Splunk Lantern

New connection to device

You might need to be alerted when new systems connect in your environment when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Your organization's Data Protection Officer (DPO) needs to know when new systems become involved in processing GDPR-scoped data. You want to pull this information from network communication logs so DPOs can ensure the systems are authorized and documented.

To optimize the search shown below, specify an index and a time range. This sample search uses Palo Alto Networks data; you can replace that source with any other firewall data used in your organization, such as Check Point OPSEC LEA or Cisco ASA.

  1. Identify all relevant IT assets from a data mapping exercise conducted by the Data Privacy Officer's team. These are all IT assets that are relevant to the full audit trail of data processing activities. This includes not only data stores and repositories that house sensitive personal data (PD) and personally identifiable information (PII), but also any technology involved in the processing, storage, transmission, receipt, rendering, encryption/decryption, relaying, and handling of such data in any capacity.
  2. Ensure that those assets are configured properly to report logging activity to an appropriate central repository.
  3. Use your data mapping results to build a lookup that associates systems to their system category.
  4. Run the following search:
sourcetype=pan*traffic src_ip=* dest_ip=*
|stats count min(_time) AS earliest max(_time) AS maxtime BY src_ip, dest_ip
|lookup <name of lookup you created in step 3> host AS dest_ip
|search category=*
|where earliest>relative_time(now(), "-1d@d")

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search / Explanation

sourcetype=pan*traffic

Search only Palo Alto Networks data.

Replace the specified source type with firewall data sources that are applicable to your environment or a search for Common Information Model tagged data, if applicable.

src_ip=* dest_ip=*

Filter events that have values in the source and destination IP address fields.

|stats count min(_time) AS earliest max(_time) AS maxtime BY src_ip, dest_ip

Calculate the number of events and the earliest and latest time that this combination of source and destination IP occurred. Each source/destination pair constitutes a connection.

|lookup <name of lookup you created in step 3> host AS dest_ip

Look up the host in the categorization lookup you created and output the category field into the event when the host field in the lookup matches dest_ip.

|search category=*

Filter for events that have a value in the category field.

|where earliest>relative_time(now(), "-1d@d")

Filter for connections whose earliest observed time falls after the start of the previous day (relative_time(now(), "-1d@d") resolves to midnight at the start of yesterday), meaning this source/destination pair has only just been seen for the first time within the searched time range.
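To show what the search above computes without a Splunk instance, here is an added Python walk-through of the same pipeline (stats by source/destination pair, category lookup on dest_ip, filter to categorised hosts, keep pairs first seen after -1d@d). It is example code, not part of the Lantern article; the traffic events, the category lookup and the fixed "now" are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample records standing in for pan*traffic events: (src_ip, dest_ip, _time).
SAMPLE_EVENTS = [
    ("10.1.1.5", "10.9.0.10", "2024-03-10T09:15:00"),   # long-known pair, earliest is old
    ("10.1.1.5", "10.9.0.10", "2024-03-12T11:00:00"),
    ("10.1.2.77", "10.9.0.10", "2024-03-12T03:42:00"),  # first seen today -> new connection
    ("10.1.2.77", "10.9.0.10", "2024-03-12T10:05:00"),
    ("10.1.3.9", "10.9.0.20", "2024-03-12T08:00:00"),   # dest_ip not in lookup -> dropped
    ("10.1.4.4", "10.9.0.30", "2024-03-12T08:30:00"),   # first seen today -> new connection
]

# Constructed stand-in for the lookup built in step 3: host -> GDPR system category.
CATEGORY_LOOKUP = {
    "10.9.0.10": "pii_datastore",
    "10.9.0.30": "processing_app",
}

# Fixed "now" so the example is reproducible (in Splunk this is now() at search time).
SAMPLE_NOW = datetime(2024, 3, 12, 12, 0, 0)


def relative_time_minus_1d_at_d(now):
    """Equivalent of relative_time(now(), "-1d@d"): midnight at the start of the previous day."""
    return (now - timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)


def new_connections(events, lookup, now):
    """Replicate the search: stats per (src_ip, dest_ip), lookup category on dest_ip,
    keep only categorised destinations, keep pairs whose earliest time is after -1d@d."""
    stats = {}  # (src_ip, dest_ip) -> [count, earliest, maxtime]
    for src, dest, ts in events:
        t = datetime.fromisoformat(ts)
        row = stats.setdefault((src, dest), [0, t, t])
        row[0] += 1
        row[1] = min(row[1], t)
        row[2] = max(row[2], t)
    cutoff = relative_time_minus_1d_at_d(now)
    results = []
    for (src, dest), (count, earliest, maxtime) in stats.items():
        category = lookup.get(dest)
        if category is None:        # |search category=*
            continue
        if earliest <= cutoff:      # |where earliest>relative_time(now(), "-1d@d")
            continue
        results.append({"src_ip": src, "dest_ip": dest, "category": category,
                        "count": count, "earliest": earliest, "maxtime": maxtime})
    return sorted(results, key=lambda r: (r["src_ip"], r["dest_ip"]))
```

Running new_connections(SAMPLE_EVENTS, CATEGORY_LOOKUP, SAMPLE_NOW) returns the two pairs that a DPO would need to check against the Article 30 record; the long-known pair and the uncategorised destination are filtered out exactly as in the SPL.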

Result

When a new host connects to an in-scope GDPR system, check to make sure it is documented.

Additionally, you should monitor the mapped IT assets for changes in logging status, adjust for known outages, and prioritize incident response for any failure to report by hosts that are not scheduled for downtime.

GDPR Relevance: In addition to the general security benefits, this detection helps an organization's data privacy officer meet their GDPR requirements by detecting whether any new applications or service providers have been connected to push or pull personal data without the proper documentation. Under Article 30, organizations are required to maintain a record of processing activities, including the name and contact details of the controller, the purposes of the processing, and a description of the categories of data subjects and personal data processed. Additionally, they must maintain a record of the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations. Detecting any new connected applications or service providers that might not be whitelisted or documented can indicate a potential state of non-compliance, and the Data Privacy Officer will be required to follow up and document. This situation may not impact organizations that employ fewer than 250 persons and therefore may not have critical categories of personal data for processing.
