General Data Protection Regulation (GDPR) compliance
Use the IBM® QRadar® Content Extension for GDPR to closely monitor for GDPR compliance. Baseline Maintenance 1.09 or higher is required for the GDPR Content Extension to perform correctly.
Install Baseline Maintenance before you install the GDPR Content Extension.
The GDPR content works together with the following QRadar capabilities:
- Data obfuscation (see Protect Sensitive Data in the IBM QRadar Administration Guide).
- QRadar Network Insights, to detect personal data on flows.
- QRadar Pulse app.
IBM Security QRadar Content Extensions for GDPR
IBM Security QRadar Content Extension for GDPR 1.0.5
The following table shows the rules with updated descriptions in IBM Security QRadar Content Extension for GDPR 1.0.5.
Type | Name | Description |
---|---|---|
Rule | Large Outbound Transfer High Rate of Transfer | Detects a single host that is sending more data out of the network than received. This rule detects over 500 MB of data transferred over a 12 minute period. |
Rule | Large Outbound Transfer Slow Rate of Transfer | Detects a single host that is sending more data out of the network than received. This rule detects over 500 MB of data transferred over a 2 hour period. This is fairly slow and could indicate stealthy data leakage. |
IBM Security QRadar Content Extension for GDPR 1.0.4
Removed a duplicate expression from the Birth Date custom property.
IBM Security QRadar Content Extension for GDPR 1.0.3
Saved searches are now shared with all users.
The following table shows the custom properties in IBM Security QRadar Content Extension for GDPR 1.0.3.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Policy Name | Yes | 1 | LEEF:[0-9\.]+\|IBM\|Guardium\|[^\|]+\|([^\|]+) |
The following table shows the rules and building blocks in IBM Security QRadar Content Extension for GDPR 1.0.3.
Type | Name | Description |
---|---|---|
Building Block | BB:CategoryDefinition: SIEM User and Role Modifications | Identifies SIEM user and role modifications events. |
Building Block | BB:DeviceDefinition: DLP Devices | Defines all data loss prevention (DLP) devices on the system. |
Rule | Suspicious Activity on Personal Data Detected by DLP Devices | Detects suspicious activity on personal data from a DLP Device. The DLP devices are defined in the BB:DeviceDefinition: DLP Devices building block. |
IBM Security QRadar Content Extension for GDPR 1.0.2
The following table shows the rules removed in IBM Security QRadar Content Extension for GDPR 1.0.2.
Type | Name | Description |
---|---|---|
Rule | Load Basic Building Blocks | This rule loads building blocks that need to be run to assist with reporting. This rule has no actions or responses. |
IBM Security QRadar Content Extension for GDPR 1.0.1
The following table shows the custom properties in IBM Security QRadar Content Extension for GDPR 1.0.1.
Name | Optimized | Capture Group | Regex | Notes |
---|---|---|---|---|
API Search ID | True | 1 | PathInfo=\/ariel\/searches\/(\S{36})\/results | Log source type: SIM Audit. Event name: API request successful |
Birth Date | False | 1 | ((?:0[1-9]|[12]\d|3[01])([\/.-])(?:0[1-9]|1[12])\2(?:(?:19|20)?\d{2})) and ((?:0[1-9]|1[12])([\/.-])(?:0[1-9]|[12]\d|3[01])\2(?:(?:19|20)?\d{2})) | Log source type: SIM Generic Log DSM. Edit the regex for this custom property as needed for your business use cases. |
Element | False | 1 | Name=\"([^\"]+)\" \'([\w\s]+) Retention\' from \'\d+\' to \'\d+\' | Log source type: SIM Audit. Event names: |
 | True | 1 | ([a-zA-Z0-9._%-]+@[a-zA-Z0-9.-]+.[a-zA-Z]{2,4}) | Log source type: SIM Generic Log DSM. Edit the regex for this custom property as needed for your business use cases. |
IBAN | False | 1 | ([a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16}) | Log source type: SIM Generic Log DSM. Edit the regex for this custom property as needed for your business use cases. |
Passport Number | True | 1 | ([A-Z0-9<]{9}[0-9]{1}[A-Z]{3}[0-9]{7}[A-Z]{1}[0-9]{7}[A-Z0-9<]{14}[0-9]{2}) | Log source type: SIM Generic Log DSM. Edit the regex for this custom property as needed for your business use cases. |
Retention Period | False | 1 | TimeToLive="([^\"]+)" \'[\w\s]+ Retention\' from \'\d+\' to \'(\d+)\' | Log source type: SIM Audit. Event names: |
Role | True | 1 | Role Name:\s+([^|]+)\s+ Current state:.+Role Name:\s+([^\|]+)\s+ Name:\s+([^|]+)\s+ Current state:.+Name:\s+\'([^\']+)\' | Log source type: SIM Audit. Event names: |
Search Executed | True | 1 | Filters:(.*?)\,\s+Columns | Log source type: SIM Audit. Event name: Search Executed |
User Account | True | 1 | Username:\s+([^|]+)\s+ | Log source type: SIM Audit. Category: SIM Configuration Change |
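The regexes above are what the personal-data building blocks actually evaluate, so it is worth running them against real-looking log lines before trusting them. The following script is an added example and is not part of the content extension: the regexes are copied from the table, the log lines are constructed for this demonstration, the e-mail row's property name did not survive in the table so "E-mail address" is a label chosen here, and Python's re module stands in for the Java regex engine QRadar uses (the constructs involved behave the same in both). It also shows two behaviours a practitioner should know before editing the regexes as the Notes column suggests: the month alternation 1[12] in the Birth Date expressions matches 11 and 12 but not 10, and the unescaped "." before the TLD class in the e-mail regex lets a match run into the following word.

```python
"""Exercise the GDPR 1.0.1 custom-property regexes against constructed log lines.
Added example: regexes copied from the table, sample lines made up for this demo,
Python's re module standing in for QRadar's Java regex engine."""
import re
from typing import List, Optional

# Regexes exactly as listed in the table; capture group 1 carries the value.
# The table row for the e-mail regex lost its property name during extraction;
# "E-mail address" is a label used by this example only.
PATTERNS = {
    "API Search ID": r"PathInfo=\/ariel\/searches\/(\S{36})\/results",
    "E-mail address": r"([a-zA-Z0-9._%-]+@[a-zA-Z0-9.-]+.[a-zA-Z]{2,4})",
    "IBAN": r"([a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16})",
    "Passport Number": r"([A-Z0-9<]{9}[0-9]{1}[A-Z]{3}[0-9]{7}[A-Z]{1}[0-9]{7}[A-Z0-9<]{14}[0-9]{2})",
    "Search Executed": r"Filters:(.*?)\,\s+Columns",
    "User Account": r"Username:\s+([^|]+)\s+",
}
# Birth Date shipped as two expressions in 1.0.1 (day-first and month-first).
BIRTH_DATE_PATTERNS = [
    r"((?:0[1-9]|[12]\d|3[01])([\/.-])(?:0[1-9]|1[12])\2(?:(?:19|20)?\d{2}))",
    r"((?:0[1-9]|1[12])([\/.-])(?:0[1-9]|[12]\d|3[01])\2(?:(?:19|20)?\d{2}))",
]

# Constructed sample lines. The MRZ is the ICAO 9303 specimen passport, line 2.
AUDIT_LINE = ("Mar 15 10:21:07 qradar-console SIM Audit user=admin "
              "PathInfo=/ariel/searches/3f1b2c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d/results "
              "API request successful")
EXPORT_LINE = ("Mar 15 10:22:01 crm-app export iban=GB82WEST12345698765432 "
               "dob=12/11/1987 customer=jane.doe@example.org")
MRZ_LINE = "Mar 15 10:23:44 kyc-scan mrz2=L898902C36UTO7408122F1204159ZE184226B<<<<<10"
SEARCH_LINE = "Search Executed Filters:Log Source is GDPR-DLP, Columns:starttime,sourceip"
USER_LINE = "User Created Username: jdoe | Role: Admin"
OVERRUN_LINE = "user=jane.doe@example.org from 10.0.0.5"   # a word follows the address


def extract(name: str, line: str) -> Optional[str]:
    """Return capture group 1 of the named property, or None when it does not match."""
    m = re.search(PATTERNS[name], line)
    return m.group(1) if m else None


def extract_birth_date(line: str) -> Optional[str]:
    """Try both Birth Date expressions; the first one that matches wins."""
    for pattern in BIRTH_DATE_PATTERNS:
        m = re.search(pattern, line)
        if m:
            return m.group(1)
    return None


def personal_data_hits(line: str) -> List[str]:
    """Personal-data properties that fire on a line: the kind of test
    BB:ComplianceDefinition: Personal Data Detected on Events performs."""
    hits = [name for name in ("E-mail address", "IBAN", "Passport Number")
            if extract(name, line)]
    if extract_birth_date(line):
        hits.append("Birth Date")
    return hits


if __name__ == "__main__":
    for label, line in (("audit", AUDIT_LINE), ("export", EXPORT_LINE), ("mrz", MRZ_LINE)):
        print(label, personal_data_hits(line))
    print("API Search ID:", extract("API Search ID", AUDIT_LINE))
    print("October birth date:", extract_birth_date("dob=15/10/1987"))   # None: 1[12] skips 10
    print("E-mail overrun:", extract("E-mail address", OVERRUN_LINE))     # runs into "from"
```

The same lines make a useful regression test after you edit a regex: keep the lines that should match, add the ones from your own log sources that should not, and re-run before redeploying the custom property.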
The following table shows the rules and building blocks in IBM Security QRadar Content Extension for GDPR 1.0.1.
Type | Name | Description |
---|---|---|
Building Block | BB:CategoryDefinition: Authentication Failures | Includes all events that indicate an unsuccessful attempt to access the network. |
Building Block | BB:CategoryDefinition: Authentication Successes | Includes all events that indicate successful attempts to access the network. |
Building Block | BB:CategoryDefinition: Data Transfer Event Categories | Edit this building block to define data transfer categories on events. |
Building Block | BB:CategoryDefinition: Data Transfer Flow Categories | Edit this building block to define data transfer categories on flows. |
Building Block | BB:CategoryDefinition: Destination IP is a Third Country/Region | Edit this building block to include any geographic location that would be classified as a third country. After configuration, you can enable the following rules: |
Building Block | BB:CategoryDefinition: SIEM User and Role Modifications | Checks the QID specific to QRadar user and role creation and modification. |
Building Block | BB:CategoryDefinition: Source IP is a Third Country/Region | Edit this building block to include any geographic location that would be classified as a third country. After configuration, you can enable the following rules: |
Building Block | BB:CategoryDefinition: Superuser Accounts | Lists the superuser accounts or user names. |
Building Block | BB:ComplianceDefinition: GDPR Personal Data Server | Defines the hosts that typically store and process personal data. Configure the Personal Data Server reference set to define these hosts in your environment. |
Building Block | BB:ComplianceDefinition: Personal Data Detected on Events | Edit this building block to define custom properties that can contain personal data. The following custom properties are created by default and must be adapted to the relevant log sources: You can create other custom properties for personal data and add them to this building block. Personal data covers both common identifiers (for example IP addresses, user names) and sensitive identifiers (for example credit card numbers). |
Building Block | BB:ComplianceDefinition: Personal Data Detected on Flows | Edit this building block to define custom properties or fields that can contain personal data. The following QRadar Network Insights fields are adapted by default: Personal data covers both common identifiers (for example IP addresses, user names) and sensitive identifiers (for example credit card numbers). |
Building Block | BB:ComplianceDefinition: Processing Objected Users on Events | Defines the users who object to the collecting and processing of their personal data. Configure the GDPR Objected Users reference set to define the user names that apply in your environment. |
Building Block | BB:ComplianceDefinition: Processing Objected Users on Flows | Defines the users who object to the collecting and processing of their personal data. Configure the GDPR Objected Users reference set to define the user names that apply in your environment. |
Building Block | BB:ComplianceDefinition: Processing Restricted Users on Events | Defines the users who have obtained restrictions on the processing of their personal data. Configure the GDPR Restricted Users reference set to define the user names that apply in your environment. |
Building Block | BB:ComplianceDefinition: Processing Restricted Users on Flows | Defines the users who have obtained restrictions on the processing of their personal data. Configure the GDPR Restricted Users reference set to define the user names that apply in your environment. |
Rule | Data Exfiltration Detected from GDPR Personal Data Server | Supports GDPR 2016/679 by detecting data exfiltration from hosts in the Personal Data Server reference set, where hosts that store or process personal data are listed. Edit this rule to refine it on specific data transfer events or building blocks. Define file transfer on events and flows in the following rules and building blocks: |
Rule | Large Outbound Transfer High Rate of Transfer | Detects a single host that is sending more data out of the network than received. This rule detects over 2 MB of data transferred over a 12 minute period. |
Rule | Large Outbound Transfer Slow Rate of Transfer | Detects a single host that is sending more data out of the network than received. This rule detects over 2 MB of data transferred over a 2 hour period. This is fairly slow and could indicate stealthy data leakage. |
Rule | Load Basic Building Blocks | Loads building blocks that need to be run to assist with reporting. This rule has no actions or responses. |
Rule | Personal Data Processed for Objected Users on Events | Supports GDPR 2016/679 by detecting personal data collected on users who object to the collection and processing of their personal data. Edit this rule to monitor specific events such as data transfer or data modifications with personal data. Define personal data detection in the BB:ComplianceDefinition: Personal Data Detected on Events building block. Define objected users in the BB:ComplianceDefinition: Processing Objected Users on Events building block. |
Rule | Personal Data Processed for Objected Users on Flows | Supports GDPR 2016/679 by detecting personal data collected on users who object to the collection and processing of their personal data. Edit this rule to monitor specific flows such as data transfer with personal data. Define personal data detection in the BB:ComplianceDefinition: Personal Data Detected on Flows building block. Define objected users in the BB:ComplianceDefinition: Processing Objected Users on Flows building block. |
Rule | Personal Data Transferred to Third Countries/Regions | Supports GDPR 2016/679 by detecting personal data transferred to third countries/regions for any user. Edit this rule to monitor specific events such as data transfer or data modifications with personal data. Define data transfer categories in the following building blocks: Define third countries in the BB:CategoryDefinition: Destination IP is a Third Country/Region building block. Define personal data detection in the following building blocks: |
Rule | Personal Data Transferred to Third Countries/Regions for Users | Supports GDPR 2016/679 by detecting personal data transferred to third countries/regions for users who either restrict or object to processing. Edit this rule to monitor specific events such as data transfer or data modifications with personal data. When you enable this rule, refine the Personal Data Transferred to Third Countries/Regions rule so that both rules do not fire an offense for the same transfer. Define restricted or objected users in the following building blocks: Define personal data detection in the following building blocks: |
Rule | Possible Shared Accounts | Detects the use of a shared account. Edit the BB:CategoryDefinition: Superuser Accounts building block to exclude superuser accounts. |
Rule | Remote Connection on GDPR Personal Data Server | Supports GDPR 2016/679 by detecting remote connections to hosts in the Personal Data Server reference set, where hosts that store or process personal data are listed. Define successful communication flows in the BB:CategoryDefinition: Successful Communication building block. |
Rule | Remote Inbound Communication from a Foreign Country/Region | Supports GDPR 2016/679 by detecting inbound communication from a foreign country/region to hosts in the Personal Data Server reference set, where hosts that store or process personal data are listed. Define successful communication flows in the following building blocks: |
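The two Large Outbound Transfer rules (described above with their 1.0.1 thresholds of 2 MB, raised to 500 MB in 1.0.5) and the Data Exfiltration Detected from GDPR Personal Data Server rule all rest on the same test: per source host, sum the bytes sent and received within a trailing window, flag hosts that sent more than they received and more than the threshold, then narrow to hosts in the Personal Data Server reference set. The following plain-Python model of that test is an added example, not an export of the QRadar rules: the flow records, the reference set contents and the "current time" are constructed, and the window is a simple trailing interval rather than QRadar's own scheduling, but the thresholds are the 1.0.5 values.

```python
"""Plain-Python model of the byte-volume test behind the "Large Outbound Transfer"
rules and the Personal Data Server reference set. Added example with constructed
flows; not QRadar rule logic exported from the content extension."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

MB = 1024 * 1024
NOW = 1_700_000_000  # constructed "current time", seconds since the epoch


@dataclass(frozen=True)
class Flow:
    ts: int          # flow start time, seconds since the epoch
    src: str         # local host that initiated the flow
    dst: str         # remote peer
    src_bytes: int   # bytes the local host sent (outbound)
    dst_bytes: int   # bytes the remote peer sent back (inbound)


# Constructed sample flows, all initiated by local hosts.
SAMPLE_FLOWS: List[Flow] = [
    # 10.0.0.5: 600 MB out, 20 MB in, all inside the last 12 minutes
    Flow(NOW - 10 * 60, "10.0.0.5", "203.0.113.10", 200 * MB, 5 * MB),
    Flow(NOW - 6 * 60, "10.0.0.5", "203.0.113.10", 200 * MB, 5 * MB),
    Flow(NOW - 2 * 60, "10.0.0.5", "203.0.113.11", 200 * MB, 10 * MB),
    # 10.0.0.9: a large download, not an exfiltration candidate (in >> out)
    Flow(NOW - 5 * 60, "10.0.0.9", "198.51.100.7", 100 * MB, 900 * MB),
    # 10.0.0.7: 150 MB every half hour, 600 MB out over two hours, nothing in the last 12 minutes
    Flow(NOW - 110 * 60, "10.0.0.7", "203.0.113.50", 150 * MB, 1 * MB),
    Flow(NOW - 80 * 60, "10.0.0.7", "203.0.113.50", 150 * MB, 1 * MB),
    Flow(NOW - 50 * 60, "10.0.0.7", "203.0.113.50", 150 * MB, 1 * MB),
    Flow(NOW - 20 * 60, "10.0.0.7", "203.0.113.50", 150 * MB, 1 * MB),
]

# Stand-in for the "Personal Data Server" reference set (constructed contents).
PERSONAL_DATA_SERVERS: Set[str] = {"10.0.0.5", "10.0.0.20"}


def byte_totals(flows: Iterable[Flow], now: int, window_seconds: int) -> Dict[str, Tuple[int, int]]:
    """Sum (outbound, inbound) bytes per source host over the trailing window."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        if now - window_seconds <= f.ts <= now:
            totals[f.src][0] += f.src_bytes
            totals[f.src][1] += f.dst_bytes
    return {host: (out_b, in_b) for host, (out_b, in_b) in totals.items()}


def large_outbound_transfer(flows: Iterable[Flow], now: int,
                            window_seconds: int, threshold_bytes: int) -> List[str]:
    """Hosts that sent more than they received and more than the threshold in the window."""
    return sorted(host for host, (out_b, in_b) in byte_totals(flows, now, window_seconds).items()
                  if out_b > in_b and out_b > threshold_bytes)


def exfil_from_personal_data_server(hosts: Iterable[str], personal_data_servers: Set[str]) -> List[str]:
    """Narrow flagged hosts to members of the Personal Data Server reference set."""
    return sorted(h for h in hosts if h in personal_data_servers)


if __name__ == "__main__":
    fast = large_outbound_transfer(SAMPLE_FLOWS, NOW, 12 * 60, 500 * MB)     # high rate
    slow = large_outbound_transfer(SAMPLE_FLOWS, NOW, 2 * 3600, 500 * MB)    # slow rate
    print("High Rate of Transfer:", fast)
    print("Slow Rate of Transfer:", slow)
    print("Exfiltration from Personal Data Server:",
          exfil_from_personal_data_server(slow, PERSONAL_DATA_SERVERS))
```

Host 10.0.0.7 illustrates why the slow-rate variant exists: each of its uploads stays under the threshold and none falls inside the 12-minute window, yet the two-hour total does exceed it. Host 10.0.0.9 moves more bytes than either, but in the inbound direction, so neither rule fires. If you lower the thresholds back toward the 1.0.1 values, rerun the same flows and watch how many ordinary hosts begin to qualify.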
The following table shows the reports in IBM Security QRadar Content Extension for GDPR 1.0.1.
Report | Description |
---|---|
GDPR 2016/679 Personal Data Origin | Provides an overview of where the personal data has been obtained. Report content is collated from the following searches: Define the non-personal user names in the BB:CategoryDefinition: Superuser Accounts building block. |
GDPR 2016/679 QRadar Data Retention Configuration | Provides an overview of the data retention period changes in QRadar when the Reference Set Management and System Settings are configured. Report content is collated from the QRadar Data Retention Configuration search. A null retention value means retention is set to an unrestricted time. Edit this search and relevant search dependencies to refine the results. This reporting doesn't include data transmitted to a third party, such as: |
GDPR 2016/679 Personal Data Processed for a User | Provides an overview of personal data processed for a user. The user name must be added to the search(es) before you generate the report. Report content is collated from the Personal Data Processed for a User search. Edit this search and relevant search dependencies to further refine results. |
GDPR 2016/679 Record of Processing Activities | Provides an overview of QRadar processing activities. Report content is collated from the following searches: Edit these searches and relevant search dependencies to further refine results. |
GDPR 2016/679 User Authentication to GDPR Personal Data Server | Provides an overview of authentication to a GDPR Personal Data Server. Report content is collated from the following searches: Define authentication success events and the Personal Data Server in the following building blocks: |
GDPR 2016/679 QRadar User and Role Modifications | Provides an overview of QRadar user and role modifications. Report content is collated from the QRadar User and Role Modifications search. Define user and role events in the BB:CategoryDefinition: SIEM User and Role Modifications building block. |
GDPR 2016/679 Personal Data Transferred to a Third Country | Provides an overview of personal data transferred to a third country. Report content is collated from the Personal Data Transferred to a Third Country search. Edit this search and relevant search dependencies to further refine results. |
QRadar Audit - User Authentication Activity | Shows the authentication successes and failures on QRadar, including the top user names and a detailed report on authentication activity. Report content is collated from the following searches: Edit these searches and relevant search dependencies to further refine results. |
The following table shows the reference data in IBM Security QRadar Content Extension for GDPR 1.0.1.
Type | Name |
---|---|
Reference Set | GDPR Objected Users |
Reference Set | GDPR Restricted Users |
Reference Set | Personal Data Server |
Reference Set | QRadar Deployment |