on TIBCO ActiveMatrix Administrator to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1, CIP-007 R5.2, CIP-007-5 R5.3 |
| 11 | NERC: Accounts Changed on UNIX Servers | NERC_Accounts_Changed_on_UNIX_Servers | Displays all accounts changed on UNIX servers to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1, CIP-007 R5.2, CIP-007-5 R5.3 |
| 12 | NERC: Accounts Changed on Windows Servers | NERC_Accounts_Changed_on_Windows_Servers | Displays all accounts changed on Windows servers to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1, CIP-007 R5.2, CIP-007-5 R5.3 |
| 13 | NERC: Accounts Created on NetApp Filer | NERC_Accounts_Created_on_NetApp_Filer | Displays all accounts created on NetApp Filer to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 14 | NERC: Accounts Created on NetApp Filer Audit | NERC_Accounts_Created_on_NetApp_Filer_Audit | Displays all accounts created on NetApp Filer Audit to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 15 | NERC: Accounts Created on Symantec Endpoint Protection | NERC_Accounts_Created_on_Symantec_Endpoint_Protection | Displays all accounts created on Symantec Endpoint Protection to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 16 | NERC: Accounts Created on TIBCO Administrator | NERC_Accounts_Created_on_TIBCO_Administrator | Displays all accounts created on TIBCO Administrator to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 17 | NERC: Accounts Created on TIBCO ActiveMatrix Administrator | NERC_Accounts_Created_on_TIBCO_ActiveMatrix_Administrator | Displays all accounts created on TIBCO ActiveMatrix Administrator to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 18 | NERC: Accounts Created on UNIX Servers | NERC_Accounts_Created_on_UNIX_Servers | Displays all accounts created on UNIX servers to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 19 | NERC: Accounts Created on Windows Servers | NERC_Accounts_Created_on_Windows_Servers | Displays all accounts created on Windows servers to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 20 | NERC: Accounts Deleted on NetApp Filer | NERC_Accounts_Deleted_on_NetApp_Filer | Displays all accounts deleted on NetApp Filer to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 21 | NERC: Accounts Deleted on NetApp Filer Audit | NERC_Accounts_Deleted_on_NetApp_Filer_Audit | Displays all accounts deleted on NetApp Filer Audit to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 22 | NERC: Accounts Deleted on Symantec Endpoint Protection | NERC_Accounts_Deleted_on_Symantec_Endpoint_Protection | Displays all accounts deleted on Symantec Endpoint Protection to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 23 | NERC: Accounts Deleted on TIBCO Administrator | NERC_Accounts_Deleted_on_TIBCO_Administrator | Displays all accounts deleted on TIBCO Administrator to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 24 | NERC: Accounts Deleted on TIBCO ActiveMatrix Administrator | NERC_Accounts_Deleted_on_TIBCO_ActiveMatrix_Administrator | Displays all accounts deleted on TIBCO ActiveMatrix Administrator to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 25 | NERC: Accounts Deleted on UNIX Servers | NERC_Accounts_Deleted_on_UNIX_Servers | Displays all accounts deleted on UNIX servers to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 26 | NERC: Accounts Deleted on Windows Servers | NERC_Accounts_Deleted_on_Windows_Servers | Displays all accounts deleted on Windows servers to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 27 | NERC: Active Connections for Cisco ASA | Not Applicable | Displays all currently active firewall connections for Cisco ASA. | CIP-005-1 R1.6 |
| 28 | NERC: Active Connections for Cisco FWSM | Not Applicable | Displays all currently active firewall connections for Cisco FWSM. | CIP-005-1 R1.6 |
| 29 | NERC: Active Directory System Changes | Not Applicable | Displays changes made within Active Directory. | CIP-005-1 R3 |
| 30 | NERC: Active VPN Connections for Cisco VPN Concentrators | Not Applicable | Displays all currently active VPN connections for Cisco VPN Concentrators. | CIP-005-1 R1.6, CIP-012-1 R1.1 |
| 31 | NERC: Active VPN Connections for Nortel Contivity | Not Applicable | Displays all currently active VPN connections for Nortel Contivity VPN devices. | CIP-005-1 R1.6, CIP-012-1 R1.1 |
| 32 | NERC: Administrator Logins on Windows Servers | NERC_Administrator_Logins_on_Windows_Servers | Displays all logins with the administrator account on Windows servers. | CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 33 | NERC: Allowed URLs by Source IPs | Not Applicable | Displays successful access to URLs by source IP addresses. | CIP-005-1 R2.2, CIP-005-1 R4.2 |
| 34 | NERC: Allowed URLs by Source IPs - F5 BIG-IP TMOS | NERC_Allowed_URLs_by_Source_IPs_F5_BIG-IP_TMOS | Displays successful access to URLs by source IP addresses on F5 BIG-IP TMOS. | CIP-005-1 R2.2, CIP-005-1 R4.2 |
| 35 | NERC: Allowed URLs by Source IPs - Microsoft IIS | Not Applicable | Displays successful access to URLs by source IP addresses on Microsoft IIS. | CIP-005-1 R2.2, CIP-005-1 R4.2 |
| 36 | NERC: Allowed URLs by Source Users | Not Applicable | Displays successful access to URLs by source users. | CIP-005-1 R2.2, CIP-005-1 R4.2 |
| 37 | NERC: Allowed URLs by Source Users - F5 BIG-IP TMOS | NERC_Allowed_URLs_by_Source_Users_F5_BIG-IP_TMOS | Displays successful access to URLs by source users on F5 BIG-IP TMOS. | CIP-005-1 R2.2, CIP-005-1 R4.2 |
| 38 | NERC: Allowed URLs by Source Users - Microsoft IIS | Not Applicable | Displays successful access to URLs by source users on Microsoft IIS. | CIP-005-1 R2.2, CIP-005-1 R4.2 |
| 39 | NERC: Attackers by Service | Not Applicable | Displays all attack source IP addresses and service ports. | CIP-007 R6.2, CIP-007-5 R4.2 |
| 40 | NERC: Attackers by Service - Cisco IOS | NERC_Attackers_by_Service_Cisco_IOS | Displays all attack source IP addresses and service ports by Cisco IOS. | CIP-007 R6.2, CIP-007-5 R4.2 |
| 41 | NERC: Attackers by Service - ISS SiteProtector | NERC_Attackers_by_Service_ISS_SiteProtector | Displays all attack source IP addresses and service ports by ISS SiteProtector. | CIP-007 R6.2, CIP-007-5 R4.2 |
| 42 | NERC: Attackers by Service - FireEye MPS | NERC_Attackers_by_Service_FireEye_MPS | Displays all attack source IP addresses and service ports by FireEye MPS. | CIP-007 R4, CIP-007-5 R3 |
| 43 | NERC: Attackers by Service - SiteProtector | NERC_Attackers_by_Service_SiteProtector | Displays all attack source IP addresses and service ports by SiteProtector. | CIP-007 R6.2, CIP-007-5 R4.2 |
| 44 | NERC: Attackers by Service - Sourcefire Defense Center | NERC_Attackers_by_Service_Cisco_FirePower | Displays all attack source IP addresses and service ports by Sourcefire Defense Center and Cisco FirePower. | CIP-007 R6.2, CIP-007-5 R4.2 |
| 45 | NERC: Attackers by Signature | Not Applicable | Displays all attack source IP addresses and signatures. | CIP-007 R6.2, CIP-007-5 R4.2 |
| 46 | NERC: Attackers by Signature - Cisco IOS | NERC_Attackers_by_Signature_Cisco_IOS | Displays all attack source IP addresses and signatures by Cisco IOS. | CIP-007 R6.2, CIP-007-5 R4.2 |
| 47 | NERC: Attackers by Signature - ISS SiteProtector | NERC_Attackers_by_Signature_ISS_SiteProtector | Displays all attack source IP addresses and signatures by ISS SiteProtector. | CIP-007 R6.2, CIP-007-5 R4.2 |
| 48 | NERC: Attackers by Signature - FireEye MPS | NERC_Attackers_by_Signature_FireEye_MPS | Displays all attack source IP addresses and signatures by FireEye MPS. | CIP-007 R4, CIP-007-5 R3 |
| 49 | NERC: Attackers by Signature - SiteProtector | NERC_Attackers_by_Signature_SiteProtector | Displays all attack source IP addresses and signatures by SiteProtector. | CIP-007 R6.2, CIP-007-5 R4.2 |
| 50 | NERC: Attackers by Signature - Sourcefire Defense Center | NERC_Attackers_by_Signature_Cisco_FirePower | Displays all attack source IP addresses and signatures by Sourcefire Defense Center and Cisco FirePower. | CIP-007 R6.2, CIP-007-5 R4.2 |
| 51 | NERC: Attacks Detected | Not Applicable | Displays all IDS attacks detected to servers and applications. | CIP-007 R6.2, CIP-007-5 R4.2 |
