GDPR Access Monitoring Rules With SureLog SIEM -1
GDPR requires organisations to control and monitor access to personal data. SureLog SIEM ships with many built-in access monitoring rules, and it is also easy to develop new rules of this kind.
Examples of such rules:
- A user changed the access rights of more than 10 users per day on more than 10 days in the last 30 days, and the user is not in the access management team,
- Multiple VPN accounts logged in from a single IP,
- Email alert when a user has not logged on for x days,
- Specific usernames logging into unapproved hostnames,
- A user connects over VPN and then accesses a database that holds personal data (notify),
- Logins against the accounts of terminated employees,
As a development sample:
We want an alert when "a user changed the access rights of more than 10 users per day on more than 10 days in the last 30 days, and this user is not in the access management team".
We will implement this rule in SureLog SIEM. The order of the rules (steps) matters; SureLog manages it with the "Rule Priority" parameter.
Step 1: Create a rule that adds USER to the "User change monitor" behavior list if USER is not in the access management team.
Special operators for behavior analysis are available, such as:
- Count Daily for Week
- Count Daily for Month
Step 2: Create a rule that alerts when a user on that behavior list has changed the access rights of more than 10 users per day on more than 10 days in the last 30 days (i.e. "a user changed the access rights of more than 10 users per day on more than 10 days in the last 30 days, and this user is not in the access management team").
Additional special operators for behavior analysis include:
- Add for Count
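To make the two steps above concrete, here is the same rule written out as plain detection logic and run over constructed log lines. This is an added example, not SureLog's own code or rule syntax: the log format, the "access_right_change" action name, the ACCESS_MGMT_TEAM membership and the actor names are all assumptions. behavior_list() plays the role of Step 1 (exclude the access management team), count_daily_for_month() stands in for the "Count Daily for Month" operator (per actor, per day, distinct target users inside the trailing 30-day window), and evaluate() applies the two "more than 10" thresholds of Step 2. The sample also covers the edge cases a practitioner would want checked: an actor who repeatedly changes the same single user (counts as 1 user per day, not 12), and an actor whose burst mostly falls outside the 30-day window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values: team membership and thresholds are illustrative, not SureLog defaults.
ACCESS_MGMT_TEAM = {"alice"}   # Step 1 exclusion: members of the access management team
WINDOW_DAYS = 30               # "in the last 30 days"
MIN_USERS_PER_DAY = 10         # "more than 10 users ... per day"
MIN_DAYS = 10                  # "on more than 10 days"

# Constructed log format (not SureLog's): ISO timestamp, actor, action, target user.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) actor=(?P<actor>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+)$"
)


def parse_line(line):
    """Return (timestamp, actor, action, target), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["actor"], m["action"], m["target"])


def make_events(actor, day_offsets, changes_per_day, now, target_fmt="user{u:02d}"):
    """Constructed sample generator: `actor` performs `changes_per_day` access-right
    changes on each day `now - offset`. target_fmt controls whether targets are distinct."""
    lines = []
    for offset in day_offsets:
        day = now - timedelta(days=offset)
        for u in range(changes_per_day):
            ts = day.replace(hour=9, minute=u % 60, second=0)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} actor={actor} "
                         f"action=access_right_change target={target_fmt.format(u=u)}")
    return lines


def behavior_list(events, team):
    """Step 1: the actors to watch are those NOT in the access management team."""
    return {actor for _, actor, _, _ in events if actor not in team}


def count_daily_for_month(events, watched, now):
    """Analogue of 'Count Daily for Month': per watched actor and per day inside the
    trailing WINDOW_DAYS window, the number of DISTINCT users whose rights were changed."""
    window_start = (now - timedelta(days=WINDOW_DAYS)).date()
    per_day = defaultdict(lambda: defaultdict(set))
    for ts, actor, action, target in events:
        if (actor in watched and action == "access_right_change"
                and window_start < ts.date() <= now.date()):
            per_day[actor][ts.date()].add(target)
    return {a: {d: len(t) for d, t in days.items()} for a, days in per_day.items()}


def evaluate(lines, now, team=ACCESS_MGMT_TEAM):
    """Run the whole rule over raw log lines and return the sorted list of alerting actors."""
    events = [e for e in map(parse_line, lines) if e]   # unparseable lines are dropped
    counts = count_daily_for_month(events, behavior_list(events, team), now)
    alerts = []
    for actor, days in counts.items():
        qualifying_days = sum(1 for n in days.values() if n > MIN_USERS_PER_DAY)
        if qualifying_days > MIN_DAYS:                   # Step 2: both "more than" thresholds
            alerts.append(actor)
    return sorted(alerts)


NOW = datetime(2024, 6, 30, 12, 0, 0)
SAMPLE_LOG = (                                            # constructed, not real logs
    make_events("bob", range(1, 12), 12, NOW)             # 11 days x 12 users, not in team -> alert
    + make_events("alice", range(1, 12), 12, NOW)         # same pattern, in team -> excluded by Step 1
    + make_events("carol", range(1, 6), 12, NOW)          # only 5 qualifying days -> no alert
    + make_events("dave", range(25, 40), 12, NOW)         # 15 days, but only 5 inside the window
    + make_events("erin", range(1, 12), 12, NOW, "user00")  # 12 changes/day to ONE user -> no alert
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG, NOW))
</```

Counting distinct target users rather than raw events is the point of the erin case: a rule that counted "Add for Count" style event totals would fire on a single user's rights being toggled twelve times, which is not what the GDPR requirement is after. The window check is a half-open interval, so a day exactly 30 days ago is excluded; adjust to taste, but document whichever edge you pick so the SureLog "Count Daily for Month" result and any out-of-band audit agree.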