Pull-Based Monitoring Checklist Template

Structured checklist for weekly and monthly pull-based OSINT monitoring. This template supports the Module 5 workflow.

Download: Monitoring Checklist Template (Word) – includes checkboxes, finding log tables, and cycle summary tracking.

NRECA Example: NRECA Monitoring Checklist (Word) – pre-filled example showing what a completed checklist looks like.

Instructions: Copy this template and customize the queries, baseline references, and finding criteria for your organization. Use the checklist format during each monitoring cycle to ensure consistent execution.

Weekly Monitoring Checklist

Checks ordered by OT relevance – remote access and edge device checks first.

Check 1: Shodan/Censys Remote Access Review

• Tool: Shodan / Censys
• Query: [your exact query -- e.g., net:x.x.x.x/24 port:443,8443,10443]
• Baseline reference: Section 1, rows [X-Y] (remote access services)
• Time: ~5 min

OT-relevant finding: Any change to VPN login page, new port on firewall management IP, version change on edge device. Version downgrade or unexpected service warrants immediate investigation.

Expected noise: Minor HTTP header changes, certificate renewals on same service.

Check 2: CISA KEV Review

• Tool: CISA KEV Catalog
• Query: Review additions from past 7 days. Cross-reference against asset inventory
• Baseline reference: Module 4 vulnerability correlation table
• Time: ~5 min

OT-relevant finding: Any KEV entry matching a product/vendor in your asset inventory. P0 if the asset is internet-exposed.

Check 3: Certificate Transparency

• Tool: crt.sh
• Query: %.[your domain]
• Baseline reference: Section 1, subdomain list
• Time: ~5 min

OT-relevant finding: New subdomains suggesting remote access (vpn, ras, remote*), new OT-adjacent applications, or shadow IT.

Expected noise: Certificate renewals for existing subdomains (same name, new serial).

Check 4: Breach Database

• Tool: HaveIBeenPwned
• Query: Domain search for [your domain] or spot-check Tier 1 emails: [list]
• Baseline reference: Section 2, breach status column
• Time: ~5 min

OT-relevant finding: Tier 1 or Tier 2 personnel in new breach with password/hash exposure.

Check 5: Alert Backlog Processing

• Tool: Alert aggregation point ([email folder / Slack / shared inbox])
• Action: Review and close or investigate items deferred during daily triage
• Time: ~5 min

Rule: No item remains in backlog longer than one week.

Check 6: Baseline Update

• Action: If any weekly check surfaced changes, update baseline document
• Time: ~5 min

Monthly Monitoring Checklist

Check 1: Full Subdomain Re-enumeration (20 min)

• Tools: crt.sh, DNSDumpster, SecurityTrails
• Domains: [list all domains]
• Baseline reference: Section 1, complete subdomain inventory

Check 2: Deep Shodan/Censys Scan (15 min)

• Tools: Shodan, Censys
• Query: [broader queries – org name, ASN, netblocks]
• Focus: New management interfaces and remote access on OT boundary

Check 3: Vulnerability Re-correlation (20 min)

• Tools: NVD, CISA KEV, vendor PSIRTs, ICS Advisory Project
• Products: [list from Module 4 asset inventory]

Check 4: Personnel Exposure Refresh (15 min)

• Action: Re-check Tier 1/2 against breach databases. Review personnel changes

Check 5: Alert Configuration Review (10 min)

• Action: Verify all push alerts are active. Review query relevance

Cycle Summary

Complete this section at the end of each monitoring cycle.