| 52 | NERC: Attacks Detected - Cisco IOS | NERC_Attacks_Detected_Cisco_IOS | Displays all IDS attacks detected to servers and applications by Cisco IOS. | CIP-007 R6.2, CIP-007-5 R4.2 |
| 53 | NERC: Attacks Detected - ISS SiteProtector | NERC_Attacks_Detected_ISS_SiteProtector | Displays all IDS attacks detected to servers and applications by ISS SiteProtector. | CIP-007 R6.2, CIP-007-5 R4.2 |
| 54 | NERC: Attacks Detected - SiteProtector | NERC_Attacks_Detected_SiteProtector | Displays all IDS attacks detected to servers and applications by SiteProtector. | CIP-007 R6.2, CIP-007-5 R4.2 |
| 55 | NERC: Attacks Detected - Sourcefire Defense Center | NERC_Attacks_Detected_Sourcefire_Defense_Center | Displays all IDS attacks detected to servers and applications by Cisco FirePower and Sourcefire Defense Center. | CIP-007 R6.2, CIP-007-5 R4.2 |
| 56 | NERC: Attacks Detected - HIPS | NERC_Attacks_Detected_McAfee_HIPS | Displays all IPS attacks detected to servers and applications. | CIP-007 R6.2, CIP-007-5 R4.2 |
| 57 | NERC: Bandwidth Usage by User | Not Applicable | Displays users who are using the most bandwidth. | CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 58 | NERC: Blocked URLs by Source IPs | Not Applicable | Displays URLs that have been blocked by source IP addresses. | CIP-005-1 R2.2, CIP-005-1 R4.2 |
| 59 | NERC: Blocked URLs by Source IPs - F5 BIG-IP TMOS | NERC_Blocked_URLs_by_Source_IPs_F5_BIG-IP_TMOS | Displays URLs that have been blocked by source IP addresses on F5 BIG-IP TMOS. | CIP-005-1 R2.2, CIP-005-1 R4.2 |
| 60 | NERC: Blocked URLs by Source IPs - Microsoft IIS | Not Applicable | Displays URLs that have been blocked by source IP addresses on Microsoft IIS. | CIP-005-1 R2.2, CIP-005-1 R4.2 |
| 61 | NERC: Blocked URLs by Source Users | Not Applicable | Displays URLs that have been blocked by source users. | CIP-005-1 R2.2, CIP-005-1 R4.2 |
| 62 | NERC: Blocked URLs by Source Users - F5 BIG-IP TMOS | NERC_Blocked_URLs_by_Source_Users_F5_BIG-IP_TMOS | Displays URLs that have been blocked by source users on F5 BIG-IP TMOS. | CIP-005-1 R2.2, CIP-005-1 R4.2 |
| 63 | NERC: Blocked URLs by Source Users - Microsoft IIS | Not Applicable | Displays URLs that have been blocked by source users on Microsoft IIS. | CIP-005-1 R2.2, CIP-005-1 R4.2 |
| 64 | NERC: Check Point Configuration Changes | NERC_Check_Point_Configuration_Changes | Displays all Check Point audit events related to configuration changes. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 65 | NERC: Cisco ESA: Attacks by Event ID | NERC_Cisco_ESA_Attacks_by_Event_ID | Displays Cisco ESA attacks by Event ID. | CIP-007 R4, CIP-007-5 R3 |
| 66 | NERC: Cisco ESA: Attacks Detected | NERC_Cisco_ESA_Attacks_Detected | Displays attacks detected by Cisco ESA. | CIP-007 R4, CIP-007-5 R3 |
| 67 | NERC: Cisco ESA: Attacks by Threat Name | NERC_Cisco_ESA_Attacks_by_Threat_Name | Displays Cisco ESA attacks by threat name. | CIP-007 R4, CIP-007-5 R3 |
| 68 | NERC: Cisco ESA: Scans | NERC_Cisco_ESA_Scans | Displays scans using Cisco ESA. | CIP-007 R4, CIP-007-5 R3 |
| 69 | NERC: Cisco ESA: Updated | NERC_Cisco_ESA_Updated | Displays updates to Cisco ESA. | CIP-007 R4, CIP-007-5 R2, CIP-007-5 R3 |
| 70 | NERC: Cisco ISE, ACS Accounts Created | NERC_Cisco_ISE_ACS_Accounts_Created | Displays all accounts created on Cisco ISE and Cisco SecureACS to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 71 | NERC: Cisco ISE, ACS Accounts Removed | NERC_Cisco_ISE_ACS_Accounts_Removed | Displays all accounts removed on Cisco ISE and Cisco SecureACS to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 72 | NERC: Cisco ISE, ACS Configuration Changes | NERC_Cisco_ISE_ACS_Configuration_Changes | Displays Cisco ISE and Cisco SecureACS configuration changes. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 73 | NERC: Cisco ISE, ACS Password Changes | NERC_Cisco_ISE_ACS_Password_Changes | Displays all password change activities on Cisco ISE and Cisco SecureACS to ensure authorized and appropriate access. | CIP-005-1 R3, CIP-007 R5.3.3, CIP-007-5 R5.6 |
| 74 | NERC: Cisco ASA, FWSM Failover Disabled | NERC_Cisco_ASA_FWSM_Failover_Disabled | Displays all logs related to disabling Cisco ASA and FWSM failover capability. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 75 | NERC: Cisco ASA, FWSM Failover Performed | NERC_Cisco_ASA_FWSM_Failover_Performed | Displays all logs related to performing a Cisco ASA and FWSM failover. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 76 | NERC: Cisco ASA, FWSM Policy Changed | NERC_Cisco_ASA_FWSM_Policy_Changed | Displays all configuration changes made to the Cisco ASA and FWSM devices. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 77 | NERC: Cisco ASA, FWSM Restarted | NERC_Cisco_ASA_FWSM_Restarted | Displays all Cisco ASA or FWSM restart activities to detect unusual activities. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 78 | NERC: Cisco Switch Policy Changes | NERC_Cisco_Switch_Policy_Changes | Displays all configuration changes to the Cisco router and switch policies. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 79 | NERC: DB2 Database Configuration Changes | NERC_DB2_Database_Configuration_Changes | Displays DB2 database configuration changes. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 80 | NERC: DB2 Database Failed Logins | NERC_DB2_Database_Failed_Logins | Displays all failed login attempts to review any access violations or unusual activity. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5 |
| 81 | NERC: DB2 Database Successful Logins | NERC_DB2_Database_Successful_Logins | Displays successful DB2 database logins. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 82 | NERC: DB2 Database User Additions and Deletions | NERC_DB2_Database_User_Additions_and_Deletions | Displays IBM DB2 Database events related to creation and deletion of database users. | CIP-005-1 R2.4 |
| 83 | NERC: Denied Connections - Cisco IOS | NERC_Denied_Connections_Cisco_IOS | Displays all connections that have been denied by the Cisco IOS devices. | CIP-005-1 R1.6, CIP-005-1 R2.4, CIP-005-1 R3.2 |
| 84 | NERC: Denied Connections - Cisco NXOS | NERC_Denied_Connections_Cisco_NXOS | Displays all connections that have been denied by the Cisco NXOS devices. | CIP-005-1 R1.6, CIP-005-1 R2.4, CIP-005-1 R3.2 |
| 85 | NERC: Denied Connections - Cisco Router | Not Applicable | Displays all connections that have been denied by the Cisco Router devices. | CIP-005-1 R1.6, CIP-005-1 R2.4, CIP-005-1 R3.2 |
| 86 | NERC: Denied Connections - F5 BIG-IP TMOS | NERC_Denied_Connections_F5_BIG-IP_TMOS | Displays all connections that have been denied by the F5 BIG-IP TMOS devices. | CIP-005-1 R1.6, CIP-005-1 R2.4, CIP-005-1 R3.2 |
| 87 | NERC: Denied Connections by IP Addresses | Not Applicable | Displays remote IP addresses with the most denied connections. | CIP-005-1 R1.6, CIP-005-1 R2.4, CIP-005-1 R3.2 |
| 88 | NERC: Denied Inbound Connections - Check Point | Not Applicable | Displays all inbound connections that have been denied by the Check Point devices. | CIP-005-1 R1.6, CIP-005-1 R2.4, CIP-005-1 R3.2 |
| 89 | NERC: Denied Inbound Connections - Cisco ASA | NERC_Denied_Inbound_Connections_Cisco_ASA | Displays all inbound connections that have been denied by the Cisco ASA devices. | CIP-005-1 R1.6, CIP-005-1 R2.4, CIP-005-1 R3.2 |
| 90 | NERC: Denied Inbound Connections - Cisco FWSM | NERC_Denied_Inbound_Connections_Cisco_FWSM | Displays all inbound connections that have been denied by the Cisco FWSM devices. | CIP-005-1 R1.6, CIP-005-1 R2.4, CIP-005-1 R3.2 |
| 91 | NERC: Denied Outbound Connections - Check Point | Not Applicable | Displays all outbound connections that have been denied by the Check Point. | CIP-005-1 R1.6, CIP-005-1 R2.4, CIP-005-1 R3.2 |
| 92 | NERC: Denied Outbound Connections - Cisco ASA | NERC_Denied_Outbound_Connections_Cisco_ASA | Displays all outbound connections that have been denied by the Cisco ASA. | CIP-005-1 R1.6, CIP-005-1 R2.4, CIP-005-1 R3.2 |
