Free Resource · Splunk & Cribl
Data Onboarding Checklist for NERC CIP Environments
A one-page field checklist for onboarding any new data source into a Splunk or Cribl pipeline that touches BES Cyber Systems. Clean parsing and right-sized volume, with the logging and audit evidence that CIP asks for, built into every stage.
What's inside
Six stages, from first request to production hand-off, with the NERC CIP control mapped to the step where it applies:
- Intake & scoping · capture source facts, verify volume, define the use case, classify the asset (CIP-002).
- Authorization & change control · need-to-know access, baseline, dev-first, keep the path inside the ESP (CIP-004, 005, 010, 011).
- Source type config: the “Great Eight” · the props.conf settings that get event breaking and timestamps right the first time.
- Validation · format, completeness, standards, CIM mapping, required security events (CIP-007 R4.1).
- Retention, alerting & audit · 90-day retention, real-time alerts, 15-day review, version control (CIP-007 R4, CIP-010).
- Communicate & hand off · publish the details, update the catalog, close the change record.
Go deeper: the data onboarding series
- Data Onboarding Without the Rework: A Field Checklist for Splunk
- The Great Eight: props.conf Settings Every Splunk Source Type Needs
- Onboarding Data Under NERC CIP: Turn Log Hygiene Into Compliance Evidence
Configuration practices per Splunk Lantern. Reference aid only, not legal advice. Validate against your registered entity's compliance program and Regional Entity guidance.

