General Data Protection Regulation (GDPR) Compliance

 

Use the JSA Content Extension for GDPR to closely monitor for GDPR compliance. Baseline Maintenance V1.09 or higher is required for the GDPR Content Extension to perform correctly.

Install Baseline Maintenance before you install the GDPR Content Extension.

The JSA Content Extension for GDPR can be used with:

  • Data obfuscation (see Protect Sensitive Data in the Juniper Secure Analytics Administration Guide).

  • Resilient JSA Integration, to send offenses to IBM Resilient.

  • JSA Pulse app, to see the GDPR dashboard. Download the GDPR dashboard from IBM Security Community (https://ibm.biz/BdZt8Q).

JSA Content Extensions for GDPR

JSA Content Extension for GDPR V1.0.3

Saved searches are now shared with all users.

The following table shows the custom properties in JSA Content Extension for GDPR V1.0.3.

Table 1: Custom Properties in JSA Content Extension for GDPR V1.0.3

Name: Policy Name
Optimized: Yes
Capture Group: 1
Regex: LEEF:[0-9\.]+\|IBM\|Guardium\|[^\|]+\|([^\|]+)

The following table shows the rules and building blocks in JSA Content Extension for GDPR V1.0.3.

Table 2: Rules and Building Blocks in JSA Content Extension for GDPR V1.0.3

| Type | Name | Description |
| --- | --- | --- |
| Building Block | BB:CategoryDefinition: SIEM User and Role Modifications | Identifies SIEM user and role modification events. |
| Building Block | BB:DeviceDefinition: DLP Devices | Defines all data loss prevention (DLP) devices on the system. |
| Rule | Suspicious Activity on Personal Data Detected by DLP Devices | Detects suspicious activity on personal data from a DLP device. The DLP devices are defined in the BB:DeviceDefinition: DLP Devices building block. |

JSA Content Extension for GDPR V1.0.2

The following table shows the rules removed in JSA Content Extension for GDPR V1.0.2.

Table 3: Rules Removed in JSA Content Extension for GDPR V1.0.2

| Type | Name | Description |
| --- | --- | --- |
| Rule | Load Basic Building Blocks | This rule loads building blocks that need to be run to assist with reporting. This rule has no actions or responses. |

Note: In JSA Content Extension for GDPR V1.0.2, all custom properties that were previously linked to the SIM Generic Log DSM log source type are linked to the IBM Custom DSM log source type.

JSA Content Extension for GDPR V1.0.1

The following table shows the custom properties in JSA Content Extension for GDPR V1.0.1.

Table 4: Custom Properties in JSA Content Extension for GDPR V1.0.1

Name: API Search ID
Optimized: True
Capture Group: 1
Regex: PathInfo=\/ariel\/searches\/(\S{36})\/results
Notes: Log source type: SIM Audit. Event name: API request successful.

Name: Birth Date
Optimized: False
Capture Group: 1
Regex:
  • ((?:0[1-9]|[12]\d|3[01])([\/.-])(?:0[1-9]|1[12])\2(?:(?:19|20)?\d{2}))
  • ((?:0[1-9]|1[12])([\/.-])(?:0[1-9]|[12]\d|3[01])\2(?:(?:19|20)?\d{2}))
Notes: Log source type: SIM Generic Log DSM. Edit the regex for this custom property as needed for your business use cases.

Name: Element
Optimized: False
Capture Group: 1
Regex:
  • Name=\"([^\"]+)\"
  • \'([\w\s]+) Retention\' from \'\d+\' to \'\d+\'
Notes: Log source type: SIM Audit. Event names: Reference Data Created, Reference Data Removed, Reference Data Updated.

Name: Email
Optimized: True
Capture Group: 1
Regex: ([a-zA-Z0-9._%-]+@[a-zA-Z0-9.-]+.[a-zA-Z]{2,4})
Notes: Log source type: SIM Generic Log DSM. Edit the regex for this custom property as needed for your business use cases.

Name: IBAN
Optimized: False
Capture Group: 1
Regex: ([a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16})
Notes: Log source type: SIM Generic Log DSM. Edit the regex for this custom property as needed for your business use cases.

Name: Passport Number
Optimized: True
Capture Group: 1
Regex: ([A-Z0-9<]{9}[0-9]{1}[A-Z]{3}[0-9]{7}[A-Z]{1}[0-9]{7}[A-Z0-9<]{14}[0-9]{2})
Notes: Log source type: SIM Generic Log DSM. Edit the regex for this custom property as needed for your business use cases.

Name: Retention Period
Optimized: False
Capture Group: 1
Regex:
  • TimeToLive="([^\"]+)"
  • \'[\w\s]+ Retention\' from \'\d+\' to \'(\d+)\'
Notes: Log source type: SIM Audit. Event names: Reference Data Created, Reference Data Updated, System Setting Change.

Name: Role
Optimized: True
Capture Group: 1
Regex:
  • Role Name:\s+([^|]+)\s+
  • Current state:.+Role Name:\s+([^\|]+)\s+
  • Name:\s+([^|]+)\s+
  • Current state:.+Name:\s+\'([^\']+)\'
Notes: Log source type: SIM Audit. Event names: User Role Added, User Role Modified, User Account Added, User Account Modified.

Name: Search Executed
Optimized: True
Capture Group: 1
Regex: Filters:(.*?)\,\s+Columns
Notes: Log source type: SIM Audit. Event name: Search Executed.

Name: User Account
Optimized: True
Capture Group: 1
Regex: Username:\s+([^|]+)\s+
Notes: Log source type: SIM Audit. Category: SIM Configuration Change.
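The Birth Date, Email and IBAN patterns in Table 4 are meant to be edited, so it helps to run them against sample payloads before the BB:ComplianceDefinition: Personal Data Detected on Events building block depends on them. The following Python check is an added example, not part of the content extension: the payloads are constructed, Python's re module stands in for the JSA regex engine, and the mod-97 IBAN checksum is an extra validation step that goes beyond what this page describes.

```python
import re

# Patterns copied verbatim from Table 4 (Birth Date ships two alternatives).
BIRTH_DATE = [
    r"((?:0[1-9]|[12]\d|3[01])([\/.-])(?:0[1-9]|1[12])\2(?:(?:19|20)?\d{2}))",
    r"((?:0[1-9]|1[12])([\/.-])(?:0[1-9]|[12]\d|3[01])\2(?:(?:19|20)?\d{2}))",
]
EMAIL = [r"([a-zA-Z0-9._%-]+@[a-zA-Z0-9.-]+.[a-zA-Z]{2,4})"]
IBAN = [r"([a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16})"]

# Constructed payloads (not real log data): property, patterns, payload,
# and the value a correct extractor should capture (None = no personal data).
SAMPLES = [
    ("Birth Date", BIRTH_DATE, "dob=31/12/1985 dept=hr", "31/12/1985"),
    ("Birth Date", BIRTH_DATE, "dob=31/10/1985 dept=hr", "31/10/1985"),
    ("Email", EMAIL, "rcpt=alice@example.com size=512", "alice@example.com"),
    ("Email", EMAIL, "session opened for root@db01-prod", None),
    ("IBAN", IBAN, "acct=GB82WEST12345698765432 ok", "GB82WEST12345698765432"),
    ("IBAN", IBAN, "order=ab12cdef1234567 status=ok", None),
]

def capture(patterns, payload):
    """Return capture group 1 of the first pattern that matches, else None."""
    for pattern in patterns:
        match = re.search(pattern, payload)
        if match:
            return match.group(1)
    return None

def iban_checksum_ok(candidate):
    """ISO 13616 mod-97: rotate first 4 chars to the end, letters -> 10..35."""
    s = candidate.upper()
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1

def audit(samples=SAMPLES):
    """Map payload -> (captured value, verdict, IBAN checksum result or None)."""
    report = {}
    for name, patterns, payload, want in samples:
        got = capture(patterns, payload)
        if got == want:
            verdict = "ok"
        elif got is None:
            verdict = "missed"            # personal data present, no capture
        elif want is None:
            verdict = "false positive"    # capture where no personal data exists
        else:
            verdict = "over-capture"      # right field, wrong boundaries
        checksum = iban_checksum_ok(got) if name == "IBAN" and got else None
        report[payload] = (got, verdict, checksum)
    return report

if __name__ == "__main__":
    for payload, result in audit().items():
        print(f"{payload!r:45} -> {result}")
```

The October date is missed because the month alternative 1[12] has no branch for 10, and the Email capture runs past the address because the dot before the top-level domain is unescaped and matches the following space. Both are the kind of adjustment the Notes entries for these properties ask for.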

The following table shows the rules and building blocks in JSA Content Extension for GDPR V1.0.1.

Table 5: Rules and Building Blocks in JSA Content Extension for GDPR V1.0.1

| Type | Name | Description |
| --- | --- | --- |
| Building Block | BB:CategoryDefinition: Authentication Failures | Includes all events that indicate an unsuccessful attempt to access the network. |
| Building Block | BB:CategoryDefinition: Authentication Successes | Includes all events that indicate successful attempts to access the network. |
| Building Block | BB:CategoryDefinition: Data Transfer Event Categories | Edit this building block to define data transfer categories on events. |
| Building Block | BB:CategoryDefinition: Data Transfer Flow Categories | Edit this building block to define data transfer categories on flows. |
| Building Block | BB:CategoryDefinition: Destination IP is a Third Country/Region | Edit this building block to include any geographic location that would be classified as a third country. After configuration, you can enable the following rules: Personal Data Transferred to a Third Country; Personal Data Transferred to a Third Country for Users. |
| Building Block | BB:CategoryDefinition: SIEM User and Role Modifications | Checks the QID specific to JSA user and role creation and modification. |
| Building Block | BB:CategoryDefinition: Source IP is a Third Country/Region | Edit this building block to include any geographic location that would be classified as a third country. After configuration, you can enable the following rules: Personal Data Transferred to a Third Country; Personal Data Transferred to a Third Country for Users. |
| Building Block | BB:CategoryDefinition: Superuser Account | Lists the superuser accounts or usernames. |
| Building Block | BB:ComplianceDefinition: GDPR Personal Data Server | This building block defines the hosts that typically store and process personal data. Configure the Personal Data Server reference set to define these hosts in your environment. |
| Building Block | BB:ComplianceDefinition: Personal Data Detected on Events | Edit this building block to define custom properties that can contain personal data. The following custom properties are created by default and must be adapted to the necessary log sources: Birth Date; Email; International Bank Account Number (IBAN); Passport Number. You can create other custom properties for personal data and add them to this building block. Personal data is classified as including both common identifiers (for example, IP addresses and user names) and sensitive identifiers (for example, credit card numbers). |
| Building Block | BB:ComplianceDefinition: Processing Objected Users on Events | This building block defines the users who object to the collecting and processing of their personal data. Configure the GDPR Objected Users reference set to define the user names that apply in your environment. |
| Building Block | BB:ComplianceDefinition: Processing Objected Users on Flows | This building block defines the users who object to the collecting and processing of their personal data. Configure the GDPR Objected Users reference set to define the user names that apply in your environment. |
| Building Block | BB:ComplianceDefinition: Processing Restricted Users on Events | This building block defines the users who have obtained restrictions on the processing of their personal data. Configure the GDPR Restricted Users reference set to define the user names that apply in your environment. |
| Building Block | BB:ComplianceDefinition: Processing Restricted Users on Flows | This building block defines the users who have obtained restrictions on the processing of their personal data. Configure the GDPR Restricted Users reference set to define the user names that apply in your environment. |
| Rule | Data Exfiltration Detected from GDPR Personal Data Server | This rule implements GDPR 2016/679, which focuses on data exfiltration detection from the Personal Data Server reference set, where hosts that store or process personal data are listed. Edit this rule to refine on specific data transfer events or building blocks. Define file transfer on events and flows in the following rules and building blocks: BB:CategoryDefinition: Data Transfer Categories on Events; BB:CategoryDefinition: Data Transfer Categories on Flows; Large Outbound Transfer High Rate of Transfer; Large Outbound Transfer Slow Rate of Transfer. |
| Rule | Large Outbound Transfer High Rate of Transfer | Detects a single host that is sending more data out of the network than received. This rule detects over 2 MB of data transferred over a 12 minute period. |
| Rule | Large Outbound Transfer Slow Rate of Transfer | Detects a single host that is sending more data out of the network than received. This rule detects over 2 MB of data transferred over a 2 hour period. This is fairly slow and could indicate stealthy data leakage. |
| Rule | Load Basic Building Blocks | This rule loads building blocks that need to be run to assist with reporting. This rule has no actions or responses. |
| Rule | Personal Data Processed for Objected Users on Events | This rule implements GDPR 2016/679, which focuses on personal data collected on users who object to the collection and processing of their personal data. Edit this rule to monitor specific events such as data transfer or data modifications with personal data. Define personal data detection in the BB:ComplianceDefinition: Personal Data Detected on Events building block. Define objected users in the BB:ComplianceDefinition: Processing Objected Users on Events building block. |
| Rule | Personal Data Processed for Objected Users on Flows | This rule implements GDPR 2016/679, which focuses on personal data collected on users who object to the collection and processing of their personal data. Edit this rule to monitor specific events such as data transfer or data modifications with personal data. Define personal data detection in the BB:ComplianceDefinition: Personal Data Detected on Flows building block. Define objected users in the BB:ComplianceDefinition: Processing Objected Users on Flows building block. |
| Rule | Personal Data Transferred to Third Countries/Regions | This rule implements GDPR 2016/679, which focuses on personal data transferred to third countries/regions for any users. Edit this rule to monitor specific events such as data transfer or data modifications with personal data. Define data transfer categories in the following building blocks: BB:CategoryDefinition: Data Transfer Categories on Events; BB:CategoryDefinition: Data Transfer Categories on Flows. Define third countries in the BB:CategoryDefinition: Destination IP is a Third Country/Region building block. Define personal data detection in the following building blocks: BB:ComplianceDefinition: Personal Data Detected on Events; BB:ComplianceDefinition: Personal Data Detected on Flows. |
| Rule | Personal Data Transferred to Third Countries/Regions for Users | This rule implements GDPR 2016/679, which focuses on personal data transfer to third countries/regions for users who either restrict or object. Edit this rule to monitor specific events such as data transfer or data modifications with personal data. When you enable this rule, refine the Personal Data Transferred to a Third Country/Region rule to prevent both rules from firing an offense. Define restricted or objected users in the following building blocks: BB:ComplianceDefinition: Processing Restricted Users on Events; BB:ComplianceDefinition: Processing Restricted Users on Flows; BB:ComplianceDefinition: Processing Objected Users on Events; BB:ComplianceDefinition: Processing Objected Users on Flows. Define personal data detection in the following building blocks: BB:ComplianceDefinition: Personal Data Detected on Events; BB:ComplianceDefinition: Personal Data Detected on Flows. |
| Rule | Possible Shared Accounts | Detects the use of a shared account. Edit the BB:CategoryDefinition: Superuser Accounts building block to exclude superuser accounts. |
| Rule | Remote Connection on GDPR Personal Data Server | This rule implements GDPR 2016/679, which focuses on data exfiltration detection from the Personal Data Server reference set, where hosts that store or process personal data are listed. Define successful communication flows in the BB:CategoryDefinition: Successful Communication building block. |
| Rule | Remote Inbound Communication from a Foreign Country/Region | This rule implements GDPR 2016/679, which focuses on data exfiltration detection from the Personal Data Server reference set, where hosts that store or process personal data are listed. Define successful communication flows in the following building blocks: BB:CategoryDefinition: Source IP is a Third Country; BB:CategoryDefinition: Successful Communication. |

The following table shows the reports in JSA Content Extension for GDPR V1.0.1.

Table 6: Reports in JSA Content Extension for GDPR V1.0.1

| Report | Description |
| --- | --- |
| GDPR 2016/679 Personal Data Origin | Provides an overview of where the personal data has been obtained. Report content is collated from the following searches: GDPR as Log Source Group; Log Source as Personal Data Server. Define the non-personal user name in the BB:CategoryDefinition: Superuser Accounts building block. |
| GDPR 2016/679 JSA Data Retention Configuration | Provides an overview of the data retention period changes in JSA when the Reference Set Management and System Settings are configured. Report content is collated from the JSA Data Retention Configuration search. The null retention value means it is set to unrestricted time. Edit this search and relevant search dependencies to refine the results. This reporting doesn't include data transmitted to a third party, such as: apps that integrate with a third party product or service; apps that share data with a cloud service managed by the app vendor; rule responses set to Email, Send to Local SysLog, Send to Forwarding Destinations or Execute Custom Action. |
| GDPR 2016/679 Personal Data Processed for a User | Provides an overview of personal data processed for a user. The user name must be added to the search(es) before you generate the report. Report content is collated from the Personal Data Processed for a User search. Edit this search and relevant search dependencies to further refine results. |
| GDPR 2016/679 Record of Processing Activities | Provides an overview of JSA Processing Activities. Report content is collated from the following searches: User Processing Activities; User Processing Activities through API. Edit this search and relevant search dependencies to further refine results. |
| GDPR 2016/679 User Authentication to GDPR Personal Data Server | Provides an overview of authentication to a GDPR Personal Data Server. Report content is collated from the following searches: Authentication Success to GDPR Personal Data Server; Authentication Failure to GDPR Personal Data Server. Define authentication success events and Personal Data Server in the following building blocks: BB:CategoryDefinition: Authentication Success; BB:ComplianceDefinition: GDPR Personal Data Server. This building block checks if the IP address is in the GDPR Personal Data Server reference set. Add IP addresses to this reference set to define the hosts that typically store and process personal data. |
| GDPR 2016/679 JSA User and Role Modifications | Provides an overview of JSA user and role modifications. Report content is collated from the JSA User and Role Modifications search. Define user and role events in the BB:CategoryDefinition: SIEM User and Role Modifications building block. |
| GDPR 2016/679 Personal Data Transferred to a Third Country | Provides an overview of personal data transferred to a third country. Report content is collated from the Personal Data Transferred to a Third Country search. Edit this search and relevant search dependencies to further refine results. |
| JSA Audit - User Authentication Activity | Shows the authentication successes and failures on JSA. This includes the top user name usage and a detailed report on authentication activity. Report content is collated through the following searches: SIEM Audit - Authentication Success by Username; SIEM Audit - Authentication Failure by Username; SIEM Audit - User Authentication Activity. Edit this search and relevant search dependencies to further refine results. |

The following table shows the reference data in JSA Content Extension for GDPR V1.0.1.

Table 7: Reference Data in JSA Content Extension for GDPR V1.0.1

| Type | Name |
| --- | --- |
| Reference Set | GDPR Objected Users |
| Reference Set | GDPR Restricted Users |
| Reference Set | Personal Data Server |
| Reference Set | JSA Deployment |