| 93 | NERC: Denied Outbound Connections - Cisco FWSM | NERC_Denied_Outbound_Connections_Cisco_FWSM | Displays all outbound connections that have been denied by the Cisco FWSM. | CIP-005-1 R1.6, CIP-005-1 R2.4, CIP-005-1 R3.2 |
| 94 | NERC: DHCP Activities on Microsoft DHCP | NERC_DHCP_Granted_Renewed_Activities_on_Microsoft_DHCP | Displays all DHCP Granted/Renewed activities on Microsoft DHCP Server. | CIP-005-1 R1.4, CIP-005-1 R3.2 |
| 95 | NERC: DNS Server Error | NERC_DNS_Server_Error | Displays all events when DNS Server has errors. | CIP-005-1 R3 |
| 96 | NERC: Domain activities on Symantec Endpoint Protection | NERC_Domain_activities_on_Symantec_Endpoint_Protection | Displays all domain activities on Symantec Endpoint Protection. | CIP-007 R5.2, CIP-007-5 R5.3 |
| 97 | NERC: Escalated Privilege Activities on Servers | Not Applicable | Displays all privilege escalation activities performed on servers to ensure appropriate access. | CIP-003-1 R3.2 |
| 98 | NERC: ESX Accounts Activities | NERC_ESX_Accounts_Activities | Displays all account activities on VMware ESX servers to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1, CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 99 | NERC: ESX Accounts Created | NERC_ESX_Accounts_Created | Displays all accounts created on VMware ESX servers to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 100 | NERC: ESX Accounts Deleted | NERC_ESX_Accounts_Deleted | Displays all accounts deleted on VMware ESX servers to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 101 | NERC: ESX Failed Logins | NERC_ESX_Failed_Logins | Failed VMware ESX logins for known user. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5 |
| 102 | NERC: ESX Group Activities | NERC_ESX_Group_Activities | Displays all group activities on VMware ESX servers to ensure authorized and appropriate access. | CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 103 | NERC: ESX Kernel log daemon terminating | NERC_ESX_Kernel_log_daemon_terminating | Displays all VMware ESX Kernel log daemon terminating. | CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 104 | NERC: ESX Kernel logging Stop | NERC_ESX_Kernel_logging_Stop | Displays all VMware ESX Kernel logging stops. | CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 105 | NERC: ESX Logins Failed Unknown User | NERC_ESX_Logins_Failed_Unknown_User | Failed VMware ESX logins for unknown user. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5 |
| 106 | NERC: ESX Logins Succeeded | NERC_ESX_Logins_Succeeded | Displays successful logins to VMware ESX to ensure only authorized personnel have access. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 107 | NERC: ESX Syslogd Restart | NERC_ESX_Syslogd_Restart | Displays all VMware ESX syslogd restarts. | CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 108 | NERC: F5 BIG-IP TMOS Login Failed | NERC_F5_BIG-IP_TMOS_Login_Failed | Displays all F5 BIG-IP TMOS login events which have failed. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5 |
| 109 | NERC: F5 BIG-IP TMOS Login Successful | NERC_F5_BIG-IP_TMOS_Login_Successful | Displays all F5 BIG-IP TMOS login events which have succeeded. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 110 | NERC: F5 BIG-IP TMOS Password Changes | NERC_F5_BIG-IP_TMOS_Password_Changes | Displays all password change activities on F5 BIG-IP TMOS to ensure authorized and appropriate access. | CIP-005-1 R3, CIP-007 R5.3.3, CIP-007-5 R5.6 |
| 111 | NERC: F5 BIG-IP TMOS Restarted | NERC_F5_BIG-IP_TMOS_Restarted | Displays all events when the F5 BIG-IP TMOS has been restarted. | CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 112 | NERC: Failed Logins | Not Applicable | Displays all failed login attempts to review any access violations or unusual activity. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5 |
| 113 | NERC: Files Accessed on NetApp Filer Audit | NERC_Files_Accessed_on_NetApp_Filer_Audit | Displays all files accessed on NetApp Filer Audit to ensure appropriate access. | CIP-005-1 R2.4, CIP-007-5 R3, CIP-007 R5 |
| 114 | NERC: Files Accessed on Servers | Not Applicable | Displays all files accessed on servers to ensure appropriate access. | CIP-005-1 R2.4, CIP-007-5 R3, CIP-007 R5 |
| 115 | NERC: Files Accessed through Juniper SSL VPN (Secure Access) | NERC_Files_Accessed_through_Juniper_SSL_VPN_Secure_Access | Displays all files accessed through Juniper SSL VPN (Secure Access). | CIP-005-1 R2.4, CIP-007-5 R3, CIP-007 R5, CIP-012-1 R1.1 |
| 116 | NERC: Files Accessed through PANOS | NERC_Files_Accessed_through_PANOS | Displays all files accessed through Palo Alto Networks. | CIP-005-1 R2.4, CIP-007-5 R3, CIP-007 R5, CIP-012-1 R1.1 |
| 117 | NERC: Files Accessed Through Pulse Connect Secure | NERC_Files_Accessed_Through_Pulse_Connect_Secure | Displays all files accessed through Pulse Connect Secure. | CIP-005-1 R2.4, CIP-007-5 R3, CIP-007 R5, CIP-012-1 R1.1 |
| 118 | NERC: Files Downloaded via Proxy | Not Applicable | Displays all proxy-based downloads to ensure authorized and appropriate access. | CIP-005-1 R1.6, CIP-007-5 R3, CIP-007 R5 |
| 119 | NERC: Files Downloaded via Proxy - Blue Coat | NERC_Files_Downloaded_via_Proxy_Blue_Coat | Displays all proxy-based downloads to ensure authorized and appropriate access on Blue Coat. | CIP-005-1 R1.6, CIP-007-5 R3, CIP-007 R5 |
| 120 | NERC: Files Downloaded via Proxy - Cisco WSA | NERC_Files_Downloaded_via_Proxy_Cisco_WSA | Displays all proxy-based downloads to ensure authorized and appropriate access on Cisco WSA. | CIP-005-1 R1.6, CIP-007-5 R3, CIP-007 R5 |
| 121 | NERC: Files Downloaded via Proxy - Microsoft IIS | Not Applicable | Displays all proxy-based downloads to ensure authorized and appropriate access on Microsoft IIS. | CIP-005-1 R1.6, CIP-007-5 R3, CIP-007 R5 |
| 122 | NERC: Files Downloaded via the Web | Not Applicable | Displays all web-based downloads to ensure authorized and appropriate access. | CIP-005-1 R1.6, CIP-007-5 R3, CIP-007 R5 |
| 123 | NERC: Files Downloaded via the Web - F5 BIG-IP TMOS | NERC_Files_Downloaded_via_the_Web_F5_BIG-IP_TMOS | Displays all web-based downloads to ensure authorized and appropriate access on F5 BIG-IP TMOS. | CIP-005-1 R1.6, CIP-007-5 R3, CIP-007 R5 |
| 124 | NERC: Files Downloaded via the Web - Microsoft IIS | Not Applicable | Displays all web-based downloads to ensure authorized and appropriate access on Microsoft IIS. | CIP-005-1 R1.6, CIP-007-5 R3, CIP-007 R5 |
| 125 | NERC: Files Uploaded via Proxy | Not Applicable | Displays all proxy-based uploads to ensure only authorized data can be uploaded. | CIP-005-1 R1.6, CIP-007-5 R3, CIP-007 R5 |
| 126 | NERC: Files Uploaded via Proxy - Blue Coat | NERC_Files_Uploaded_via_Proxy_Blue_Coat | Displays all proxy-based uploads to ensure only authorized data can be uploaded on Blue Coat. | CIP-005-1 R1.6, CIP-007-5 R3, CIP-007 R5 |
| 127 | NERC: Files Uploaded via Proxy - Cisco WSA | NERC_Files_Uploaded_via_Proxy_Cisco_WSA | Displays all proxy-based uploads to ensure only authorized data can be uploaded on Cisco WSA. | CIP-005-1 R1.6, CIP-007-5 R3, CIP-007 R5 |
| 128 | NERC: Files Uploaded via Proxy - Microsoft IIS | Not Applicable | Displays all proxy-based uploads to ensure only authorized data can be uploaded on Microsoft IIS. | CIP-005-1 R1.6, CIP-007-5 R3, CIP-007 R5 |
| 129 | NERC: Files Uploaded via the Web | Not Applicable | Displays all web-based uploads to ensure only authorized data can be uploaded. | CIP-005-1 R1.6, CIP-007-5 R3, CIP-007 R5 |
| 130 | NERC: Files Uploaded via the Web - F5 BIG-IP TMOS | NERC_Files_Uploaded_via_the_Web_F5_BIG-IP_TMOS | Displays all web-based uploads to ensure only authorized data can be uploaded on F5 BIG-IP TMOS. | CIP-005-1 R1.6, CIP-007-5 R3, CIP-007 R5 |
| 131 | NERC: Files Uploaded via the Web - Microsoft IIS | Not Applicable | Displays all web-based uploads to ensure only authorized data can be uploaded on Microsoft IIS. | CIP-005-1 R1.6, CIP-007-5 R3, CIP-007 R5 |
| 132 | NERC: FireEye MPS: Attacks by Event ID | NERC_FireEye_MPS_Attacks_by_Event_ID | Displays FireEye MPS attacks by Event ID. | CIP-007 R4, CIP-007-5 R3 |
