NERC Script 1
- Pavan Raja

- Apr 8, 2025
- 2 min read
Summary:
This post outlines a demo script for investigating potential NERC CIP violations in an organization's identity and access management environment using the ArcSight Console. It starts with a "Possible Violation" flagged under CIP-004 (Personnel and Training) and drills into it through the Active Channel view of the event. A second violation, under CIP-007 (System Security Management), is a Worm Outbreak Detected event; the script pivots on the IP address involved and shows how the NERC solution's correlation engine applies statistical analysis across events to raise that detection.
Transitioning to the IdentityView solution, the script then investigates potential malicious insider activity by reviewing the Threat Score Overview for user rjackson (Robert Jackson). The score aggregates unsafe activities such as role violations, failed database access attempts and shared-account use, which together point to possible malicious intent and warrant investigation. The script closes by demonstrating that compliance and security monitoring draw on the same event data, so correlated alerts surface threats faster than manual investigation.
Details:
The script walks through the ArcSight Console, focusing on the NERC solution and its detection of identity and access management violations. It begins with a "Possible Violation" under CIP-004, which is investigated by drilling down into the Active Channel view of the underlying event. A second violation, under CIP-007, is a Worm Outbreak Detected event; the analyst investigates the IP address associated with it, which highlights how the correlation engine applies statistical analysis to raw events to detect the outbreak rather than relying on a single signature match.
The script then moves to the IdentityView solution, where potential malicious insider activity is identified by reviewing the Threat Score Overview for user rjackson (Robert Jackson). Several kinds of unsafe activity contribute to the score, including role violations, failed database access attempts and shared-account usage. Taken together they are strong indicators of malicious intent, although the score is a prioritization aid: each contributing event should still be confirmed against its source before action is taken. The final step emphasizes that compliance and security monitoring are integrated over the same data, showing how automated correlation identifies threats more efficiently than manual investigation.
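As an added illustration, not code from the original script or from ArcSight, the following Python models the two correlations described above over constructed sample events: a worm-outbreak rule that fires when one source IP reaches many distinct destinations within a short window (the CIP-007 event), and a weighted per-user threat score aggregating role violations, failed database access and shared-account use (the IdentityView Threat Score Overview). The event fields, the window, the threshold and the weights are assumptions chosen for the example; ArcSight's actual rule logic and scoring are not shown on the page.

```python
"""Toy correlation over constructed events (illustrative only; not ArcSight's
correlation engine or IdentityView scoring). Two rules:
  * worm outbreak: one source IP fans out to many distinct destinations fast
  * insider threat score: weighted sum of unsafe identity events per user
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Field names are assumptions.
EVENTS = [
    # Host 10.1.1.50 scans six distinct neighbours on 445 within 2.5 minutes,
    # hitting one of them twice (the repeat must not inflate the count).
    {"ts": "2025-04-08T10:00:00", "type": "net_conn", "src_ip": "10.1.1.50", "dst_ip": "10.1.2.1", "dst_port": 445},
    {"ts": "2025-04-08T10:00:20", "type": "net_conn", "src_ip": "10.1.1.50", "dst_ip": "10.1.2.2", "dst_port": 445},
    {"ts": "2025-04-08T10:00:45", "type": "net_conn", "src_ip": "10.1.1.50", "dst_ip": "10.1.2.3", "dst_port": 445},
    {"ts": "2025-04-08T10:01:10", "type": "net_conn", "src_ip": "10.1.1.50", "dst_ip": "10.1.2.1", "dst_port": 445},
    {"ts": "2025-04-08T10:01:30", "type": "net_conn", "src_ip": "10.1.1.50", "dst_ip": "10.1.2.4", "dst_port": 445},
    {"ts": "2025-04-08T10:02:00", "type": "net_conn", "src_ip": "10.1.1.50", "dst_ip": "10.1.2.5", "dst_port": 445},
    {"ts": "2025-04-08T10:02:30", "type": "net_conn", "src_ip": "10.1.1.50", "dst_ip": "10.1.2.6", "dst_port": 445},
    # A normal workstation talking to two servers: should not be flagged.
    {"ts": "2025-04-08T10:00:05", "type": "net_conn", "src_ip": "10.1.1.7", "dst_ip": "10.1.3.10", "dst_port": 443},
    {"ts": "2025-04-08T10:03:00", "type": "net_conn", "src_ip": "10.1.1.7", "dst_ip": "10.1.3.11", "dst_port": 443},
    # Identity events feeding the threat score (user names are constructed).
    {"ts": "2025-04-08T09:10:00", "type": "role_violation", "user": "rjackson", "detail": "engineer role accessed HR share"},
    {"ts": "2025-04-08T09:12:00", "type": "db_access_failed", "user": "rjackson", "detail": "login denied on billing DB"},
    {"ts": "2025-04-08T09:12:30", "type": "db_access_failed", "user": "rjackson", "detail": "login denied on billing DB"},
    {"ts": "2025-04-08T09:20:00", "type": "shared_account_use", "user": "rjackson", "detail": "logged in as svc_backup"},
    {"ts": "2025-04-08T09:30:00", "type": "db_access_failed", "user": "mlee", "detail": "typo in password"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_worm_outbreak(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: distinct_destinations} for sources that reach at least
    `threshold` distinct destinations inside any `window`-long span.
    Counting distinct destinations rather than raw connections keeps a chatty
    client to one server from looking like a scan."""
    conns = defaultdict(list)
    for e in events:
        if e["type"] == "net_conn":
            conns[e["src_ip"]].append((parse_ts(e["ts"]), e["dst_ip"]))
    alerts = {}
    for src, items in conns.items():
        items.sort()
        best = 0
        for i, (t0, _) in enumerate(items):
            # Sliding window starting at each connection.
            targets = {dst for t, dst in items[i:] if t - t0 <= window}
            best = max(best, len(targets))
        if best >= threshold:
            alerts[src] = best
    return alerts


# Assumed weights: a role violation is a policy breach in itself, shared-account
# use defeats accountability, a single failed DB login is weak evidence alone.
WEIGHTS = {"role_violation": 40, "shared_account_use": 25, "db_access_failed": 10}


def threat_scores(events):
    """Sum weighted unsafe identity events per user, capped at 100."""
    scores = defaultdict(int)
    for e in events:
        w = WEIGHTS.get(e["type"])
        if w is not None:
            scores[e["user"]] = min(100, scores[e["user"]] + w)
    return dict(scores)


def score_breakdown(events, user):
    """List the (timestamp, type, detail) rows behind a user's score so an
    analyst can confirm each one before acting on the aggregate."""
    return [(e["ts"], e["type"], e["detail"]) for e in events
            if e["type"] in WEIGHTS and e["user"] == user]


if __name__ == "__main__":
    print("worm outbreak:", detect_worm_outbreak(EVENTS))
    print("threat scores:", threat_scores(EVENTS))
    for row in score_breakdown(EVENTS, "rjackson"):
        print("  ", *row)
```

The worm rule deliberately counts distinct destinations inside a sliding window, so a repeat connection to the same host does not raise the count, and the breakdown function exists because the score alone is a triage signal: the analyst still opens the contributing events, as the script does through the Active Channel.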
