Your organization's Data Protection Officer (DPO) needs to know when new systems become involved in processing GDPR-scoped data. You want to pull this information from network communication logs so DPOs can ensure the systems are authorized and documented.
- Identify all relevant IT assets from a data mapping exercise conducted by the Data Privacy Officer’s team. These are all IT assets that are relevant to the full audit trail of data processing activities. This includes not only data stores and repositories that house sensitive personal data (PD) and personally identifiable information (PII), but also any technologies that are involved in the processing, storage, transmission, receipt, rendering, encrypt/decrypt, relaying, and handling of such data in any capacity.
- Ensure that those assets are configured properly to report logging activity to an appropriate central repository.
- Use your data mapping results to build a lookup that associates systems to their system category.
- Run the following search. You can adjust this query based on the specifics of your environment.
sourcetype=pan*traffic src_ip=* dest_ip=* |stats count min(_time) AS earliest max(_time) AS maxtime BY src_ip, dest_ip |lookup <name of lookup you created in step 3> host AS dest_ip |search category=* |where earliest>relative_time(now(), "-1d@d")
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Search only Palo Alto Networks data.
Replace the specified source type with firewall data sources that are applicable to your environment or a search for Common Information Model tagged data, if applicable.
Filter events that have values in the source and destination IP address fields.
|stats count min(_time) AS earliest max(_time) AS maxtime BY src_ip, dest_ip
Calculate the earliest and the latest time that this combination of fields occurred. This constitutes a connection.
|lookup <name of lookup you created in step 3> host AS dest_ip
Look up the host in the categorization lookup you created and output the category field into the event when the host field in the lookup and dest_ip match.
Filter for events that have a value in the category field.
|where earliest>relative_time(now(), "-1d@d")
Filter for events where the earliest time seen is within a day of the latest time seen, meaning this is the first time seen.
When a new host connects to an in-scope GDPR system, check to make sure it is documented.
Additionally, you should monitor the mapped IT assets changes in logging status, adjust for known outages, and prioritize incident response for any failures to report by hosts that are not scheduled for downtime.
GDPR Relevance: In addition to the general security benefits, this detection will help the data privacy officer of an organization in their GDPR requirements to detect if any new applications or service providers have been connected to push or pull personal data without the proper documentation. Under Article 30, organizations are required to maintain a record of processing activities, including the name and contact details of the controller, the purposes of the processing, description of the categories of data subjects and personal data processed. Additionally, they must maintain a record of categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international. Detecting any new connected applications or service providers which might not be whitelisted or documented, can indicate a potential state of non-compliance, and the Data Privacy Officer will be required to follow up and document. This situation may not impact organizations who employ fewer than 250 persons and therefore may not have critical categories of personal data for processing.
Finally, you might be interested in other processes associated with the Complying with General Data Protection Regulation use case.