| 133 | NERC: FireEye MPS: Attacks by Threat Name | NERC_FireEye_MPS_Attacks_by_Threat_Name | Displays FireEye MPS attacks by threat name. | CIP-007 R4, CIP-007-5 R3 |
| 134 | NERC: FireEye MPS: Attacks Detected | NERC_FireEye_MPS_Attacks_Detected | Displays attacks detected by FireEye MPS. | CIP-007 R4, CIP-007-5 R3 |
| 135 | NERC: FortiOS: Attacks Detected | NERC_FortiOS_Attacks_Detected | Displays FortiOS attacks by Event ID. | CIP-007 R4, CIP-007-5 R3 |
| 136 | NERC: FortiOS: Attacks by Event ID | NERC_FortiOS_Attacks_by_Event_ID | Displays FortiOS attacks by threat name. | CIP-007 R4, CIP-007-5 R3 |
| 137 | NERC: FortiOS: Attacks by Threat Name | NERC_FortiOS_Attacks_by_Threat_Name | Displays attacks detected by FortiOS. | CIP-007 R4, CIP-007-5 R3 |
| 138 | NERC: FortiOS DLP Attacks Detected | NERC_FortiOS_DLP_Attacks_Detected | Displays all DLP attacks detected by FortiOS. | CIP-007 R4, CIP-007-5 R3 |
| 139 | NERC: Group Activities on NetApp Filer Audit | NERC_Group_Activities_on_NetApp_Filer_Audit | Displays all group activities on NetApp Filer Audit to ensure authorized and appropriate access. | CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 140 | NERC: Group Activities on Symantec Endpoint Protection | NERC_Group_Activities_on_Symantec_Endpoint_Protection | Displays all group activities on Symantec Endpoint Protection to ensure authorized and appropriate access. | CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 141 | NERC: Group Activities on TIBCO ActiveMatrix Administrator | Not Applicable | Displays all group activities on TIBCO ActiveMatrix Administrator to ensure authorized and appropriate access. | CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 142 | Not Applicable | NERC_Group_Activities_on_TIBCO_Spotfire | Displays all accounts added to groups to ensure appropriate access. | CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 143 | NERC: Group Activities on UNIX Servers | NERC_Group_Activities_on_UNIX_Servers | Displays all group activities on UNIX servers to ensure authorized and appropriate access. | CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 144 | NERC: Group Activities on Windows Servers | NERC_Group_Activities_on_Windows_Servers | Displays all group activities on Windows servers to ensure authorized and appropriate access. | CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 145 | NERC: Guardium SQL Guard Audit Configuration Changes | NERC_Guardium_SQL_Guard_Audit_Configuration_Changes | Displays all configuration changes on the Guardium SQL Guard Audit database. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 146 | NERC: Guardium SQL Guard Audit Logins | NERC_Guardium_SQL_Guard_Audit_Logins | Displays all login attempts to the Guardium SQL Server Audit database. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 147 | NERC: Guardium SQL Guard Configuration Changes | NERC_Guardium_SQL_Guard_Configuration_Changes | Displays all configuration changes on the Guardium SQL Guard database. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 148 | NERC: Guardium SQL Guard Logins | NERC_Guardium_SQL_Guard_Logins | Displays all login attempts to the Guardium SQL Server database. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 149 | NERC: HP NonStop Audit Configuration Changes | NERC_HP_NonStop_Audit_Configuration_Changes | Displays all audit configuration changes on HP NonStop. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 150 | NERC: HP NonStop Audit Login Failed | NERC_HP_NonStop_Audit_Login_Failed | Displays all HP NonStop Audit login events which have failed. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5 |
| 151 | NERC: HP NonStop Audit Login Successful | NERC_HP_NonStop_Audit_Login_Successful | Displays all HP NonStop Audit login events which have succeeded. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 152 | NERC: HP NonStop Audit Object Access | NERC_HP_NonStop_Audit_Object_Access | Displays HP NonStop Audit events related to object access. | CIP-005-1 R2.4 |
| 153 | NERC: HP NonStop Audit Object Changes | NERC_HP_NonStop_Audit_Object_Changes | Displays HP NonStop Audit events related to object changes. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 154 | NERC: HP NonStop Audit Permissions Changed | NERC_HP_NonStop_Audit_Permissions_Changed | Displays all permission modification activities on HP NonStop Audit to ensure authorized access. | CIP-005-1 R3, CIP-007 R5.2, CIP-007-5 R5.3 |
| 155 | NERC: i5/OS Access Control List Modifications | NERC_i5_OS_Access_Control_List_Modifications | Displays i5/OS events related to access control list modification. | CIP-007-5 R3, CIP-007 R5 |
| 156 | NERC: i5/OS Audit Configuration Changes | NERC_i5_OS_Audit_Configuration_Changes | Displays all audit configuration changes on i5/OS. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 157 | NERC: i5/OS DST Password Reset | NERC_i5_OS_DST_Password_Reset | Displays i5/OS events related to the reset of the DST (Dedicated Service Tools) password. | CIP-007 R5.3.3, CIP-007-5 R5.6 |
| 158 | NERC: i5/OS Object Access | NERC_i5_OS_Object_Access | Displays i5/OS events related to object access. | CIP-005-1 R2.4 |
| 159 | NERC: i5/OS Restore Events | NERC_i5_OS_Restore_Events | Displays i5/OS events related to object, program, and profile restoration. | CIP-005-1 R4.4 |
| 160 | NERC: i5/OS System Management Changes | NERC_i5_OS_System_Management_Changes | Displays i5/OS events related to system management changes. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 161 | NERC: i5/OS User Profile Creation, Modification, or Restoration | NERC_i5_OS_User_Profile_Creation_Modification_or_Restoration | Displays i5/OS events related to user profile creation, modification, or restoration. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 162 | NERC: Last Activities Performed by Administrators | Not Applicable | Displays the latest activities performed by administrators and root users to ensure appropriate access. | CIP-007-5 R3, CIP-007 R5 |
| 163 | NERC: Last Activities Performed by All Users | Not Applicable | Displays the latest activities performed by all users to ensure appropriate access. | CIP-007-5 R3, CIP-007 R5 |
| 164 | NERC: Logins by Authentication Type | Not Applicable | Displays all logins categorized by the authentication type. | CIP-005-1 R2.3, CIP-007-5 R3, CIP-007 R5 |
| 165 | NERC: LogLogic Management Center Account Activities | NERC_LogLogic_Management_Center_Account_Activities | Displays all accounts activities on LogLogic management center to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1, CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 166 | NERC: LogLogic Management Center Login | NERC_LogLogic_Management_Center_Login | Displays all login events to the LogLogic management center. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 167 | NERC: LogLogic Management Center Password Changes | NERC_LogLogic_Management_Center_Password_Changes | Displays all password change activities on LogLogic management center to ensure authorized and appropriate access. | CIP-005-1 R3, CIP-007 R5.3.3, CIP-007-5 R5.6 |
| 168 | NERC: LogLogic Management Center Restore Activities | NERC_LogLogic_Management_Center_Restore_Activities | Displays all restore activities on LogLogic management center. | CIP-005-1 R4.4 |
| 169 | NERC: LogLogic Universal Collector Configuration Changes | NERC_LogLogic_Universal_Collector_Configuration_Changes | Displays LogLogic universal collector configuration changes. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 170 | NERC: McAfee AntiVirus: Attacks by Event ID | NERC_McAfee_AntiVirus_Attacks_by_Event_ID | Displays McAfee AntiVirus attacks by Event ID. | CIP-007 R4, CIP-007-5 R3 |
| 171 | NERC: McAfee AntiVirus: Attacks by Threat Name | NERC_McAfee_AntiVirus_Attacks_by_Threat_Name | Displays McAfee AntiVirus attacks by threat name. | CIP-007 R4, CIP-007-5 R3 |
| 172 | NERC: McAfee AntiVirus: Attacks Detected | NERC_McAfee_AntiVirus_Attacks_Detected | Displays attacks detected by McAfee AntiVirus. | CIP-007 R4, CIP-007-5 R3 |
