North American Electric Reliability Corp (NERC)

Use the IBM® QRadar® NERC Content Extension to closely monitor your deployment for NERC regulations.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar NERC Content Extension V1.0.2

The following content is removed in IBM Security QRadar NERC Content Extension V1.0.2.

Table 1. Content Removed in IBM Security QRadar NERC Content Extension V1.0.2
Type	Name
Custom Property	AccountName
Saved Search	User Account Added By User
Saved Search	User Account Modified By User
Saved Search	User Account Removed By User

IBM Security QRadar NERC Content Extension V1.0.1

Saved searches are now shared by default, and assigned to the correct groups.

IBM Security QRadar NERC Content Extension V1.0.0

The following building blocks are included in IBM Security QRadar NERC Content Extension V1.0.0.

BB:CategoryDefinition: Authentication Failures
BB:CategoryDefinition: Authentication Success

The following reports are included in IBM Security QRadar NERC Content Extension V1.0.0.

Daily NERC-CIP-005-R3 - Successful Login Attempts by NetworkGroup
Daily NERC-CIP-005-R3 - Unsuccessful Logins Summary
Daily NERC-CIP-005-R3 - Unsuccessful Mail Logins
Daily NERC-CIP-005-R3 - Unsuccessful Mail Logins by Network Group
Daily NERC-CIP-005-R3 - Unsuccessful Miscellaneous Logins
Daily NERC-CIP-005-R3 - Unsuccessful Miscellaneous Logins by Network Group
Daily NERC-CIP-005-R3 - Unsuccessful SSH Logins
Daily NERC-CIP-005-R3 - Unsuccessful SSH Logins by Network Group
Daily NERC-CIP-005-R3 - Unsuccessful Telnet Logins
Daily NERC-CIP-005-R3 - Unsuccessful Telnet Logins by Network Group
Daily NERC-CIP-005-R3 - Unsuccessful Web Services Logins
Daily NERC-CIP-005-R3 - Unsuccessful Web Services Logins by Network Group
Monthly NERC-CIP-003-R5 - Added User Accounts
Monthly NERC-CIP-003-R5 - Deleted User Accounts
Remote Access Activity Summary
Top Users by Remote Access Activity
Weekly NERC-CIP-002-R2/R3 - Newly Discovered Operating Systems
Weekly NERC-CIP-005-R3 - Successful Login Attempts by NetworkGroup
Weekly NERC-CIP-005-R3 - Unsuccessful Logins Summary
Weekly NERC-CIP-005-R3 - Unsuccessful Mail Logins
Weekly NERC-CIP-005-R3 - Unsuccessful Mail Logins by Network Group
Weekly NERC-CIP-005-R3 - Unsuccessful Misc. Logins by Network Group
Weekly NERC-CIP-005-R3 - Unsuccessful Miscellaneous Logins
Weekly NERC-CIP-005-R3 - Unsuccessful SSH Logins
Weekly NERC-CIP-005-R3 - Unsuccessful SSH Logins by Network Group
Weekly NERC-CIP-005-R3 - Unsuccessful Telnet Logins by Network Group
Weekly NERC-CIP-005-R3 - Unsuccessful Web Services Logins
Weekly NERC-CIP-005-R3 - Unsuccessful Web Services Logins by Network Group
Weekly NERC-CIP-005-R3.2 - Detect Attempts at or Actual Unauthorized Access - Failed Login Attempts

The following saved searches are included in IBM Security QRadar NERC Content Extension V1.0.0.

Login Failures By Low Level Category
Login Failures by User
Mail Service Login Failures
Mail Service Login Failures by Network
Misc. Login Failures
Misc. Login Failures by Network
New Discovered OS by Category
Remote Access Failures (VPN and Others)
Remote Access Success (VPN and Other)
SSH Login Failures
SSH Login Failures by Network
SSH Login Failures TopN Users
Successful Logins by Network
Telnet Login Failures
Telnet Login Failures by Network
Top User by Mail Service Login Failure
Top Users by failed Misc. Logins
Top Users by Successful Logins
User Account Added By User
User Account Removed By User
Web Services Login Failures
Web Services Login Failures by Network