| 173 | NERC: Microsoft Operations Manager - Windows Accounts Activities | NERC_Microsoft_Operations_Manager_Windows_Accounts_Activities | Displays all accounts activities on Windows servers to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1, CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 174 | NERC: Microsoft Operations Manager - Windows Accounts Changed | NERC_Microsoft_Operations_Manager_Windows_Accounts_Changed | Displays all accounts changed on Windows servers to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1, CIP-007 R5.2, CIP-007-5 R5.3 |
| 175 | NERC: Microsoft Operations Manager - Windows Accounts Created | NERC_Microsoft_Operations_Manager_Windows_Accounts_Created | Displays all accounts created on Windows servers to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 176 | NERC: Microsoft Operations Manager - Windows Accounts Enabled | NERC_Microsoft_Operations_Manager_Windows_Accounts_Enabled | Displays all accounts enabled on Windows servers to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 177 | NERC: Microsoft Operations Manager - Windows Events by Users | NERC_Microsoft_Operations_Manager_Windows_Events_by_Users | Displays a summary of access-related Windows events by source and target users. | CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 178 | NERC: Microsoft Operations Manager - Windows Password Changes | NERC_Microsoft_Operations_Manager_Windows_Password_Changes | Displays all password change activities on Windows servers to ensure authorized and appropriate access. | CIP-007 R5.3.3, CIP-007-5 R5.6 |
| 179 | NERC: Microsoft Operations Manager - Windows Permissions Modified | NERC_Microsoft_Operations_Manager_Windows_Permissions_Modified | Displays all permission modification activities on Windows servers to ensure authorized access. | CIP-005-1 R3, CIP-007 R5.2, CIP-007-5 R5.3 |
| 180 | NERC: Microsoft Operations Manager - Windows Policies Modified | NERC_Microsoft_Operations_Manager_Windows_Policies_Modified | Displays all policy modification activities on Windows servers to ensure authorized and appropriate access. | CIP-007 R5.2, CIP-007-5 R5.3 |
| 181 | NERC: Microsoft Operations Manager - Windows Servers Restarted | NERC_Microsoft_Operations_Manager_Windows_Servers_Restarted | Displays all Windows server restart activities to detect unusual activities. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 182 | NERC: Microsoft Sharepoint Content Deleted | NERC_Microsoft_Sharepoint_Content_Deleted | Displays all events when content has been deleted from Microsoft Sharepoint. | CIP-005-1 R2.4, CIP-005-1 R3 |
| 183 | NERC: Microsoft Sharepoint Content Updates | NERC_Microsoft_Sharepoint_Content_Updates | Displays all events when content is updated within Microsoft Sharepoint. | CIP-005-1 R2.4, CIP-005-1 R3, CIP-007-5 R3 |
| 184 | NERC: Microsoft Sharepoint Permissions Changed | NERC_Microsoft_Sharepoint_Permissions_Changed | Displays all user/group permission events to Microsoft Sharepoint. | CIP-005-1 R3, CIP-007 R5.2, CIP-007-5 R5.3 |
| 185 | NERC: Microsoft Sharepoint Policy Add, Remove, or Modify | NERC_Microsoft_Sharepoint_Policy_Add_Remove_or_Modify | Displays all events when a Microsoft Sharepoint policy is added, removed, or modified. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3 |
| 186 | NERC: Microsoft SQL Server Configuration Changes | NERC_Microsoft_SQL_Server_Configuration_Changes | Displays Microsoft SQL database configuration changes. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 187 | NERC: Microsoft SQL Server Database Failed Logins | NERC_Microsoft_SQL_Server_Database_Failed_Logins | Displays failed Microsoft SQL Server database logins. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5 |
| 188 | NERC: Microsoft SQL Server Database Successful Logins | NERC_Microsoft_SQL_Server_Database_Successful_Logins | Displays successful Microsoft SQL Server database logins. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 189 | NERC: Microsoft SQL Server Database Permission Events | NERC_Microsoft_SQL_Server_Database_Permission_Events | Displays events related to Microsoft SQL Server database permission modifications. | CIP-005-1 R2.4 |
| 190 | NERC: Microsoft SQL Server Database User Additions and Deletions | NERC_Microsoft_SQL_Server_Database_User_Additions_and_Deletions | Displays Microsoft SQL Server events related to creation and deletion of database users. | CIP-005-1 R2.4 |
| 191 | NERC: Microsoft SQL Server Password Changes | NERC_Microsoft_SQL_Server_Password_Changes | Displays password changes for Microsoft SQL Server database accounts. | CIP-007 R5.3.3, CIP-007-5 R5.6 |
| 192 | NERC: Most Active Ports Through Firewall - Check Point | Not Applicable | Displays the most active ports used through the Check Point firewall. | CIP-005-1 R1.6 |
| 193 | NERC: Most Active Ports Through Firewall - Cisco ASA | Not Applicable | Displays the most active ports used through the Cisco ASA firewall. | CIP-005-1 R1.6 |
| 194 | NERC: Most Active Ports Through Firewall - Cisco FWSM | Not Applicable | Displays the most active ports used through the Cisco FWSM firewall. | CIP-005-1 R1.6 |
| 195 | NERC: Most Active Ports Through Firewall - Fortinet | Not Applicable | Displays the most active ports used through the Fortinet firewall. | CIP-005-1 R1.6 |
| 196 | NERC: Most Active Ports Through Firewall - Nortel | Not Applicable | Displays the most active ports used through the Nortel firewall. | CIP-005-1 R1.6 |
| 197 | NERC: NetApp Filer Accounts Locked | NERC_NetApp_Filer_Accounts_Locked | Displays all accounts locked out of NetApp Filer to detect access violations or unusual activities. | CIP-005-1 R1.6, CIP-007 R2.1 |
| 198 | NERC: NetApp Filer File Activity | NERC_NetApp_Filer_File_Activity | Displays all file activities on NetApp Filer. | CIP-005-1 R2.4, CIP-007-5 R3, CIP-007 R5 |
| 199 | NERC: NetApp Filer Login Failed | NERC_NetApp_Filer_Login_Failed | Displays all NetApp Filer login events which have failed. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3, CIP-007 R5, CIP-007-5 R3 |
| 200 | NERC: NetApp Filer Login Successful | NERC_NetApp_Filer_Login_Successful | Displays all NetApp Filer login events which have succeeded. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 201 | NERC: NetApp Filer Password Changes | NERC_NetApp_Filer_Password_Changes | Displays all password change activities on NetApp Filer to ensure authorized and appropriate access. | CIP-005-1 R3, CIP-007 R5.3.3, CIP-007-5 R5.6 |
| 202 | NERC: NetApp Filer Audit Login Failed | NERC_NetApp_Filer_Audit_Login_Failed | Displays all NetApp Filer Audit login events which have failed. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5 |
| 203 | NERC: NetApp Filer Audit Accounts Enabled | NERC_NetApp_Filer_Audit_Accounts_Enabled | Displays all accounts enabled on NetApp Filer Audit to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 204 | NERC: NetApp Filer Audit Group Members Added | NERC_NetApp_Filer_Audit_Group_Members_Added | Displays all accounts added to groups on the NetApp Filer Audit to ensure appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1, CIP-007 R5.2, CIP-007-5 R5.3 |
| 205 | NERC: NetApp Filer Audit Group Members Deleted | NERC_NetApp_Filer_Audit_Group_Members_Deleted | Displays all accounts removed from groups on the NetApp Filer Audit to ensure appropriate access. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-007 R5.1.1, CIP-007 R5.2, CIP-007-5 R5.3 |
| 206 | NERC: NetApp Filer Audit Login Successful | NERC_NetApp_Filer_Audit_Login_Successful | Displays all NetApp Filer Audit login events which have succeeded. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 207 | NERC: NetApp Filer Audit Policies Modified | NERC_NetApp_Filer_Audit_Policies_Modified | Displays all policy modification activities on NetApp Filer Audit to ensure authorized and appropriate access. | CIP-007 R5.2, CIP-007-5 R5.3 |
| 208 | NERC: Novell eDirectory Password Changes | Not Applicable | Password Changes on Novell eDirectory. | CIP-007 R5.3.3, CIP-007-5 R5.6 |
| 209 | NERC: Oracle Database Configuration Changes | NERC_Oracle_Database_Configuration_Changes | Displays Oracle database configuration changes. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 210 | NERC: Oracle Database Failed Logins | NERC_Oracle_Database_Failed_Logins | Displays all failed login attempts to the Oracle database. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5 |
| 211 | NERC: Oracle Database Successful Logins | NERC_Oracle_Database_Successful_Logins | Displays successful Oracle database logins. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 212 | NERC: Oracle Database Permission Events | NERC_Oracle_Database_Permission_Events | Displays events related to Oracle Server database role and privilege management. | CIP-005-1 R2.4 |
| 213 | NERC: Oracle Database User Additions and Deletions | NERC_Oracle_Database_User_Additions_and_Deletions | Displays Oracle database events related to creation and deletion of database users. | CIP-005-1 R2.4 |
| 214 | NERC: PANOS: Attacks by Event ID | NERC_PANOS_Attacks_by_Event_ID | Displays Palo Alto Networks attacks by Event ID. | CIP-007 R4, CIP-007-5 R3 |
| 215 | NERC: PANOS: Attacks by Threat Name | NERC_PANOS_Attacks_by_Threat_Name | Displays Palo Alto Networks attacks by threat name. | CIP-007 R4, CIP-007-5 R3 |
| 216 | NERC: PANOS: Attacks Detected | NERC_PANOS_Attacks_Detected | Displays attacks detected by Palo Alto Networks. | CIP-007 R4, CIP-007-5 R3 |
| 217 | NERC: Password Changes on Windows Servers | NERC_Password_Changes_on_Windows_Servers | Displays all password change activities on Windows servers to ensure authorized and appropriate access. | CIP-007 R5.3.3, CIP-007-5 R5.6 |
| 218 | NERC: Periodic Review of Log Reports | NERC_Periodic_Review_of_Log_Reports | Displays all review activities performed by administrators to ensure review for any access violations. | CIP-005-1 R3, CIP-007 R6.5, CIP-007-5 R4.4 |
| 219 | NERC: Periodic Review of User Access Logs | NERC_Periodic_Review_of_User_Access_Logs | Displays all review activities performed by administrators to ensure review for any access violations. | CIP-005-1 R3, CIP-007 R6.5, CIP-007-5 R4.4 |
| 220 | NERC: Permissions Modified on Windows Servers | NERC_Permissions_Modified_on_Windows_Servers | Displays all permission modification activities on Windows Servers to ensure authorized access. | CIP-005-1 R3, CIP-007 R5.2, CIP-007-5 R5.3 |
| 221 | NERC: Policies Modified on Windows Servers | NERC_Policies_Modified_on_Windows_Servers | Displays all policy modification activities on Windows servers to ensure authorized and appropriate access. | CIP-007 R5.2, CIP-007-5 R5.3 |
| 222 | NERC: Ports Allowed Access - Check Point | NERC_Ports_Allowed_Access_Check_Point | Displays all connections passed through the Check Point by port. | CIP-005-1 R1.6, CIP-007-5 R1.1 |
| 223 | NERC: Ports Allowed Access - Cisco ASA | NERC_Ports_Allowed_Access_Cisco_ASA | Displays all connections passed through the Cisco ASA by port. | CIP-005-1 R1.6, CIP-007-5 R1.1 |
| 224 | NERC: Ports Allowed Access - Cisco FWSM | NERC_Ports_Allowed_Access_Cisco_FWSM | Displays all connections passed through the Cisco FWSM by port. | CIP-005-1 R1.6, CIP-007-5 R1.1 |
| 225 | NERC: Ports Allowed Access - Cisco IOS | NERC_Ports_Allowed_Access_Cisco_IOS | Displays all connections passed through the Cisco IOS by port. | CIP-005-1 R1.6, CIP-007-5 R1.1 |
| 226 | NERC: Ports Allowed Access - Cisco Netflow | NERC_Ports_Allowed_Access_Cisco_Netflow | Displays all connections passed through the Cisco Netflow by port. | CIP-005-1 R1.6, CIP-007-5 R1.1 |
| 227 | NERC: Ports Allowed Access - F5 BIG-IP TMOS | NERC_Ports_Allowed_Access_F5_BIG-IP_TMOS | Displays all connections passed through the F5 BIG-IP TMOS by port. | CIP-005-1 R1.6, CIP-007-5 R1.1 |
| 228 | NERC: Ports Allowed Access - Fortinet | NERC_Ports_Allowed_Access_Fortinet | Displays all connections passed through the Fortinet by port. | CIP-005-1 R1.6, CIP-007-5 R1.1 |
| 229 | NERC: Ports Allowed Access - Juniper JunOS | NERC_Ports_Allowed_Access_Juniper_JunOS | Displays all connections passed through the Juniper JunOS by port. | CIP-005-1 R1.6, CIP-007-5 R1.1 |
| 230 | NERC: Ports Allowed Access - Nortel | Not Applicable | Displays all connections passed through the Nortel by port. | CIP-005-1 R1.6, CIP-007-5 R1.1 |
| 231 | NERC: Ports Allowed Access - PANOS | NERC_Ports_Allowed_Access_PANOS | Displays all connections passed through the Palo Alto Networks by port. | CIP-005-1 R1.6, CIP-007-5 R1.1 |
| 232 | NERC: Ports Denied Access - Check Point | NERC_Ports_Denied_Access_Check_Point | Displays the applications that have been denied access the most by the Check Point. | CIP-005-1 R2.4, CIP-005-1 R4.2, CIP-007-5 R1.2 |
| 233 | NERC: Ports Denied Access - Cisco ASA | NERC_Ports_Denied_Access_Cisco_ASA | Displays the applications that have been denied access the most by the Cisco ASA. | CIP-005-1 R2.4, CIP-005-1 R4.2, CIP-007-5 R1.2 |
| 234 | NERC: Ports Denied Access - Cisco FWSM | NERC_Ports_Denied_Access_Cisco_FWSM | Displays the applications that have been denied access the most by the Cisco FWSM. | CIP-005-1 R2.4, CIP-005-1 R4.2, CIP-007-5 R1.2 |
| 235 | NERC: Ports Denied Access - Cisco IOS | NERC_Ports_Denied_Access_Cisco_IOS | Displays the applications that have been denied access the most by the Cisco IOS. | CIP-005-1 R2.4, CIP-005-1 R4.2, CIP-007-5 R1.2 |
| 236 | NERC: Ports Denied Access - Cisco Router | Not Applicable | Displays the applications that have been denied access the most by the Cisco Router. | CIP-005-1 R2.4, CIP-005-1 R4.2, CIP-007-5 R1.2 |
| 237 | NERC: Ports Denied Access - F5 BIG-IP TMOS | NERC_Ports_Denied_Access_F5_BIG-IP_TMOS | Displays the applications that have been denied access the most by the F5 BIG-IP TMOS. | CIP-005-1 R2.4, CIP-005-1 R4.2, CIP-007-5 R1.2 |
| 238 | NERC: Ports Denied Access - Fortinet | NERC_Ports_Denied_Access_Fortinet | Displays the applications that have been denied access the most by the Fortinet. | CIP-005-1 R2.4, CIP-005-1 R4.2, CIP-007-5 R1.2 |
| 239 | NERC: Ports Denied Access - Juniper JunOS | NERC_Ports_Denied_Access_Juniper_JunOS | Displays the applications that have been denied access the most by the Juniper JunOS. | CIP-005-1 R2.4, CIP-005-1 R4.2, CIP-007-5 R1.2 |
| 240 | NERC: Ports Denied Access - Nortel | Not Applicable | Displays the applications that have been denied access the most by the Nortel. | CIP-005-1 R2.4, CIP-005-1 R4.2, CIP-007-5 R1.2 |
| 241 | NERC: Ports Denied Access - PANOS | NERC_Ports_Denied_Access_PANOS | Displays the applications that have been denied access the most by the Palo Alto Networks. | CIP-005-1 R2.4, CIP-005-1 R4.2, CIP-007-5 R1.2 |
| 242 | NERC: RACF Accounts Created | NERC_RACF_Accounts_Created | Displays all accounts created on RACF servers to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 243 | NERC: RACF Accounts Deleted | NERC_RACF_Accounts_Deleted | Displays all accounts deleted on RACF servers to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 244 | NERC: RACF Accounts Modified | NERC_RACF_Accounts_Modified | Displays all events when a network user profile has been modified. | CIP-003-1 R5.2, CIP-007 R5.1.1, CIP-007 R5.2, CIP-007-5 R5.3 |
| 245 | NERC: RACF Failed Logins | NERC_RACF_Failed_Logins | Displays all failed login attempts to review any access violations or unusual activity. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5 |
| 246 | NERC: RACF Files Accessed | NERC_RACF_Files_Accessed | Displays all files accessed on RACF servers to ensure appropriate access. | CIP-005-1 R2.4, CIP-007-5 R3, CIP-007 R5 |
| 247 | NERC: RACF Password Changed | NERC_RACF_Password_Changed | Displays all password change activities on RACF servers to ensure authorized and appropriate access. | CIP-007 R5.3.3, CIP-007-5 R5.6 |
| 248 | NERC: RACF Permissions Changed | NERC_RACF_Permissions_Changed | Displays all permission modification activities on RACF to ensure authorized access. | CIP-005-1 R3, CIP-007 R5.2, CIP-007-5 R5.3 |
| 249 | NERC: RACF Successful Logins | NERC_RACF_Successful_Logins | Displays successful logins to ensure only authorized personnel have access. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 250 | NERC: Root Logins | Not Applicable | Displays root logins. | CIP-005-1 R2.4, CIP-007-5 R3, CIP-007 R5 |
| 251 | NERC: Sensors Generating Alerts | Not Applicable | Displays the IDS sensors that generated the most alerts. | CIP-005-1 R3 |
| 252 | NERC: Sensors Generating Alerts - Cisco IOS | NERC_Sensors_Generating_Alerts_Cisco_IOS | Displays the IDS sensors that generated the most alerts by Cisco IOS. | CIP-005-1 R3 |
| 253 | NERC: Sensors Generating Alerts - ISS SiteProtector | NERC_Sensors_Generating_Alerts_ISS_SiteProtector | Displays the IDS sensors that generated the most alerts by ISS SiteProtector. | CIP-005-1 R3 |
| 254 | NERC: Sensors Generating Alerts - FireEye MPS | NERC_Sensors_Generating_Alerts_FireEye_MPS | Displays the IDS sensors that generated the most alerts by FireEye MPS. | CIP-007 R6.2, CIP-007-5 R4.2 |
| 255 | NERC: Sensors Generating Alerts - SiteProtector | NERC_Sensors_Generating_Alerts_SiteProtector | Displays the IDS sensors that generated the most alerts by SiteProtector. | CIP-005-1 R3 |
| 256 | NERC: Sensors Generating Alerts - Sourcefire Defense Center | NERC_Sensors_Generating_Alerts_Sourcefire_Defense_Center | Displays the IDS sensors that generated the most alerts by Cisco FirePower and Sourcefire Defense Center. | CIP-005-1 R3 |
| 257 | NERC: Successful Logins | Not Applicable | Displays successful logins to ensure only authorized personnel have access. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 258 | NERC: Sybase ASE Database Configuration Changes | NERC_Sybase_ASE_Database_Configuration_Changes | Displays configuration changes to the Sybase database. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 259 | NERC: Sybase ASE Database User Additions and Deletions | NERC_Sybase_ASE_Database_User_Additions_and_Deletions | Displays Sybase database events related to creation and deletion of database users. | CIP-005-1 R2.4 |
| 260 | NERC: Sybase ASE Failed Logins | NERC_Sybase_ASE_Failed_Logins | Displays failed Sybase ASE database logins. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5 |
| 261 | NERC: Sybase ASE Successful Logins | NERC_Sybase_ASE_Successful_Logins | Displays successful Sybase ASE database logins. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 262 | NERC: Symantec Endpoint Protection: Attacks Detected | NERC_Symantec_Endpoint_Protection_Attacks_Detected | Displays attacks detected by Symantec Endpoint Protection. | CIP-007 R4, CIP-007-5 R3 |
| 263 | NERC: Symantec Endpoint Protection: Attacks by Threat Name | NERC_Symantec_Endpoint_Protection_Attacks_by_Threat_Name | Displays Symantec Endpoint Protection attacks by threat name. | CIP-007 R4, CIP-007-5 R3 |
| 264 | NERC: Symantec Endpoint Protection: Scans | NERC_Symantec_Endpoint_Protection_Scans | Displays scans using Symantec Endpoint Protection. | CIP-007 R4, CIP-007-5 R3 |
| 265 | NERC: Symantec Endpoint Protection: Updated | NERC_Symantec_Endpoint_Protection_Updated | Displays updates to Symantec Endpoint Protection. | CIP-007 R4, CIP-007-5 R2, CIP-007-5 R3 |
| 266 | NERC: Symantec Endpoint Protection Configuration Changes | NERC_Symantec_Endpoint_Protection_Configuration_Changes | Displays Symantec Endpoint Protection configuration changes. | CIP-003-1 R5.3, CIP-003-1 R6 |
| 267 | NERC: Symantec Endpoint Protection Password Changes | NERC_Symantec_Endpoint_Protection_Password_Changes | Displays all password change activities on Symantec Endpoint Protection to ensure authorized and appropriate access. | CIP-005-1 R3, CIP-007 R5.3.3, CIP-007-5 R5.6 |
| 268 | NERC: Symantec Endpoint Protection Policy Add, Remove, or Modify | NERC_Symantec_Endpoint_Protection_Policy_Add_Remove_or_Modify | Displays all events when a Symantec Endpoint Protection policy is added, removed, or modified. | CIP-007 R5.2, CIP-007-5 R5.3 |
| 269 | Not Applicable | NERC_TIBCO_Spotfire_Failed_Logins | Failed logins to the TIBCO Spotfire. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5 |
| 270 | Not Applicable | NERC_TIBCO_Spotfire_Group_Members_Deleted | Displays all accounts deleted from groups to ensure appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 271 | Not Applicable | NERC_TIBCO_Spotfire_Password_Changes | Displays all password change activities on TIBCO Spotfire to ensure authorized and appropriate access. | CIP-005-1 R3, CIP-007 R5.3.3, CIP-007-5 R5.6 |
| 272 | Not Applicable | NERC_TIBCO_Spotfire_Successful_Logins | Successful logins to the TIBCO Spotfire. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 273 | Not Applicable | NERC_TIBCO_Spotfire_User_Permission_Change | A permission role has been added, changed, removed, or applied to a user on TIBCO Spotfire server. | CIP-005-1 R3, CIP-007 R5.2, CIP-007-5 R5.3 |
| 274 | NERC: TIBCO Administrator Password Changes | NERC_TIBCO_Administrator_Password_Changes | Displays all password change activities on TIBCO Administrator to ensure authorized and appropriate access. | CIP-005-1 R3, CIP-007 R5.3.3, CIP-007-5 R5.6 |
| 275 | NERC: TIBCO Administrator Permission Changes | NERC_TIBCO_Administrator_Permission_Changes | Displays events related to TIBCO Administrator permission modifications. | CIP-005-1 R3, CIP-007 R5.2, CIP-007-5 R5.3 |
| 276 | NERC: TIBCO ActiveMatrix Administrator Failed Logins | NERC_TIBCO_ActiveMatrix_Administrator_Failed_Logins | Displays all TIBCO ActiveMatrix Administrator login events which have failed. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5 |
| 277 | NERC: TIBCO ActiveMatrix Administrator Permission Changes | NERC_TIBCO_ActiveMatrix_Administrator_Permission_Changes | Displays events related to TIBCO ActiveMatrix Administrator permission modifications. | CIP-005-1 R3, CIP-007 R5.2, CIP-007-5 R5.3 |
| 278 | NERC: TIBCO ActiveMatrix Administrator Successful Logins | NERC_TIBCO_ActiveMatrix_Administrator_Successful_Logins | Displays successful logins to TIBCO ActiveMatrix Administrator to ensure only authorized personnel have access. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 279 | NERC: TrendMicro Control Manager : Attacks Detected | NERC_TrendMicro_Control_Manager_Attacks_Detected | Displays attacks detected by TrendMicro Control Manager. | CIP-007 R4, CIP-007-5 R3 |
| 280 | NERC: TrendMicro Control Manager: Attacks Detected by Threat Name | NERC_TrendMicro_Control_Manager_Attacks_Detected_by_Threat_Name | Displays attacks detected by TrendMicro Control Manager by threat name. | CIP-007 R4, CIP-007-5 R3 |
| 281 | NERC: TrendMicro OfficeScan: Attacks Detected | NERC_TrendMicro_OfficeScan_Attacks_Detected | Displays attacks detected by TrendMicro OfficeScan. | CIP-007-5 R3 |
| 282 | NERC: TrendMicro OfficeScan: Attacks Detected by Threat Name | NERC_TrendMicro_OfficeScan_Attacks_Detected_by_Threat_Name | Displays attacks detected by TrendMicro OfficeScan by threat name. | CIP-007-5 R3 |
| 283 | NERC: Trusted Domain Created on Windows Servers | NERC_Trusted_Domain_Created_on_Windows_Servers | Displays all trusted domains created on Windows servers to ensure authorized and appropriate access. | CIP-007 R5.2, CIP-007-5 R5.3 |
| 284 | NERC: Trusted Domain Deleted on Windows Servers | NERC_Trusted_Domain_Deleted_on_Windows_Servers | Displays all trusted domains deleted on Windows servers to ensure authorized and appropriate access. | CIP-007 R5.2, CIP-007-5 R5.3 |
| 285 | NERC: Unauthorized Logins | Not Applicable | Displays all logins from unauthorized users to ensure appropriate access to data. | CIP-005-1 R2.4, CIP-005-1 R3, CIP-005-1 R3.2, CIP-007 R5 |
| 286 | NERC: Unencrypted Logins | Not Applicable | Displays all unencrypted logins to ensure secure access to data. | CIP-007-5 R3, CIP-007 R5 |
| 287 | NERC: Unix Password Changes | Not Applicable | Password Changes on UNIX servers. | CIP-007 R5.3.3, CIP-007-5 R5.6 |
| 288 | NERC: Users Created on Servers | Not Applicable | Displays all users created on servers to ensure authorized and appropriate access. | CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 289 | NERC: Users Removed from Servers | Not Applicable | Displays all users removed from servers to ensure timely removal of terminated users. | CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 290 | NERC: Users Using the Proxies | Not Applicable | Displays users who have been surfing the web through the proxy servers. | CIP-007 R5, CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 291 | NERC: Users Using the Proxies - Blue Coat | NERC_Users_Using_the_Proxies_Blue_Coat | Displays users who have been surfing the web through the proxy servers on Blue Coat. | CIP-007 R5, CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 292 | NERC: Users Using the Proxies - Cisco WSA | NERC_Users_Using_the_Proxies_Cisco_WSA | Displays users who have been surfing the web through the proxy servers on Cisco WSA. | CIP-007 R5, CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 293 | NERC: Users Using the Proxies - Microsoft IIS | Not Applicable | Displays users who have been surfing the web through the proxy servers on Microsoft IIS. | CIP-007 R5, CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 294 | NERC: vCenter Change Attributes | NERC_vCenter_Change_Attributes | Modification of VMware vCenter and VMware ESX properties. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3 |
| 295 | NERC: vCenter Datastore Events | NERC_vCenter_Datastore_Events | Displays create, modify, and delete datastore events on VMware vCenter. | CIP-005-1 R2.4, CIP-005-1 R3 |
| 296 | NERC: vCenter Data Move | NERC_vCenter_Data_Move | Entity has been moved within the VMware vCenter infrastructure. | CIP-005-1 R2.4, CIP-005-1 R3 |
| 297 | NERC: vCenter Failed Logins | NERC_vCenter_Failed_Logins | Failed logins to the VMware vCenter console. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5 |
| 298 | NERC: vCenter Modify Firewall Policy | NERC_vCenter_Modify_Firewall_Policy | Displays changes to the VMware ESX allowed services firewall policy. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3 |
| 299 | NERC: vCenter Restart ESX Services | NERC_vCenter_Restart_ESX_Services | VMware vCenter restarted services running on VMware ESX Server. | CIP-007 R5.1.2, CIP-007-5 R2.1, CIP-007-5 R4.1 |
| 300 | NERC: vCenter Resource Usage Change | NERC_vCenter_Resource_Usage_Change | Resources have changed on VMware vCenter. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3 |
| 301 | NERC: vCenter Shutdown or Restart of ESX Server | NERC_vCenter_Shutdown_or_Restart_of_ESX_Server | VMware ESX Server is shut down or restarted from VMware vCenter console. | CIP-005-1 R3 |
| 302 | NERC: vCenter Successful Logins | NERC_vCenter_Successful_Logins | Successful logins to the VMware vCenter console. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-005-1 R3, CIP-007-5 R3, CIP-007 R5, CIP-007 R5.2, CIP-007-5 R5.3 |
| 303 | NERC: vCenter User Permission Change | NERC_vCenter_User_Permission_Change | A permission role has been added, changed, removed, or applied to a user on VMware vCenter server. | CIP-005-1 R3, CIP-007 R5.2, CIP-007-5 R5.3 |
| 304 | NERC: vCenter Virtual Machine Created | NERC_vCenter_Virtual_Machine_Created | Virtual machine has been created from VMware vCenter console. | CIP-003-1 R6, CIP-005-1 R3 |
| 305 | NERC: vCenter Virtual Machine Deleted | NERC_vCenter_Virtual_Machine_Deleted | Virtual machine has been deleted or removed from VMware vCenter console. | CIP-003-1 R6, CIP-005-1 R3 |
| 306 | NERC: vCenter Virtual Machine Shutdown | NERC_vCenter_Virtual_Machine_Shutdown | Virtual machine has been shut down or paused from VMware vCenter console. | CIP-005-1 R3 |
| 307 | NERC: vCenter Virtual Machine Started | NERC_vCenter_Virtual_Machine_Started | Virtual machine has been started or resumed from VMware vCenter console. | CIP-005-1 R3 |
| 308 | NERC: vCenter vSwitch Added, Changed or Removed | NERC_vCenter_vSwitch_Added_Changed_or_Removed | vSwitch on VMware ESX server has been added, modified or removed from the VMware vCenter console. | CIP-003-1 R5.3, CIP-003-1 R6, CIP-005-1 R3 |
| 309 | NERC: VPN Connections by Users | Not Applicable | Displays users who have made the most connections. | CIP-007-5 R3, CIP-007 R5, CIP-007 R5.1.2, CIP-007-5 R4.1, CIP-012-1 R1.1 |
| 310 | NERC: VPN Denied Connections by Users | Not Applicable | Displays users with the most denied connections. | CIP-005-1 R1.6, CIP-005-1 R2.4, CIP-005-1 R3.2, CIP-012-1 R1.1 |
| 311 | NERC: VPN Sessions by Destination Ips | Not Applicable | Displays all VPN sessions categorized by destination IP addresses. | CIP-005-1 R3, CIP-005-1 R3.1, CIP-012-1 R1.1 |
| 312 | NERC: VPN Sessions by Source Ips | Not Applicable | Displays all VPN sessions categorized by source IP addresses. | CIP-005-1 R3, CIP-005-1 R3.1, CIP-012-1 R1.1 |
| 313 | NERC: VPN Sessions by Users | Not Applicable | Displays all VPN sessions categorized by authenticated users. | CIP-005-1 R3, CIP-005-1 R3.1, CIP-007 R5.1.2, CIP-007-5 R4.1, CIP-012-1 R1.1 |
| 314 | NERC: VPN Users Accessing Corporate Network | Not Applicable | Displays all users logging into the corporate network via Virtual Private Network to ensure appropriate access. | CIP-005-1 R2.4, CIP-005-1 R5.3, CIP-007 R5.1.2, CIP-007-5 R4.1, CIP-012-1 R1.1 |
| 315 | NERC: Web Access from All Users | Not Applicable | Displays all web-based access by all users for regular reviews and updates. | CIP-007-5 R3, CIP-007 R5 |
| 316 | NERC: Web Access from All Users - F5 BIG-IP TMOS | NERC_Web_Access_from_All_Users_F5_BIG-IP_TMOS | Displays all web-based access by all users for regular reviews and updates on F5 BIG-IP TMOS. | CIP-007-5 R3, CIP-007 R5 |
| 317 | NERC: Web Access from All Users - Microsoft IIS | Not Applicable | Displays all web-based access by all users for regular reviews and updates on Microsoft IIS. | CIP-007-5 R3, CIP-007 R5 |
| 318 | NERC: Web Access from All Users - PANOS | NERC_Web_Access_from_All_Users_PANOS | Displays all web-based access by all users for regular reviews and updates on Palo Alto Networks. | CIP-007-5 R3, CIP-007 R5 |
| 319 | NERC: Web Access from All Users - Fortinet | NERC_Web_Access_from_All_Users_Fortinet | Displays all web-based access by all users for regular reviews and updates on Fortinet. | CIP-007-5 R3, CIP-007 R5 |
| 320 | NERC: Web Access to Applications | Not Applicable | Displays all web-based access to applications to ensure appropriate and authorized access. | CIP-007-5 R3, CIP-007 R5 |
| 321 | NERC: Web Access to Applications - F5 BIG-IP TMOS | NERC_Web_Access_to_Applications_F5_BIG-IP_TMOS | Displays all web-based access to applications to ensure appropriate and authorized access on F5 BIG-IP TMOS. | CIP-007-5 R3, CIP-007 R5 |
| 322 | NERC: Web Access to Applications - Microsoft IIS | Not Applicable | Displays all web-based access to applications to ensure appropriate and authorized access on Microsoft IIS. | CIP-007-5 R3, CIP-007 R5 |
| 323 | NERC: Web Access to Applications - PANOS | NERC_Web_Access_to_Applications_PANOS | Displays all web-based access to applications to ensure appropriate and authorized access on Palo Alto Networks. | CIP-007-5 R3, CIP-007 R5 |
| 324 | NERC: Web Access to Applications - Fortinet | NERC_Web_Access_to_Applications_Fortinet | Displays all web-based access to applications to ensure appropriate and authorized access on Fortinet. | CIP-007-5 R3, CIP-007 R5 |
| 325 | NERC: Windows Accounts Enabled | NERC_Windows_Accounts_Enabled | Displays all accounts enabled on Windows servers to ensure authorized and appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 326 | NERC: Windows Accounts Locked | NERC_Windows_Accounts_Locked | Displays all accounts locked out of Windows servers to detect access violations or unusual activities. | CIP-003-1 R5.2, CIP-007 R5.1.1 |
| 327 | NERC: Windows Events by Users | NERC_Windows_Events_by_Users | Displays a summary of access-related Windows events by source and target users. | CIP-007 R5.1.2, CIP-007-5 R4.1 |
| 328 | NERC: Windows Group Members Added | NERC_Windows_Group_Members_Added | Displays all accounts added to groups on the Windows servers to ensure appropriate access. | CIP-003-1 R5.2, CIP-007 R5.1.1, CIP-007 R5.2, CIP-007-5 R5.3 |
| 329 | NERC: Windows Group Members Deleted | NERC_Windows_Group_Members_Deleted | Displays all accounts removed from groups on the Windows servers to ensure appropriate access. | CIP-003-1 R5.2, CIP-005-1 R2.4, CIP-007 R5.1.1, CIP-007 R5.2, CIP-007-5 R5.3 |