
ArcSight ESM CIP for GDPR

Software Version: 1.0

Solutions Guide

Document Release Date: November 2021


Software Release Date: January 2022
Solutions Guide

Legal Notices
Open Text Corporation
275 Frank Tompa Drive, Waterloo, Ontario, Canada, N2L 0A1

Copyright Notice
Copyright 2021 Open Text.
The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are as may be
set forth in the express warranty statements accompanying such products and services. Nothing herein should be
construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or
omissions contained herein. The information contained herein is subject to change without notice.

Trademark Notices
“OpenText” and other Open Text trademarks and service marks are the property of Open Text or its affiliates. All other
trademarks or service marks are the property of their respective owners.

Support
Contact Information
Phone A list of phone numbers is available on the Technical Support
Page: https://softwaresupport.softwaregrp.com/support-contact-information

Support Web Site https://softwaresupport.softwaregrp.com/

ArcSight Product Documentation https://www.microfocus.com/documentation/arcsight/

About this PDF Version of Online Help


This document is a PDF version of the online help. This PDF file is provided so you can easily print multiple topics from
the help information or read the online help in PDF format. Because this content was originally created to be viewed as
online help in a web browser, some topics may not be formatted properly. Some interactive topics may not be present
in this PDF version. Those topics can be successfully printed from within the online help.

OpenText ESM CIP for GDPR (1.0) Page 2 of 91



Contents
Chapter 1: Compliance Insight Package for GDPR Overview and Architecture 4
CIP for GDPR 4
Solution Architecture 4
GDPR Rules Overview 7
Risk Score Overview Dashboard 8
Solution for GDPR CIP Device Coverage 10
Chapter 2: Solution Installation and Configuration 11
Prepare for Installation 11
Prepare Environment 11
Verify Environment 11
Install Solution for GDPR CIP 12
Assign User Permissions 13
Configure CIP for GDPR Solution 14
Model Assets (Assign Asset Categories) 15
CIP for GDPR Categorization 15
Categorizing Assets and Zones 16
Configure Active Lists 17
Active Lists that Require Configuration 19
Configure Active Lists Using Console Active List Editor 21
Configure Active Lists by Importing a CSV File 22
Configure My Filters 22
After Hours Filter 23
Limit Regulation Filter 23
Deploy the CIP for GDPR Rules 24
Enable Data Monitors 24
Configure Additional Resources 24
Build FlexConnector(s) for Physical Access Devices 25
Chapter 3: CIP for GDPR Use Cases 27
General Use Cases 28
Appendix A: GDPR Resource Reference 46
Appendix B: GDPR Categories 88

Send Documentation Feedback 91



Chapter 1: Compliance Insight Package for GDPR
Overview and Architecture
The General Data Protection Regulation (GDPR) provides a single set of rules for protecting the
personal data of all European Union (EU) residents and visitors.
GDPR consists of two components: the articles (99) and recitals (173). The articles constitute
the legal requirements organizations must follow to demonstrate compliance.
The recitals provide additional information and supporting context to supplement the articles.

CIP for GDPR


Compliance Insight Package for GDPR (CIP for GDPR) provides an essential foundation for your
GDPR compliance program. CIP for GDPR uses ArcSight™ ESM features, such as event and asset
categorization, threat prioritization and real-time monitoring, to identify and address
activities and anomalies involving systems that are subject to GDPR compliance. CIP for GDPR is
made up of a comprehensive and easily customizable set of ArcSight ESM resources (rules,
dashboards, data monitors, active channels, and so on), which enable you to measure and
report on your compliance with GDPR by addressing the following objectives:
• Compliance reporting: Supports the presentation of requirements to internal and external
audit teams, as well as upper management.
• Real-time detection of compliance breaches: Proactively addresses compliance violations.
• Security best practices: Due diligence in complying with the GDPR standard, as well as security
policies and best practices.
• Automation of monitoring IT controls: CIP for GDPR follows and adapts to changes in the IT
environment. More than 90 correlation rules can be used to monitor policy compliance
violations in real time.
• Harmful user and machine monitoring: Tracks potentially harmful users and machines.
• Visualizing security events: Displays security events graphically, which allows analysts to
quickly analyze situations.
• Vulnerability and configuration change monitoring: Tracks vulnerabilities and
configuration changes.

Solution Architecture
CIP for GDPR helps ensure compliance with GDPR requirements by providing a set of use cases
that address and support the GDPR security controls, as listed in Chapter 3, "CIP for GDPR Use
Cases".


Resources are organized into use cases by security purpose or area, such as Audit Log Cleared
or Personally Identifiable Information Monitoring. These use cases are represented in ArcSight
ESM as use case resources and provide a central location for managing content. The CIP for
GDPR use cases are listed in the Use Cases tab of the Navigator panel, as shown in the following
figure.




For example, the following figure shows the resources that make up the Data Flow between
GDPR Systems and non EU Countries use case resource.




For instructions on viewing the resources associated with a use case, see “View Use Case
Resources” in Chapter 2.
In addition to the resources supplied to help address specific GDPR Articles, there is a common
set of filters and active lists that support the entire solution. These common resources are
described in "Solution Installation and Configuration". They require configuration to tailor
the content to your environment, such as the privileged account names or the DMZ assets in
your organization.

GDPR Rules Overview


The GDPR Rules Overview dashboard summarizes the compliance state determined by the correlation
rules for the whole GDPR regulation. The GDPR Rules Overview dashboards are available from the
GDPR/Overview group, as shown in the following figure.




The dashboard presents:

• An event graph that shows the relationships of the non-compliant systems with other systems
on the network.
• A bar chart that shows the top 10 triggered rules.
• A bar chart that shows the top 10 targets of the triggered rules.
• A bar chart that shows the top 10 attackers of the triggered rules.
The following figure shows the GDPR Rules Overview dashboard.

Risk Score Overview Dashboard


In addition to the GDPR Rules Overview dashboard, GDPR for ESM provides the Compliance Risk
Score dashboard, which gives a high-level overview of the risk associated with each ARTICLE
of the GDPR regulation in your environment.


The Compliance Risk Score Overview dashboard summarizes your environment’s overall state
of compliance with the GDPR standard as determined by the correlation rules triggered for each
ARTICLE.
The following figure shows the Compliance Risk Score Overview dashboard:

The dashboard is populated when a possible violation or an actual violation occurs. A yellow or
red data monitor can be turned to green manually when the situation is remedied, by right-clicking
the data monitor and selecting Override Status.
The colors of the traffic lights indicate the current state as described in the following table:

Color    State               Description
Red      Violation           This situation occurs when one or more rules are triggered by
                             event activity that violates compliance for this GDPR ARTICLE
                             section.
Yellow   Possible Violation  This situation occurs when one or more marginal events occur that
                             could indicate a policy problem, or that are a borderline
                             compliance violation.
Green    Compliant           Systems are considered compliant when any events related to this
                             GDPR ARTICLE remain under the threshold of Yellow.

Before running the Compliance Risk Score Overview dashboard, make sure of the following:
• The Compliance Risk Score Overview data monitor, also available from GDPR/Overview, is
enabled. Refer to Chapter 2, “Enabling data monitors”.
• The Compliance Score Update rule, also available from GDPR/Overview, is enabled. Refer to
Chapter 2, “Enabling GDPR Rules”.
• The Manual Status Change rule, also available from GDPR/Overview, is enabled. Refer to
Chapter 2, “Enabling GDPR Rules”.

Solution for GDPR CIP Device Coverage


Solution for GDPR CIP leverages event feeds from multiple sources. For a list of devices that are
capable of generating events to populate the Solution for GDPR resources, see "CIP for GDPR
Use Cases" in Chapter 3.
To gather events from physical access devices, such as badge readers, you must build
FlexConnectors tailored to the type of physical access devices you use. For instructions about
how to build and configure a FlexConnector for a physical access device, see "Build
FlexConnector(s) for Physical Access Devices" in Chapter 2.



Chapter 2: Solution Installation and Configuration
This chapter contains information on installing and configuring the Compliance Insight Package
for GDPR (CIP for GDPR).

Prepare for Installation


Before installing CIP for GDPR, complete the following preparation tasks:
1. "Prepare Environment" below
2. "Verify Environment" below

Prepare Environment
Before installing, prepare your environment for the CIP for GDPR:
1. Install and configure the appropriate SmartConnectors for the devices found in your
environment.
2. Model your network to include the devices that supply events that help satisfy the GDPR
requirements. Verify that zones and networks are defined for your environment and that
networks are assigned to the connectors reporting GDPR-relevant events into your
ArcSight Manager. Learn more about the ArcSight network modeling process in ArcSight
ESM 101. Find instructions for how to configure zones and networks in the ArcSight
Console User's Guide or the ArcSight Console User's Guide online help.

Note: RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are automatically
categorized as protected because their zones are already categorized as protected.

Verify Environment
Before installing, verify your ArcSight ESM installation. Compliance Insight Package for GDPR is
supported on ArcSight ESM. Refer to the ESM technical requirements for operating system
requirements. Refer also to the applicable release notes for the version in question.
Verify that your system has the supported ArcSight Console connected to the Manager.

Note: CIP for GDPR is a self-contained solution that does not rely on any other ArcSight solution.
You can install CIP for GDPR alongside other solutions on the same ArcSight Manager. Before
installing new solutions, Micro Focus recommends that you back up any existing solutions
installed on the Manager.




Install Solution for GDPR CIP


The solution is supplied in a single ArcSight package bundle file called ArcSight-
ComplianceInsightPackage-GDPR.1.0.<nnnn>.arb, where <nnnn> is the 4 character build
number.

To install the CIP for GDPR package:


1. Using the login credentials supplied to you, download the CIP for GDPR bundle from the
software download site to the machine where you plan to launch the ArcSight Console:
ArcSight_ESM_Compliance_Pack_GDPR.v1.0.0.0.arb

Caution: If you use Internet Explorer to download the ARB file, it may convert the ARB file to a
ZIP file. If this occurs, rename the ZIP file back to an ARB file before importing.

2. Log into the ArcSight Console as an ArcSight Administrator.


3. Click the Packages tab in the Navigator panel.
4. Click Import.
5. In the Open dialog, browse and select the package bundle file and select Open.
The progress of the import of the package bundle is displayed in the Progress tab of the
Importing Packages dialog.
When the import is complete, the Results tab of the Importing Packages dialog is displayed
as well as the Packages for Installation dialog as shown in the following figure.




6. Leave the GDPR checkbox selected and in the Packages for Installation dialog, click Next.
The progress of the install is displayed in the Progress tab of the Installing Packages dialog.
When the install is complete, the Results tab of the Installing Packages dialog displays the
Summary Report.
7. In the Installing Packages dialog, click OK.
8. In the Importing Packages dialog, click OK.
9. To verify that the installation was successful and the content is accessible in the Navigator
panel, expand the ArcSight Solutions/GDPR group.

Assign User Permissions


By default, users in the Default user group can view CIP for GDPR content, and users in the
ArcSight Administrators and Analyzer Administrators user groups have read and write
access to the solution content. Depending on how you have set up user access controls within
your organization, you may need to adjust those controls to make sure the new content is
accessible to the right users in your organization.




The following process assumes that you have user groups set up and users assigned to them.
In the following procedure, assign user permissions to all the following resource types:
• Active channels
• Active lists
• Dashboards
• Data monitors
• Field sets
• Filters
• Queries
• Rules

To assign user permissions:


1. Log into the Console as ArcSight Administrator.
2. For all the resource types listed above, change the user permissions:
a. In the Navigator panel, go to the resource type and navigate to ArcSight
Solutions/GDPR.
b. Right-click the GDPR group and select Edit Access Control to open the ACL editor in the
Inspect/Edit panel.
c. In the ACL editor in the Inspect/Edit panel, select which user groups you want to have
permissions to the CIP for GDPR resources and click OK.

Configure CIP for GDPR Solution


Several of the CIP for GDPR resources should be configured with values specific to your
environment. Some features also require additional SmartConnector configuration. This
section describes these configuration processes.
Depending on the features you want to implement and how your network is set up, some
configuration tasks are required and some are optional. The list below shows all the
configuration tasks involved with the CIP for GDPR and where to find instructions for
performing the configuration.
This section contains the instructions required to enable content for the CIP for GDPR and
contains the following topics:
• "Model Assets (Assign Asset Categories)" on the next page
• "Configure Active Lists" on page 17




• "Configure My Filters" on page 22
• "Deploy the CIP for GDPR Rules" on page 24
The configuration processes outlined in this section apply to resources that feed the CIP for
GDPR.

Model Assets (Assign Asset Categories)


Asset modeling is essential to enable CIP for GDPR content. Classifying assets in one or more of
the solution asset categories is essential for the following reasons:
• Some of the CIP for GDPR content requires assets to be modeled in order to function
correctly.
• In some cases, modeling assets adds valuable business context to the events evaluated by
the CIP for GDPR.

CIP for GDPR Categorization


CIP for GDPR uses the asset categories under the /ArcSight Solutions/Compliance
Insight Package/ group shown below.




Categorizing Assets and Zones


The CIP for GDPR solution relies on ArcSight asset and zone categorization to define your
environment. Certain content does not display unless assets or zones are categorized. For
detailed information about which assets and zones need to be categorized for each resource,
refer to "Appendix A: CIP for GDPR Resource Reference" on page 103.
• For a list of all use cases and which assets and zones need to be categorized for each use
case, refer to "CIP for GDPR Use Cases" on page 46.
• For a list of all categorizations used and the resources which use those categorizations, see
"Appendix B: Asset and Zones Categories" on page 104.
You can assign the solution asset categories with the following methods:




One-by-one using the ArcSight Console


Use this method if you have only a few assets to categorize. One asset can be categorized in
more than one asset category. To categorize your assets one-by-one:
1. In the Navigator panel, go to Assets and select the Assets tab.
2. On the Asset tab, expand the groups listed.
3. For each asset you want to classify with an asset category, repeat the following steps:
a. Right-click the asset you want to categorize and select Edit Asset.
b. In the Inspect/Edit panel, click the Categories tab. Click the add icon (+) at the top of the
screen to select new resources.
c. In the Asset Categories Selector pop-up window, navigate to the appropriate network
domain category and click OK.
After you assign your assets to the CIP asset categories, you can also assign them to other asset
categories, either within the solution package or the general ArcSight categories, or those you
have created yourself.

Using the Network Model Wizard


A Network Model wizard is provided on the ArcSight Console (menu option Tools > Network
Model). The Network Model wizard enables you to quickly populate the ESM network model
by batch loading asset and zone information from comma-separated value (CSV) files. For more
information, see the ArcSight Console User’s Guide.

Using the ArcSight Asset Import File Connector


If you have many assets that you want to track, you can configure them in a batch using the
ArcSight Asset Import File Connector. This connector can also create new assets as part of the
batch function. The ArcSight Asset Import File Connector is available as part of the ArcSight
SmartConnector download. For instructions on how to use this connector to configure your
assets for CIP GDPR, see the ArcSight Asset Import File SmartConnector Configuration Guide.

Configure Active Lists


CIP for GDPR contains numerous active lists that retain specific data that is cross-referenced
dynamically at run time by ArcSight resources that use conditions, such as filters, rules,
and query viewers.
You can populate the GDPR active lists using any of the following processes:




• Add entries to active lists, one-by-one, using the Active List editor in the ArcSight Console.
For detailed instructions, see "Configure Active Lists Using Console Active List Editor" on
page 21. This method can be used to populate active lists with one, two, or more columns.
• Add entries in batch to an active list from a comma-separated value (CSV) file. For detailed
instructions, see "Configure Active Lists by Importing a CSV File" on page 22. This method
can be used to populate active lists with one, two, or more columns.
The table "Active Lists that Require Configuration" defines the active lists that require
configuration for the CIP for GDPR. Some active lists are intended to be populated by rules;
others require manual configuration for the CIP for GDPR. For a complete listing (with
descriptions) of all active lists provided with CIP for GDPR that require configuration, see the
table below.




Active Lists that Require Configuration

Active List: Administrative Accounts
Description: This active list should be populated with the usernames that have administrative
privileges in your domain. Admins (those responsible for managing administrative users)
populate this list manually whenever a new administrative user is added. Entries in this list
are read by reports supplied in the content pack, but the list can also be added to or
referenced in new content built around the provided infrastructure. Entries in this list
should be in all lower case. For example, the user Administrator should be added as
"administrator".
Expected Input Per Entry: User name, in lowercase.

Active List: Badges to Accounts
Description: This list contains the computer account and employee type for every physical
badge. Populate this active list with the badge ID, the primary computer account for the
badgeholder (if the badgeholder is a visitor, use the visitor user name), and the employee
type for users in your organization (in lowercase). Specifically, ensure that contractors and
visitors are identified with the word “Contractor” or “Visitor” (case insensitive) in the
employee type field.
Expected Input Per Entry: Badge ID; primary computer account for the badgeholder (if a
visitor, the visitor user name); employee type (in lowercase), with contractors and visitors
identified by the word “Contractor” or “Visitor” (case insensitive) in the employee type field.

Active List: DMZ Assets
Description: This list should contain the DMZ assets of the organization, such as DNS, web and
SMTP servers. It contains 2 fields, IPAddress and AssetType, where IPAddress is the IP address
of the asset and AssetType is the type of the asset in lower case (by default 3 types are
supported: dns, web, smtp). For example, if your web server IP is x.y.z.w you should add it
as IPAddress=x.y.z.w, AssetType=web.
Expected Input Per Entry: IP address of an authorized DNS, web or SMTP server in your
organization; asset type, one of dns, web or smtp, in lower case.

Active List: Important Emails
Description: This list stores the email addresses of high-profile targets in the organization,
such as C-level executives, who could be targeted by spear phishing attacks. Entries in this
list should be in all lower case.
Expected Input Per Entry: Email and UserName, in lowercase.

Active List: Insecure Ports
Description: This active list includes ports related to unencrypted and thus insecure
communication services.
Expected Input Per Entry: Port number.

Active List: Insecure Processes
Description: This active list includes the names of processes that provide unencrypted and
thus insecure communications.
Expected Input Per Entry: Process name, in lowercase.

Configure Active Lists Using Console Active List Editor


You can add entries to active lists, one-by-one, using the Active List editor of the ArcSight
Console.
1. In the Navigator panel, go to Lists and navigate to ArcSight Solutions/GDPR.
2. Right-click the active list you wish to populate and select Show Entries. The active list
details are displayed in the Viewer panel.
3. For each entry you wish to add to the active list, repeat the following steps:
a. To add an entry to the list, click the add icon in the active list header.
b. In the Active List Entry editor of the Inspect/Edit panel, enter values for each column in
the list except for the dynamic columns listed in the following table and click Add.




Name            Value
Creation Time   This field is reserved for active lists that are populated dynamically by rule
                actions. Leave this field blank.
Last Seen Time  This field is reserved for active lists that are populated dynamically by rule
                actions. Leave this field blank.
Count           This field is reserved for active lists that are populated dynamically by rule
                actions. Leave this field unchanged.

Configure Active Lists by Importing a CSV File


Active lists can be populated in a single step, by importing entries from an existing CSV file. The
number of columns in the active list must match the number of comma separated values in the
CSV file. For example, if the active list has two columns of data, the imported CSV file must
have two comma-separated fields.
1. In the Active Lists resource tree of the ArcSight Console, right-click an active list and
choose Import CSV File.
A file browser opens.
2. Browse to find the CSV file you want to import, select it, and click Open. The Import
Preview dialog displays the data from the CSV file to be imported into the active list.
3. To add the entries from the selected file into the active list, in the Import Preview dialog,
click OK. The new entries from the file are appended to the existing entries in the active
list.
4. To verify that your entries were imported as expected, right-click the active list you just
populated with the CSV file and select Show Entries.
This displays the newly-added data from the CSV file in the Viewer panel as active list
details.

Tip: By default, the active list displays 2000 entries at a time. To view entries outside the
range shown, create an active list filter that specifies a different range (click Filter in the
active list header).
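The CSV import appends whatever is in the file, so the column count and the lowercase conventions from the active list table are worth checking before the file reaches the Console. The script below is an added example, not part of the guide or of the CIP for GDPR package: it parses a CSV intended for one of the solution's active lists, rejects lines whose field count does not match the list's column count, lowercases text fields, and applies the per-list checks the guide describes (valid IP address and one of dns/web/smtp for DMZ Assets, a numeric port for Insecure Ports). The column names for the lists other than DMZ Assets are assumed for the example; the Console's Show Entries view shows the real ones.

```python
import csv
import io
import ipaddress

# Column layouts for the CIP for GDPR active lists that need manual population.
# IPAddress/AssetType are named in the guide; the remaining column names are
# assumptions for this example.
SCHEMAS = {
    "Administrative Accounts": ["UserName"],
    "Badges to Accounts": ["BadgeID", "ComputerAccount", "EmployeeType"],
    "DMZ Assets": ["IPAddress", "AssetType"],
    "Important Emails": ["Email", "UserName"],
    "Insecure Ports": ["Port"],
    "Insecure Processes": ["ProcessName"],
}

DMZ_ASSET_TYPES = {"dns", "web", "smtp"}  # the three types supported by default


def _check_row(list_name, row):
    """Return a list of problems with one normalized row (empty when it is fine)."""
    problems = []
    if list_name == "DMZ Assets":
        try:
            ipaddress.ip_address(row["IPAddress"])
        except ValueError:
            problems.append(f"invalid IP address {row['IPAddress']!r}")
        if row["AssetType"] not in DMZ_ASSET_TYPES:
            problems.append(f"unsupported asset type {row['AssetType']!r}")
    elif list_name == "Insecure Ports":
        if not row["Port"].isdigit() or not 0 <= int(row["Port"]) <= 65535:
            problems.append(f"invalid port {row['Port']!r}")
    elif list_name == "Badges to Accounts":
        if not row["BadgeID"] or not row["ComputerAccount"]:
            problems.append("badge id and computer account are required")
    elif list_name == "Important Emails":
        if "@" not in row["Email"]:
            problems.append(f"invalid email {row['Email']!r}")
    return problems


def prepare_active_list_csv(list_name, csv_text):
    """Parse CSV text destined for an active list; return (clean_rows, errors).

    Every non-blank line must have exactly as many fields as the list has
    columns (the Import CSV File step requires this), and text fields are
    trimmed and lowercased as the active list table asks.
    """
    columns = SCHEMAS[list_name]
    clean_rows, errors = [], []
    for lineno, fields in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not fields or all(not f.strip() for f in fields):
            continue  # skip blank lines instead of importing an empty entry
        if len(fields) != len(columns):
            errors.append(f"line {lineno}: expected {len(columns)} fields, got {len(fields)}")
            continue
        row = {name: value.strip().lower() for name, value in zip(columns, fields)}
        problems = _check_row(list_name, row)
        if problems:
            errors.append(f"line {lineno}: " + "; ".join(problems))
        else:
            clean_rows.append(row)
    return clean_rows, errors


def to_csv(rows, columns):
    """Serialize normalized rows back to CSV text in the list's column order."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([row[c] for c in columns])
    return buf.getvalue()


# Constructed sample input (not from the guide): two good lines, a typo in the
# asset type, a line with too few fields, and an invalid IP address.
SAMPLE_DMZ_CSV = """192.0.2.10,WEB
192.0.2.53,dns
192.0.2.25,SMPT
192.0.2.80
300.1.1.1,web
"""

if __name__ == "__main__":
    rows, errors = prepare_active_list_csv("DMZ Assets", SAMPLE_DMZ_CSV)
    print(to_csv(rows, SCHEMAS["DMZ Assets"]), end="")
    for err in errors:
        print("REJECTED:", err)
```

Run the script against the CSV you intend to import and write the cleaned output to a new file; the rejected lines are reported with their line number so they can be corrected rather than silently appended to the list.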

Configure My Filters
Configure the following common filters stored in the My Filters group to reflect your
organization:
• "After Hours Filter" on the next page
• "Limit Regulation Filter" on the next page




After Hours Filter


The After Hours filter defines the time period which is considered to be after business hours.
The default after-hours time period is set to 8:00 p.m. to 6:00 a.m. on weekdays, and all day
Saturday and Sunday.
The filter uses two variables:
• DayOfWeek
• HourOfDay
You can change this filter to match what is considered to be after hours for your organization.

Tip: The DayOfWeek variable returns an integer value that is displayed on the ArcSight Console as
a string value of the current day: Saturday, Sunday, Monday, Tuesday, Wednesday, Thursday, or
Friday. Since the DayOfWeek variable is an integer, you can specify a range of days such as
(DayOfWeek >= Monday AND DayOfWeek <= Friday).
The HourOfDay variable returns a numerical value for the current hour in 24-hour format, ranging
from 12 AM = 0 to 11 PM = 23.
For example, to redefine after business hours as 6:00 PM to 8:00 AM on all weekdays and
all of Saturday and Sunday, use the filter shown in the following figure.
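The default window (8:00 p.m. to 6:00 a.m.) crosses midnight, so a single "start <= HourOfDay < end" condition would match nothing; the weekday part has to be written as HourOfDay >= 20 OR HourOfDay < 6. The following added example (not code from the guide or from ArcSight; the DayOfWeek numbering it uses is Python's, which is an assumption here) evaluates that logic against constructed timestamps, both with the shipped window and with the 6:00 PM to 8:00 AM customization, so the edge cases at the window boundaries can be checked before the Console filter is edited.

```python
from datetime import datetime

# Day numbering: the Console shows DayOfWeek as a day name but stores an integer,
# so a weekday range is Monday <= DayOfWeek <= Friday. The order below is
# Python's weekday() order, assumed for this example only.
MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY = range(7)


def is_after_hours(ts, start_hour=20, end_hour=6, weekend=(SATURDAY, SUNDAY)):
    """Return True when ts falls in the after-hours window.

    Defaults reproduce the shipped filter: 8:00 p.m. to 6:00 a.m. on weekdays
    (HourOfDay >= 20 OR HourOfDay < 6) and all day Saturday and Sunday.
    A window whose start is later than its end wraps past midnight, which is
    the usual case and the one a single start <= hour < end test gets wrong.
    """
    day_of_week = ts.weekday()   # the DayOfWeek variable
    hour_of_day = ts.hour        # the HourOfDay variable, 0..23
    if day_of_week in weekend:
        return True
    if start_hour > end_hour:    # window crosses midnight
        return hour_of_day >= start_hour or hour_of_day < end_hour
    return start_hour <= hour_of_day < end_hour


def count_after_hours(events, **window):
    """Count (timestamp, user) events that fall inside the after-hours window."""
    return sum(1 for ts, _user in events if is_after_hours(ts, **window))


# Constructed sample events (timestamp, user); not data from the guide.
SAMPLE_EVENTS = [
    (datetime(2021, 11, 3, 21, 15), "alice"),  # Wednesday 9:15 p.m.
    (datetime(2021, 11, 3, 10, 0), "bob"),     # Wednesday 10:00 a.m.
    (datetime(2021, 11, 4, 5, 59), "carol"),   # Thursday 5:59 a.m.
    (datetime(2021, 11, 4, 6, 0), "dave"),     # Thursday 6:00 a.m. (boundary)
    (datetime(2021, 11, 6, 12, 30), "erin"),   # Saturday noon
    (datetime(2021, 11, 3, 19, 0), "frank"),   # Wednesday 7:00 p.m.
]

if __name__ == "__main__":
    print("default window (8 p.m. to 6 a.m.):", count_after_hours(SAMPLE_EVENTS))
    print("custom window (6 p.m. to 8 a.m.): ",
          count_after_hours(SAMPLE_EVENTS, start_hour=18, end_hour=8))
```

With the default window three of the six sample events are after hours; widening it to 6:00 PM to 8:00 AM pulls in the 6:00 a.m. and 7:00 p.m. events as well.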

Limit Regulation Filter


The Limit Regulation filter limits event processing to only those events addressed by the GDPR
regulation. Customize it to reflect your environment.
For example, you could configure it to specify the following conditions:
• The source machine is an asset under the GDPR group
• The source machine’s zone is categorized as GDPR
• The destination machine is an asset categorized as GDPR
• The destination machine is an asset under the GDPR group
• The destination machine’s zone is categorized as GDPR
• The device machine is an asset categorized as GDPR
• The device machine is an asset under the GDPR group
• The device machine’s zone is categorized as GDPR
By default, the CIP for GDPR processes all incoming events.

Deploy the CIP for GDPR Rules


In order for the CIP for GDPR to process GDPR-related events, the solution rules have to be
enabled. By default, CIP for GDPR rules are disabled.

To enable a rule:
1. In the Navigator panel, go to Rules and navigate to the Real-time Rules/GDPR group.
2. Navigate to the rule you want to enable.
3. Right-click the rule and select Enable Rule. To select multiple rules, press the Ctrl key and
click each rule. To select a range of rules, press the Ctrl and Shift keys and click the first and
last rule in the range.
For more information about working with rules, see the Rules Authoring topic in the ArcSight
Console User's Guide.

Enable Data Monitors


All of the CIP's data monitors for GDPR must be enabled to display data in the dashboards that
use them.

To enable the data monitors:


1. In the Navigator panel, go to Dashboards and click the Data Monitors tab.
2. Navigate to the /All Data Monitors/ArcSight Solutions/GDPR group.
3. Right-click the CIP group and select Enable Data Monitor to enable all the data monitors in
the group.

Configure Additional Resources


Additional configuration may be required or desired for the individual resources provided to
address specific GDPR requirements. For more information, see "Appendix A: CIP for GDPR
Resource Reference" on page 103.

Build FlexConnector(s) for Physical Access Devices


The Compliance Insight Package for GDPR contains resources that make use of feeds from
physical access systems, such as badge readers. This process is only required if you want to
activate the CIP for GDPR content that leverages feeds from physical access systems. If you do
not complete this process, the content that leverages feeds from physical access systems will
remain dormant.
To enable these scenarios, develop a FlexConnector according to the instructions in the
ArcSight FlexConnector Developer's Guide with the following field mappings to map the key
event data into the ArcSight event schema:
Field Mappings
ArcSight Field        Physical Access System Value
deviceEventClassId    Unique value for the event type, used for categorization
deviceReceiptTime     Access time
destinationUserId     User's badge ID
deviceCustomString1   Location accessed / building

Use the following event categories for the following event types:
Event Categories
Event type: Successful building access
    Object /Location; Behavior /Authentication/Verify; Technique (blank); Device Group
    /Physical Access System; Outcome /Success; Significance /Normal
Event type: Building access rejected
    Object /Location; Behavior /Authentication/Verify; Technique (blank); Device Group
    /Physical Access System; Outcome /Failure; Significance /Informational/Warning
Event type: Badge-out (someone is leaving a building) [not all badge reader systems support this]
    Object /Location; Behavior /Access/Stop; Technique (blank); Device Group
    /Physical Access System; Outcome /Success; Significance /Normal
Event type: Account created/deleted/modified [Success assumed; in case of a failure, the
Outcome needs to reflect that and the significance is /Informational/Error]
    Object /Actor/User; Behavior /Authentication/[Add|Delete|Modify]; Technique (blank);
    Device Group /Physical Access System; Outcome /Success; Significance /Informational
Event type: Giving someone access to another room/building [Success assumed; in case of a
failure, the Outcome needs to reflect that and the significance is /Informational/Error]
    Object /Actor/User; Behavior /Authorization/Modify; Technique (blank); Device Group
    /Physical Access System; Outcome /Success; Significance /Informational
Event type: Granting access to a room/building for an entire group of users
    Object /Actor/Group; Behavior /Authorization/Modify; Technique (blank); Device Group
    /Physical Access System; Outcome /Success; Significance /Informational

Build FlexConnector(s) for Physical Access Devices Page 26 of 91
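As an added illustration (not part of the ArcSight guide or the CIP package), the block below shows how the Field Mappings and Event Categories above could be expressed for a regex FlexConnector reading a hypothetical comma-separated badge-reader export. The log line format, the event type names, the file names and the vendor/product strings are all assumptions; the two files are shown in one block, and the lines beginning with # are explanatory only (the map file itself should contain just the header and data rows). It goes one step beyond the table by adding a failed account-modification row with the outcome and significance the table prescribes for failures.

```properties
# Added example, not the CIP package's own connector. Constructed input line:
#   2021-11-03 08:15:42,ACCESS_GRANTED,B-10482,HQ Building A / Lobby
# (access time, event type, badge ID, location accessed)
#
# ---- file: badgereader.properties (regex parser) ----
regex=(\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}),([A-Z_]+),([^,]+),(.*)

token.count=4
token[0].name=AccessTime
token[0].type=TimeStamp
token[0].format=yyyy-MM-dd HH:mm:ss
token[1].name=EventType
token[1].type=String
token[2].name=BadgeId
token[2].type=String
token[3].name=Location
token[3].type=String

# Field mappings from the Field Mappings table
event.deviceReceiptTime=AccessTime
event.deviceEventClassId=EventType
event.destinationUserId=BadgeId
event.deviceCustomString1=Location
event.deviceCustomString1Label=__stringConstant("Location Accessed")
# Vendor and product identify the feed; both values are placeholders
event.deviceVendor=__stringConstant("ExampleVendor")
event.deviceProduct=__stringConstant("BadgeReader")

# ---- file: badgereader.map.0.properties (category map, CSV) ----
# The first column selects the row by deviceEventClassId; the set.* columns
# fill the category fields from the Event Categories table. Technique is left
# unset, as in the table. Event type names are assumed.
event.deviceEventClassId,set.event.name,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryDeviceGroup,set.event.categoryOutcome,set.event.categorySignificance
ACCESS_GRANTED,Successful building access,/Location,/Authentication/Verify,/Physical Access System,/Success,/Normal
ACCESS_DENIED,Building access rejected,/Location,/Authentication/Verify,/Physical Access System,/Failure,/Informational/Warning
BADGE_OUT,Badge-out,/Location,/Access/Stop,/Physical Access System,/Success,/Normal
ACCOUNT_CREATED,Account created,/Actor/User,/Authentication/Add,/Physical Access System,/Success,/Informational
ACCOUNT_DELETED,Account deleted,/Actor/User,/Authentication/Delete,/Physical Access System,/Success,/Informational
ACCOUNT_MODIFIED,Account modified,/Actor/User,/Authentication/Modify,/Physical Access System,/Success,/Informational
ACCOUNT_MODIFY_FAILED,Account modification failed,/Actor/User,/Authentication/Modify,/Physical Access System,/Failure,/Informational/Error
ACCESS_GRANTED_USER,Access to room/building granted to user,/Actor/User,/Authorization/Modify,/Physical Access System,/Success,/Informational
ACCESS_GRANTED_GROUP,Access to room/building granted to group,/Actor/Group,/Authorization/Modify,/Physical Access System,/Success,/Informational
```

Verify with a few captured lines that deviceReceiptTime, destinationUserId and the category fields are populated as expected before enabling the physical access rules, since the Badges to Accounts active list is keyed on the badge ID the parser places in destinationUserId.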


Chapter 3: CIP for GDPR Use Cases
The Compliance Insight Package for GDPR contains different use case resources. A use case
resource provides a way to group and view a set of resources that help you to measure and
report on compliance with the GDPR regulation.

To view the resources associated with a use case resource:

1. In the Navigator panel, select the Use Cases tab.
2. Browse for the use case resource (such as ArcSight Solutions/GDPR/Data Flow between GDPR Systems and non EU Countries).
3. Right-click the use case resource and select the Open Use Case option.

The resources that make up a use case resource are displayed as shown in Figure 4-1. The use case resource tables listed below contain all the resources that have been explicitly assigned to the use case.

General Use Cases

Each entry below gives the use case resource, its description, the supported devices and any special configuration it requires.

Account Lockouts
  Description: This use case monitors account lockout events. Relevant to the following GDPR Articles 24, 25, 28, 32 and Recital 49.
  Supported Devices: Operating Systems
  Special Configuration: Edit the Account Lockouts filter to add conditions for lockout events from other devices in your environment. By default, the Account Lockouts filter identifies account lockouts on Microsoft Windows and UNIX systems. Verify that the Account Lockouts filter detects events in your environment that match the expected behaviour.

Assets not Scanned for Longer than Policy Standard
  Description: This use case provides resources to monitor assets not scanned for longer than the organization policy standard. The organization policy standard time limit is defined by the TTL in the active list of this use case (default 60 days). Relevant to GDPR Articles 32, 35, 83 and Recitals 76, 77, 78, 83.
  Supported Devices: Vulnerability Assessments
  Special Configuration: When a vulnerability scan event is detected on a specific asset, the asset is placed on the "Vulnerability Scanned Assets" active list. An entry expiring from this active list indicates that there was no vulnerability scan for this asset for longer than allowed by policy (as indicated by the TTL of the active list). In that case, the rule for a vulnerability scan not conducted for longer than the policy standard will detect the event. If a vulnerability scan on a specific asset is conducted within the time defined by the policy, a rule will detect this event and update the entry on the active list so it will not expire. This use case requires the following configuration for your environment: In the "Vulnerability Scanned Assets" active list, edit the TTL to reflect the maximum amount of time allowed to conduct a vulnerability scan. Enable the following rules: 1. Vulnerability Scans; 2. Asset not Scanned for Longer than Policy Standard.

Attacks and Suspicious Activity
  Description: This use case provides information about events that are identified as attacks or suspicious activity based on ArcSight categorization. Relevant to GDPR Articles 30, 32 and Recital 49.
  Supported Devices: Intrusion Detection Systems, Intrusion Prevention Systems, Network Based Anomaly Detection, Firewalls, Network Equipment, Content Security, Web Filtering, Antivirus, Wireless, Applications

Audit Log Cleared
  Description: This use case provides information about events that occur when an audit log is cleared or modified manually. Relevant to the following GDPR Articles 5, 25 and Recital 49.
  Supported Devices: Operating Systems
  Special Configuration: By default, the Audit Log Cleared filter returns events indicating that audit logs have been cleared on Microsoft Windows or detected by Symantec HostID systems. Edit this filter to add conditions for additional events known to indicate audit log clearing in your environment.

Audit Log Failures
  Description: This use case provides resources to monitor audit log failures. Relevant to the following GDPR Articles 5, 25 and Recital 49.
  Supported Devices: Operating Systems

Botnet Activity
  Description: This use case provides information about possible botnet activity in the organization. Relevant to GDPR Articles 30, 32 and Recital 49.
  Supported Devices: Proxy
  Special Configuration: 1. Make sure the "DMZ Assets" active list is configured. 2. Make sure the "Possible Botnet Activity" rule is enabled and deployed before using other resources for this use case.

CRM and ERP Flaws
  Description: This use case provides resources for monitoring flaws and vulnerabilities in customer relationship management and enterprise resource planning products. Relevant to GDPR Articles 32, 35, 83 and Recitals 76, 77, 78, 83.
  Supported Devices: Vulnerability Assessments

Clear Text Password Transmission
  Description: This use case provides resources to monitor passwords transmitted in clear text.

Covert Channel Activity
  Description: This use case provides information about covert channel activity. Relevant to GDPR Articles 32, 33, 34 and Recitals 49, 85, 86.
  Supported Devices: Intrusion Detection Systems, Intrusion Prevention Systems

Critical Configuration Changes
  Description: This use case includes resources to monitor critical configuration changes. Relevant to the following GDPR Article 32.
  Supported Devices: Operating System, Database
  Special Configuration: Database assets should be categorized with the category "/All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role/Service/Database". PII assets should be categorized with /All Assets Categories/Compliance Insight Package/Network Domains/Electronic PII.

Data Flow between GDPR Systems and non EU Countries
  Description: This use case includes resources to monitor data flow between GDPR systems and non EU countries. Relevant to the following GDPR Articles 30, 46, 32, 45, 46, 49 and Recital 82.
  Supported Devices: Proxy, Firewall

Database Flaws
  Description: This use case provides resources for monitoring different database flaws and vulnerabilities. Relevant to GDPR Articles 32, 35, 83 and Recitals 76, 77, 78, 83.
  Supported Devices: Vulnerability Assessments

Directory Traversal Attacks
  Description: This use case identifies and reports on possible kinds of directory traversal attacks. Relevant to GDPR Article 32 and Recital 49.
  Supported Devices: Intrusion Detection Systems, Intrusion Prevention Systems, Web Servers

DoS Activity
  Description: This use case provides an overview of Denial of Service activity in the organization. Relevant to GDPR Article 32 and Recital 49.
  Supported Devices: Network Equipment, Intrusion Detection Systems, Intrusion Prevention Systems, Firewalls, Network Based Anomaly Detection, Content Security, Web Filtering

Email Activity
  Description: This use case provides resources for monitoring email attacks. Relevant to GDPR Article 32 and Recital 49.
  Supported Devices: Email Servers (Microsoft Exchange), Intrusion Detection Systems, Intrusion Prevention Systems
  Special Configuration: Before deploying the "Potential Spear Phishing Attack" rule, make sure to add high-profile email addresses to the "Important Emails" active list. This list stores the email addresses of high-profile targets in the organization, such as C-level executives, who could be targeted by spear phishing attacks. Entries in this list should be in all lower case.

Encrypted Communication Information Leak
  Description: This use case provides resources for monitoring encrypted communication for information leakage in the organization. Relevant to GDPR Articles 32, 33, 34 and Recitals 49, 85, 86.
  Supported Devices: Intrusion Detection Systems, Intrusion Prevention Systems, Network Based Anomaly Detection, Firewalls, Network Equipment, Content Security, Web Filtering, Antivirus, Wireless, Applications

Exploit Executed on Databases
  Description: This use case contains resources for monitoring exploits executed against databases. Relevant to GDPR Article 32 and Recital 49.
  Supported Devices: Intrusion Detection Systems, Intrusion Prevention Systems, Anti-Virus, Content Security
  Special Configuration: Database assets should be categorized with the category "/All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role/Service/Database".

Exploit Executed on PII Assets
  Description: This use case contains resources for monitoring exploits executed against PII assets. Relevant to GDPR Article 32 and Recital 49.
  Supported Devices: Intrusion Detection Systems, Intrusion Prevention Systems, Anti-Virus, Content Security
  Special Configuration: PII assets should be categorized with /All Assets Categories/Compliance Insight Package/Network Domains/Electronic PII.

Failed Anti-Virus Signature Updates
  Description: This use case provides information about failed anti-virus signature updates in the organization. Relevant to GDPR Article 32 and Recital 49.
  Supported Devices: Anti-Virus

Failed Login Overview
  Description: This use case contains resources to monitor failed login activity across the organization. Relevant to the following GDPR Articles 24, 25, 28, 32 and Recital 49.
  Supported Devices: Operating Systems

Firewall Blocked Events
  Description: This use case provides resources for monitoring firewall blocked events. Relevant to the following GDPR Article 32 and Recital 49.
  Supported Devices: Firewall

Format String Vulnerabilities
  Description: This use case provides information about format string vulnerabilities in the organization. Relevant to GDPR Articles 32, 35, 83 and Recitals 76, 77, 78, 83.
  Supported Devices: Vulnerability Assessments

Frequent Unsuccessful Logins by User Name
  Description: This use case contains resources for monitoring frequent unsuccessful logins by user name. Relevant to the following GDPR Articles 24, 25, 28, 32 and Recital 49.
  Supported Devices: Operating Systems

Frequent Unsuccessful Logins from Attacker Host
  Description: This use case contains resources for monitoring frequent unsuccessful logins from an attacker host. Relevant to the following GDPR Articles 24, 25, 28, 32 and Recital 49.
  Supported Devices: Operating Systems

Frequent Unsuccessful Logins from non EU Countries to PII Asset
  Description: This use case contains resources for monitoring frequent unsuccessful user logins from non EU countries to PII assets. Relevant to the following GDPR Articles 24, 25, 28, 32 and Recital 49.
  Supported Devices: Operating Systems
  Special Configuration: PII assets should be categorized with /All Assets Categories/Compliance Insight Package/Network Domains/Electronic PII.

Frequent Unsuccessful Logins to Target Host
  Description: This use case contains resources for monitoring frequent unsuccessful logins to a target host. Relevant to the following GDPR Articles 24, 25, 28, 32 and Recital 49.
  Supported Devices: Operating Systems

High Risk Events
  Description: This use case includes resources for monitoring high risk events. Relevant to GDPR Articles 32, 83 and Recital 49.
  Supported Devices: Intrusion Detection Systems, Intrusion Prevention Systems, Databases, Operating Systems, Firewalls, Virtual Private Networks (VPN), Vulnerability Assessments, Identity Management, Policy Management, Network Equipment, Content Security, Web Filtering, Anti-Virus, Physical Security Systems, Wireless, Applications, Network Based Anomaly Detection

High Risk Vulnerabilities
  Description: This use case provides resources for monitoring high risk vulnerabilities in the organization. Relevant to GDPR Articles 32, 35, 83 and Recitals 76, 77, 78, 83.
  Supported Devices: Vulnerability Assessments

Information Disclosure Vulnerabilities
  Description: This use case provides resources for monitoring information disclosure vulnerabilities in the organization. Relevant to GDPR Articles 32, 35, 83 and Recitals 76, 77, 78, 83.
  Supported Devices: Vulnerability Assessments

Information Interception
  Description: This use case identifies and reports on possible kinds of information interception incidents, such as spoofing attempts, man-in-the-middle attacks or instant messaging. Relevant to GDPR Articles 32, 33, 34 and Recitals 49, 85, 86.
  Supported Devices: Intrusion Detection Systems, Intrusion Prevention Systems, Network Based Anomaly Detection

Insecure Cryptographic Storages
  Description: This use case provides resources for monitoring flaws in cryptographic storage devices. Relevant to Article 35.
  Supported Devices: Vulnerability Assessments

Internal Insecure Communications
  Description: This use case provides information about unencrypted, and thus insecure, communications inside the network. Relevant to the following GDPR Article 32 and Recital 49.
  Supported Devices: Firewall, Proxy, Intrusion Detection Systems, Intrusion Prevention Systems
  Special Configuration: 1. In the Insecure Processes active list, add any processes that your organization knows to be insecure. 2. In the Insecure Ports active list, add the ports that your organization knows to be insecure. 3. Verify that the Inbound Events, Outbound Events and Insecure Services filters detect events in your environment that match the expected behavior. 4. Internal assets should be categorized with /All Assets Categories/Compliance Insight Package/Address Spaces/Protected.

Invalid or Expired Certificate
  Description: This use case contains resources for monitoring invalid or expired certificates. Relevant to GDPR Article 32 and Recital 49.
  Supported Devices: Intrusion Detection System, Intrusion Prevention System, Vulnerability Assessments

MITRE ATT&CK Activity on PII Assets
  Description: This use case provides different resources for monitoring MITRE ATT&CK activity on PII assets. Relevant to GDPR Article 32 and Recital 49.
  Supported Devices: Security Information Managers, Operating System, Intrusion Detection System, Intrusion Prevention Systems, Vulnerability Assessments, Network Equipment, Anti-Virus, EDR
  Special Configuration: PII assets should be categorized with /All Assets Categories/Compliance Insight Package/Network Domains/Electronic PII.

MITRE ATT&CK Overview
  Description: This use case provides resources to monitor MITRE ATT&CK reported techniques in the organization.
  Supported Devices: Security Information Managers, Operating System, Intrusion Detection System, Intrusion Prevention Systems, Vulnerability Assessments, Network Equipment, Anti-Virus, EDR

Malware Monitoring
  Description: This use case provides resources for monitoring malware. Relevant to GDPR Articles 32, 33, 34 and Recitals 49, 83.
  Supported Devices: Anti-Virus, Intrusion Detection Systems, Intrusion Prevention Systems

Non EU Login Activity
  Description: This use case provides an overview of login activity from non EU countries. Relevant to the following GDPR Articles 5, 25, 30, 46, 32, 45, 46, 49 and Recitals 49, 82.
  Supported Devices: Operating Systems, Intrusion Detection Systems, Intrusion Prevention Systems

Organizational Information Monitoring
  Description: This use case provides different resources for monitoring organizational information. Relevant to GDPR Articles 32, 33, 34 and Recitals 49, 85, 86.
  Supported Devices: Intrusion Detection Systems, Intrusion Prevention Systems, Network Based Anomaly Detection, Firewalls, Network Equipment, Content Security, Web Filtering, Antivirus, Wireless, Applications

Overflow Vulnerabilities
  Description: This use case provides information about overflow vulnerabilities in the organization. Relevant to GDPR Articles 32, 35, 83 and Recitals 76, 77, 78, 83.
  Supported Devices: Vulnerability Assessments

Password Spray Attacks
  Description: This use case provides resources to monitor password spray attacks. Relevant to the following GDPR Articles 24, 25, 28, 32 and Recital 49.
  Supported Devices: Operating Systems (Windows)

Password and Authentication Weaknesses
  Description: This use case provides resources for monitoring password and authentication weaknesses in the organization. Relevant to GDPR Articles 32, 35, 83 and Recitals 76, 77, 78, 83.
  Supported Devices: Vulnerability Assessments

Password not Changed for Longer than Policy Standard
  Description: This use case provides resources to monitor passwords not changed for longer than the organization policy standard. The organization policy standard time limit is defined by the TTL in the active list of this use case (default 90 days). Relevant to the following GDPR Articles 24, 25, 28, 32 and Recital 49.
  Supported Devices: Operating Systems
  Special Configuration: 1. When a successful password change event is detected, the user name for whom the password was changed and the device that reported the event are placed on the Password Changes active list. An entry expiring from this active list indicates that the user has not changed the password on that device for longer than allowed by policy (as indicated by the TTL of the active list). In that case, the Password not Changed for Longer than Policy Standard rule will detect the event. If the user changes his/her password within the time defined by the policy, a rule will detect this event and update the entry on the active list so it will not expire. The Password Management use case requires the following configuration for your environment. a. In the Password Changes active list, edit the TTL to reflect the maximum amount of time allowed between password changes according to your organization's policy. b. Edit the Password Change Attempts filter to identify all password change attempts from devices on your system. By default, the filter detects only password change attempts on Microsoft Windows. Verify that the Password Change Attempts filter detects events in your environment that match the expected behaviour. c. Enable the following rules: "Password not Changed for Longer than Policy Standard" and "Successful Password Change".

Personal Identifiable Information Monitoring
  Description: This use case provides different resources for monitoring personal identifiable information assets. Relevant to GDPR Articles 32, 33, 34 and Recitals 49, 85, 86.
  Supported Devices: Intrusion Detection Systems, Intrusion Prevention Systems, Network Based Anomaly Detection, Firewalls, Network Equipment, Content Security, Web Filtering, Antivirus, Wireless, Applications

Physical Access
  Description: This use case detects violations on events related to physical security devices such as badge readers. Specifically, it detects after hours building access by contractors. Relevant to the following Articles 24, 32 and Recital 46.
  Supported Devices: Physical Security Systems
  Special Configuration: 1. Before enabling and deploying the "After Hours Building Access by Contractors" rule, populate the Badges to Accounts active list with the badge ID, the primary computer account for the badge holder, and the employee type for users in your organization (in lowercase). Specifically, ensure that contractors are identified with the word "Contractor" (case insensitive) in the employee type field. 2. Modify the After Hours filter to specify the appropriate after-business-hours window for your organization. 3. Before enabling and deploying the "Failed Access by the Same User to Multiple Buildings" rule, make sure the "Failed Building Access" rule is enabled and deployed.

Policy Violations
  Description: This use case provides information about policy violations. Relevant to GDPR Articles 32, 83 and Recital 49.
  Supported Devices: Intrusion Detection Systems, Intrusion Prevention System, Firewalls, Operating Systems, Assessment Tools, Applications, Security Information Managers, Identity Management, Virtual Private Networks (VPN), Policy Management, Wireless

Privileged Account Changes
  Description: This use case monitors changes to privileged accounts.
  Supported Devices: Operating Systems
  Special Configuration: In the Administrative Accounts active list, define the usernames that have administrative privileges in your environment.

Reconnaissance Activities
  Description: This use case provides an overview of recon activity. Relevant to GDPR Articles 30, 32 and Recital 49.
  Supported Devices: Intrusion Detection Systems, Intrusion Prevention System, Network Based Anomaly Detection, Firewalls, Network Equipment, Content Security, Web Filtering, Antivirus, Wireless, Applications

Removal of Access Rights
  Description: This use case provides resources to monitor when an access right of a user is removed. Relevant to GDPR Articles 5, 18, 24, 29, 32 and Recital 39.
  Supported Devices: Operating Systems

SQL Injection Vulnerabilities
  Description: This use case provides resources for monitoring SQL injection vulnerabilities. Relevant to GDPR Articles 32, 35, 83 and Recitals 76, 77, 78, 83.
  Supported Devices: Vulnerability Assessments

SSL and TLS Vulnerabilities
  Description: This use case provides an overview of SSL and TLS vulnerabilities. Relevant to GDPR Articles 32, 35, 83 and Recitals 76, 77, 78, 83.
  Supported Devices: Vulnerability Assessments

Security Application Stopped or Paused
  Description: This use case provides an overview of security applications stopped or paused (it focuses on Anti-Virus products). Relevant to GDPR Article 32 and Recital 49.
  Supported Devices: Operating Systems

Security Patches
  Description: This use case provides information about missing security patches. Relevant to GDPR Articles 32, 35, 83 and Recitals 76, 77, 78, 83.
  Supported Devices: Vulnerability Assessments

Shell Code Attacks
  Description: This use case provides resources to detect shell code attacks. Relevant to GDPR Article 32 and Recital 49.
  Supported Devices: Intrusion Detection Systems, Intrusion Prevention Systems

Successful Login Overview
  Description: This use case contains resources to monitor successful login activity across the organization. Relevant to the following GDPR Articles 24, 25, 28, 32 and Recital 49.
  Supported Devices: Operating Systems

Threats Geo Overview
  Description: This use case provides a geographical view of events identified as threats against the organization. Relevant to GDPR Articles 30, 32 and Recital 49.
  Supported Devices: Intrusion Detection Systems, Intrusion Prevention Systems, Network Based Anomaly Detection, Firewalls, Network Equipment, Content Security, Web Filtering, Antivirus, Wireless, Applications, Security Information Managers

Threats from non EU Countries
  Description: This use case contains resources for monitoring threats from non EU countries. Relevant to GDPR Articles 32, 35, 83 and Recitals 76, 77, 78, 83.
  Supported Devices: Intrusion Detection Systems, Intrusion Prevention Systems, Network Based Anomaly Detection, Firewalls, Network Equipment, Content Security, Web Filtering, Antivirus, Wireless, Applications, Security Information Managers

User Logged In From Two Countries
  Description: This use case shows login attempts with the same user name from two different countries. Relevant to the following GDPR Articles 24, 25, 28, 32 and Recital 49.
  Supported Devices: Operating Systems

User Logged in from different IP Addresses
  Description: This use case provides resources for monitoring single user names that have been used to log in from different IP addresses in a short period of time. Relevant to the following GDPR Articles 24, 25, 28, 32 and Recital 49.
  Supported Devices: Operating Systems

User Logged in from non EU Countries to PII Asset
  Description: This use case shows logins from non EU countries to PII assets. Relevant to the following GDPR Articles 24, 25, 28, 32 and Recital 49.
  Supported Devices: Operating Systems
  Special Configuration: PII assets should be categorized with /All Assets Categories/Compliance Insight Package/Network Domains/Electronic PII.

User Logged in to different Host Names
  Description: This use case provides resources for monitoring single user names that have been used to log in to different host names in a short period of time. Relevant to the following GDPR Articles 24, 25, 28, 32 and Recital 49.
  Supported Devices: Operating Systems

Wordpress GDPR Plugin Exploits and Vulnerabilities
  Description: This use case monitors both exploits and vulnerabilities targeting the WordPress GDPR Plugin. Relevant to GDPR Articles 32, 35, 83 and Recitals 49, 76, 77, 78, 83.
  Supported Devices: Vulnerability Assessments, Intrusion Detection Systems, Intrusion Prevention Systems

Worm Activity
  Description: This use case provides an overview of worm activity in the organization. Relevant to GDPR Articles 32, 35, 83 and Recitals 76, 77, 78, 83.
  Supported Devices: Antivirus, Intrusion Detection Systems, Intrusion Prevention Systems, Network Based Anomaly Detection, Firewalls, Content Security, Web Filtering

XSRF Vulnerabilities
  Description: This use case provides an overview of XSRF vulnerabilities in the organization. Relevant to GDPR Articles 32, 35, 83 and Recitals 76, 77, 78, 83.
  Supported Devices: Vulnerability Assessments

XSS Vulnerabilities
  Description: This use case provides an overview of XSS vulnerabilities in the organization. Relevant to GDPR Articles 32, 35, 83 and Recitals 76, 77, 78, 83.
  Supported Devices: Vulnerability Assessments

Appendix A: GDPR Resource Reference
Resource Type URI Description

Removal of ActiveChannel /All Active Channels/ArcSight Shows a live feed of events reflecting the
Access Rights Solutions/GDPR/GDPR removal of a user's access privileges.
Access Activity/Access
Activity/

Data Flow from ActiveChannel /All Active Channels/ArcSight Shows a live feed of reported events
GDPR Systems to Solutions/GDPR/GDPR reflecting data flow from GDPR Systems to
non EU Countries Regulatory non EU Countries.
Exposure/Composite
Regulatory Exposure/

Data Flow from ActiveChannel /All Active Channels/ArcSight Shows a live feed of reported events
non EU Countries Solutions/GDPR/GDPR reflecting data flow fro non EU Countries to
to GDPR Systems Regulatory GDPR Systems.
Exposure/Composite
Regulatory Exposure/

Personal ActiveChannel /All Active Channels/ArcSight Shows a live feed of events of personal
Information Leak Solutions/GDPR/GDPR information leaks.
Threat Analysis/Internet
Threat Analysis/

Vulnerability ActiveList /All Active Lists/ArcSight This active list stores all the assets that
Scanned Assets Solutions/GDPR/ scanned by vulnerability scanners on the last x
days. The default is 60 days.

Do not manually update this active list.

Password ActiveList /All Active Lists/ArcSight This active is updated with the user and
Changes Solutions/GDPR/ product information when a successful
password change occurs.

Missing Security ActiveList /All Active Lists/ArcSight This active list stores all the missing security
Patches Solutions/GDPR/ patches reported on the environment. By
default, the active list TTL is set to zero which
means it will hold all of the unfixed security
patches indefinitely.

Note: User can manually remove the fixed


issues or set a custom reasonable TTL so that
the removal is done automated.

Insecure ActiveList /All Active Lists/ArcSight This active list includes the names of
Processes Solutions/GDPR/ processes that provide unencrypted and thus
insecure communications.

Appendix A: GDPR Resource Reference Page 46 of 91


Solutions Guide

Resource Type URI Description

Insecure Ports ActiveList /All Active Lists/ArcSight This active list includes ports related to
Solutions/GDPR/ unencrypted and thus insecure
communication services.

DMZ Assets ActiveList /All Active Lists/ArcSight This List should contain DMZ assets of the
Solutions/GDPR/ organization like DNS, WEB, SMTP servers.

It contains 2 fields: IPAddress and AssetType


where the IPAddress is the IP Address of the
asset and the AssetType is the type of the
asset in lower case (by default supported 3
types dns, web, smtp).

For example, if your web server IP is x.y.z.w


you should add it as

IPAddress=x.y.z.w, AssetType=web.

Compliance Risk ActiveList /All Active Lists/ArcSight This active list maintains the compliance risk
Score Solutions/GDPR/ score for each regulation section. The
compliance risk score is calculated based on
the triggered rules in the solution package.
You can manually change the score as
required. This change will be reflected in the
Compliance Risk Score dashboard.

Badges to ActiveList /All Active Lists/ArcSight This list contains the computer account and
Accounts Solutions/GDPR/ employee type for every physical device
badge.

Populate this active list with the badge ID,


primary computer

account for the badgeholder (in case its a


visitor use the vistor user name), and the
employee type for users in your organization
(in lowercase). Specifically, ensure that
contractors and visitors are identified with the
word “Contractor†, "Visitor" (case
insensitive) in the employee type field.

Appendix A: GDPR Resource Reference Page 47 of 91


Solutions Guide

Resource Type URI Description

Administrative ActiveList /All Active Lists/ArcSight This active list should be populated with the
Accounts Solutions/GDPR/ usernames that have administrative privileges
in your domain. Admins (those responsible
for managing administrative users) populate
this list manually whenever a new
administrative user is added. Entries to this
list are read by reports supplied in the content
pack, but the list can also be added to or
referenced in new content built around the
provided infrastructure.

This active list should be populated with the


usernames that have administrative privileges
in your domain. Entries in this list should be in
all lower case.

For example, the user Administrator should


be added as "administrator".

Important Emails ActiveList /All Active Lists/ArcSight This list stores important emails addresses of
Solutions/GDPR/ high-profile targets on the organization like C-
level executives which could be targeted by
spear phishing attacks.

entries in this list should be in all lower case.

Physical Access Dashboard /All Dashboards/ArcSight Displays information around physical access.
Activity Solutions/GDPR/GDPR
Access Activity/Access
Activity/
In order for this dashboard component to
allow contractor access after hours to
populate data, please make sure the following
rule : "After Hours Building Access by
Contractors" is enabled and deployed.

Coordinated Dashboard /All Dashboards/ArcSight This Dashboard provides overview of possible


Failed Logins Solutions/GDPR/GDPR coordinated failed login events reported on
Access Activity/Access the organization.
Activity/

Failed Login Dashboard /All Dashboards/ArcSight This dashboard provides overview of failed
Activity Solutions/GDPR/GDPR login activity.
Access Activity/Access
Activity/

Appendix A: GDPR Resource Reference Page 48 of 91


Solutions Guide

Resource Type URI Description

Non EU Login Activity (Dashboard)
    URI: /All Dashboards/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/
    This dashboard provides an overview of successful login activity from non EU countries.

Successful Login Activity (Dashboard)
    URI: /All Dashboards/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/
    This dashboard provides an overview of successful login activity.

DoS Activity (Dashboard)
    URI: /All Dashboards/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/
    This dashboard provides an overview of events associated with denial of service and availability attacks.

Data Flow between GDPR Systems and non EU Countries (Dashboard)
    URI: /All Dashboards/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/
    This dashboard displays data flow between GDPR systems and non EU countries.

Data Flow from GDPR Systems to non EU Countries (Dashboard)
    URI: /All Dashboards/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/
    This dashboard displays data flow from GDPR systems to non EU countries.

Data Flow from non EU Countries to GDPR Systems (Dashboard)
    URI: /All Dashboards/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/
    This dashboard displays data flow from non EU countries to GDPR systems.

High Risk Events (Dashboard)
    URI: /All Dashboards/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/
    This dashboard provides a real-time overview of high risk events reported on the organization.

Policy Violations (Dashboard)
    URI: /All Dashboards/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/
    Displays information about policy violations and violators.

Threats Overview (Dashboard)
    URI: /All Dashboards/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/
    This dashboard provides an overview of threats reported on the organization.


Worm Activity (Dashboard)
    URI: /All Dashboards/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    This dashboard provides an overview of worm activity on the organization.

Personal Information Leakage (Dashboard)
    URI: /All Dashboards/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    This dashboard provides an overview of personal information leakage events.

Recon Activity (Dashboard)
    URI: /All Dashboards/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    This dashboard provides an overview of reconnaissance activity reported on the organization.

MITRE ATT&CK Overview (Dashboard)
    URI: /All Dashboards/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    This dashboard provides an overview of MITRE ATT&CK related events reported on the organization.

Attacks and Suspicious Activity (Dashboard)
    URI: /All Dashboards/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    This dashboard provides an overview of attack and suspicious activity events reported on the organization, based on ArcSight categorization.

Compliance Risk Score Overview (Dashboard)
    URI: /All Dashboards/ArcSight Solutions/GDPR/Overview/
    This dashboard displays information about the compliance risk score for each GDPR article.
    Note: To override the risk score status of a specific article, right-click the article and choose the Override Status option.
    Before using this dashboard, make sure the following rules are enabled and deployed:
    All Rules/ArcSight Solutions/GDPR/Overview/Compliance Score Update
    All Rules/ArcSight Solutions/GDPR/Overview/Manual Status Change

GDPR Rules Overview (Dashboard)
    URI: /All Dashboards/ArcSight Solutions/GDPR/Overview/
    This dashboard shows high-level information about GDPR rule firings.


Coordinated Failed Logins Target IPs - Event Graph (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Coordinated Failed Logins/
    This data monitor shows coordinated failed logins between attacker IPs, attacker countries, and target IPs as they appear in failed login events.

Coordinated Failed Logins Target Users - Event Graph (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Coordinated Failed Logins/
    This data monitor shows coordinated failed logins between attacker IPs, attacker countries, and target users as they appear in failed login events.

GeoView - Failed Logins (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Coordinated Failed Logins/
    This data monitor shows failed login events on a map.

Last 10 Failed Logins (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Coordinated Failed Logins/
    This data monitor displays the last 10 failed login events.

Frequent Failed Login per 10 Minutes (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Failed Login Activity/
    Shows a moving average of frequent failed login events. It displays data for the last 10 minutes and generates a correlation event if the moving average increases by 300%.

Failed Login per 10 Minutes (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Failed Login Activity/
    Shows a moving average of failed login events. It displays data for the last 10 minutes and generates a correlation event if the moving average increases by 300%.

Failed Login - Top Attacker IPs (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Failed Login Activity/
    Shows the top 10 attacker addresses involved in failed login activity.

Failed Login - Top Target IPs (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Failed Login Activity/
    Shows the top 10 target addresses involved in failed login activity.


Failed Login - Top Users (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Failed Login Activity/
    Shows the top 10 users involved in failed login activity.

GeoView - Non EU Login Activity (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Non EU Login Activity/
    This data monitor shows login activity from non EU countries on a map.

Non EU Login Activity - Top Attacker IPs (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Non EU Login Activity/
    Shows the top 10 attacker addresses involved in successful login activity from non EU countries.

Non EU Login Activity - Top Target IPs (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Non EU Login Activity/
    Shows the top 10 target addresses involved in successful login activity from non EU countries.

Non EU Login Activity - Top Users (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Non EU Login Activity/
    Shows the top 10 users involved in successful login activity from non EU countries.

Building Access - Event Graph (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Physical Access Activity/
    Shows the hour of day at which users access buildings.

Last 10 Building Access Events (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Physical Access Activity/
    Shows the last 10 physical access events.

Top Users Accessing Buildings (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Physical Access Activity/
    Shows the top 10 users accessing buildings.


Contractor Access After Hours (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Physical Access Activity/
    Shows the top contractor accesses after hours.

Successful Login Activity - Login per 10 Minutes (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Succesful Login Activity/
    Shows a moving average of successful login events. It displays data for the last 10 minutes and generates a correlation event if the moving average increases by 300%.

Successful Login Activity - Top Attacker IPs (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Succesful Login Activity/
    Shows the top 10 attacker addresses involved in successful login activity.

Successful Login Activity - Top Target IPs (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Succesful Login Activity/
    Shows the top 10 target addresses involved in successful login activity.

Successful Login Activity - Top Users (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Succesful Login Activity/
    Shows the top 10 users involved in successful login activity.

Suspicious Logins per 10 Minutes (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/Succesful Login Activity/
    Shows a moving average of suspicious login events. It displays data for the last 10 minutes and generates a correlation event if the moving average increases by 300%.

Top 10 DoS Targets (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/
    This data monitor shows the top 10 DoS targets.

Top 10 DoS Attackers (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/
    This data monitor shows the top 10 DoS attackers.


DoS Attacks Event Ports - Event Graph (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/
    This data monitor shows connections between attacker and target machines and ports as they appear in denial of service attack events.

DoS Attacks Event Countries - Event Graph (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/
    This data monitor shows connections between attacker and target countries, machines, and ports as they appear in denial of service attack events.

GeoView - Data Flow from GDPR Systems to non EU Countries (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/Data Flow from and to GDPR Systems/
    This data monitor shows data flow from GDPR systems to non EU countries on a map.

Data Flow from non EU Countries to GDPR Systems - Top non EU Countries (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/Data Flow from and to GDPR Systems/
    Shows the top 10 non EU source countries involved in data flow to GDPR systems.

Data Flow from GDPR Systems to non EU Countries - Top non EU Countries (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/Data Flow from and to GDPR Systems/
    Shows the top 10 non EU target countries involved in data flow from GDPR systems.

GeoView - Data Flow from non EU Countries to GDPR Systems (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/Data Flow from and to GDPR Systems/
    This data monitor shows data flow from non EU countries to GDPR systems.

Last 10 Events (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/Data Flow from GDPR Systems to non EU Countries/
    This data monitor displays the last 10 data flow events from GDPR systems to non EU countries.


Data Flow from GDPR Systems to non EU Countries per 10 Minutes (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/Data Flow from GDPR Systems to non EU Countries/
    Shows a moving average of data flow events from GDPR systems to non EU countries. It displays data for the last hour and generates a correlation event if the moving average increases by 500%.

Top Target IPs (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/Data Flow from GDPR Systems to non EU Countries/
    Shows the top 10 target addresses involved in data flow from GDPR systems to non EU countries.

Top Source IPs (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/Data Flow from GDPR Systems to non EU Countries/
    Shows the top 10 source addresses involved in data flow from GDPR systems to non EU countries.

Data Flow from non EU Countries to GDPR Systems per 10 Minutes (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/Data Flow from non EU Countries to GDPR Systems/
    Shows a moving average of data flow events from non EU countries to GDPR systems. It displays data for the last hour and generates a correlation event if the moving average increases by 500%.

Last 10 Events (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/Data Flow from non EU Countries to GDPR Systems/
    This data monitor displays the last 10 data flow events from non EU countries to GDPR systems.

Top Source IPs (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/Data Flow from non EU Countries to GDPR Systems/
    Shows the top 10 source addresses involved in data flow from non EU countries to GDPR systems.


Top Target IPs (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/Data Flow from non EU Countries to GDPR Systems/
    Shows the top 10 target addresses involved in data flow from non EU countries to GDPR systems.

Top 10 Attackers with High Risk Events (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/High Risk Events/
    This data monitor shows the top 10 attackers involved in high risk events.

GeoView - High Risk Events (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/High Risk Events/
    This data monitor shows reported high risk events on a map.

High Risk Events per 10 Minutes (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/High Risk Events/
    Shows a moving average of high risk events. It displays data for the last 10 minutes and generates a correlation event if the moving average increases by 300%.

Last 10 High Risk Events (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/High Risk Events/
    This data monitor displays, in real time, the last 10 high risk events.

Top 10 Targets with High Risk Events (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/High Risk Events/
    Provides an ordered list of the top 10 hosts with high priority events.

Top 10 Policy Violators (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/Policy Violations/
    Shows the top 10 policy violators.


Top 10 Policy Violations (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/Policy Violations/
    Shows the top 10 policy violation events.

GeoView - DoS Activity (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/Threats/
    This data monitor shows a geographic view of DoS activity.

GeoView - MITRE ATT&CK Activity (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/Threats/
    This data monitor shows a geographic view of MITRE ATT&CK activity.

GeoView - Reconnaissance Activity (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/Threats/
    This data monitor shows a geographic view of reconnaissance activity.

Last 10 Threats (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/Threats/
    This data monitor displays the last 10 events that indicate compromise, reconnaissance, hostile or suspicious activity, or MITRE ATT&CK attacks.

Worm Propagation - Event Graph (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    This data monitor shows connections between attacker and target machines as they appear in worm events.

Personal Information Leakage per 10 Minutes (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    Shows a moving average of personal information leakage events. It displays data for the last 10 minutes and generates a correlation event if the moving average increases by 300%.


Personal Information Leakage - Top Users by Agent Severity Distribution (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    Shows the top 10 users involved in personal information leakage activity, by agent severity distribution.

Personal Information Leakage - Top 10 Target IPs (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    Shows the top 10 target addresses involved in personal information leakage activity.

Personal Information Leakage - Top 10 Attacker IPs (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    Shows the top 10 attacker addresses involved in personal information leakage activity.

Last 10 Worm Events (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    This data monitor displays the last 10 worm events.

Worm Activity per 10 Minutes (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    Shows a moving average of worm events. It displays data for the last hour and generates a correlation event if the moving average increases by 500%.

Top 10 Target IPs (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/Attacks and Suspicious Activity/
    Shows the top 10 target addresses involved in attack and suspicious activity.

Top 10 Attacker IPs (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/Attacks and Suspicious Activity/
    Shows the top 10 attacker addresses involved in attack and suspicious activity.

Last 5 Attacks and Suspicious Activity Events (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/Attacks and Suspicious Activity/
    This data monitor displays the last 5 attack and suspicious activity events.

Attacks and Suspicious Activity per 10 Minutes (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/Attacks and Suspicious Activity/
    Shows a moving average of attack events. It displays data for the last 10 minutes and generates a correlation event if the moving average increases by 300%.


Ports Used in Attacks and Suspicious Activity Events (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/Attacks and Suspicious Activity/
    This data monitor shows the ports used in attack and suspicious activity events. By default, the data monitor shows data from the last 2 hours.

Last 20 MITRE ATT&CK Attack Events (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/MITRE ATT&CK/
    This data monitor displays the last 20 MITRE ATT&CK events.

Top 10 Attackers (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/MITRE ATT&CK/
    This data monitor shows the top 10 MITRE ATT&CK attackers.

Top 10 Targets (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/MITRE ATT&CK/
    This data monitor shows the top 10 MITRE ATT&CK targets.

Top 10 Users (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/MITRE ATT&CK/
    This data monitor shows the top 10 MITRE ATT&CK users.

Top 10 Attackers IPs (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/Recon Activity/
    This data monitor shows the top 10 reconnaissance activity attackers.

Top 10 Target IPs (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/Recon Activity/
    This data monitor shows the top 10 reconnaissance activity targets.


Last 10 Recon Events (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/Recon Activity/
    This data monitor displays the last 10 reconnaissance events.

Recon Activity per 10 Minutes (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/Recon Activity/
    Shows a moving average of reconnaissance activity. It displays data for the last 10 minutes and generates a correlation event if the moving average increases by 300%.

Compliance Risk Score Overview (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/Overview/
    This data monitor displays an icon indicating the compliance risk score for each regulation section. The compliance score is maintained in the Compliance Score active list and is calculated from the severity of the rules that were triggered in the solution package.

Rules Attackers and Targets (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/Overview/
    Event graph showing the attacker-target pair relationship for the various rule firings from this regulation.

Top 10 Attackers in Rule Firings (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/Overview/
    This data monitor shows which attackers are most frequently involved in rule firings for this regulation. This may reveal a trend about certain attackers.

Top 10 Rules Fired (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/Overview/
    This data monitor shows which rules are most frequently fired for this regulation. This may reveal a trend about certain attacks.

Top 10 Targets in Rule Firings (DataMonitor)
    URI: /All Data Monitors/ArcSight Solutions/GDPR/Overview/
    This data monitor shows which targets are most frequently involved in rule firings for this regulation. This may reveal a trend about certain targets.

Attacks and Suspicious Activity (FieldSet)
    URI: /All Field Sets/ArcSight Solutions/GDPR/
    This field set contains the essential fields required to investigate attacks and suspicious activity through active channels and data monitors.

Data Flow Events (FieldSet)
    URI: /All Field Sets/ArcSight Solutions/GDPR/
    This field set shows data flow event fields.

MITRE ATT&CK (FieldSet)
    URI: /All Field Sets/ArcSight Solutions/GDPR/
    This field set selects fields related to MITRE ATT&CK.

User Authentication (FieldSet)
    URI: /All Field Sets/ArcSight Solutions/GDPR/
    This field set selects fields related to authentication events.


Removal of Access Rights (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/
    Identifies events indicating that a user's access rights were removed.

Suspicious Logins (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/
    This filter identifies frequent unsuccessful logins by both administrative and non-administrative users.

Privileged Account Changes (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/
    Selects events where a change is attempted to a privileged account (as defined by the referenced active list).

Account Lockouts (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/
    This filter is used to identify account lockouts. By default, it recognizes lockouts on Microsoft Windows and Unix systems.

Access Rights Changes (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/
    Selects events where a change was attempted to account access rights.

Frequent Unsuccessful Logins (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/
    This filter identifies frequent unsuccessful logins by both administrative and non-administrative users.

Building Access (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Access Activity/Physical Access Activity/
    This filter selects all building access events.

Contractor Access After Hours (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Access Activity/Physical Access Activity/
    Identifies contractors accessing buildings after hours.

Physical Access Events (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Access Activity/Physical Access Activity/
    Selects all events sent to ArcSight ESM by physical security systems.

Successful After Hours Building Access (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Access Activity/Physical Access Activity/
    Selects all events indicating successful physical access after business hours. The after-hours time range is defined in the After Hours filter.


Successful Badge In (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Access Activity/Physical Access Activity/
    Identifies a successful badge-in event.

Unsuccessful Badge In (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Access Activity/Physical Access Activity/
    Identifies an unsuccessful badge-in event.

XSRF Vulnerability Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/
    Selects events indicating that an XSRF vulnerability was detected.

XSS Vulnerability Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/
    Selects events indicating that an XSS vulnerability was detected.

Security Patch Missing (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/
    Selects events indicating that a security patch is missing.

SQL Injection Vulnerability Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/
    Selects events indicating that an SQL injection vulnerability was detected.

SSL|TLS Vulnerability Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/
    Selects events indicating that an SSL/TLS vulnerability was detected.

Overflow Vulnerability Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/
    Selects events indicating that an overflow vulnerability was detected.

Information Disclosure Vulnerability Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/
    Selects events indicating that an information disclosure vulnerability was detected.


Format String Vulnerability Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/
    Selects events indicating that a format string vulnerability was detected.

Password and Authentication Weaknesses Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/
    Selects events indicating that password and authentication weaknesses were detected.

WordPress GDPR Plugins Vulnerabilities (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/
    Selects events indicating that a WordPress GDPR plugin vulnerability was detected.

Audit Log Cleared (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/
    Selects all events where an audit log was cleared from a host. By default, it recognizes events from Microsoft Windows and Symantec Host IDS systems; modify this filter to include events from other devices.

Failed Anti-Virus Updates (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/
    Looks for events indicating that an attempt to update a virus signature on a host failed.

Password Change Attempts (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/
    Identifies password change attempts. By default, it only identifies these events on Microsoft Windows systems. Configure this filter to identify password change events from other systems as necessary.

Security Log is Full (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/
    Selects events indicating that the security log is full.

Successful Password Change (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/
    Identifies successful password change events.


Policy Violations (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/
    Selects events indicating a policy violation.

Microsoft SQL Server Vulnerability Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/
    Selects events indicating that a Microsoft SQL Server vulnerability was detected.

ORACLE Vulnerability Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/
    Selects events indicating that an ORACLE vulnerability was detected.

MySQL Vulnerability Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/
    Selects events indicating that a MySQL vulnerability was detected.

MongoDB Vulnerability Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/
    Selects events indicating that a MongoDB vulnerability was detected.

MariaDB Vulnerability Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/
    Selects events indicating that a MariaDB vulnerability was detected.

PostgreSQL Vulnerability Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/
    Selects events indicating that a PostgreSQL vulnerability was detected.

Elasticsearch Vulnerability Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/
    Selects events indicating that an Elasticsearch vulnerability was detected.

DB2 Vulnerability Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/
    Selects events indicating that a DB2 vulnerability was detected.

Cassandra Vulnerability Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/
    Selects events indicating that a Cassandra vulnerability was detected.


Insecure Cryptographic Storage Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/
    Selects events indicating that insecure cryptographic storage was detected.

Redis Vulnerability Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/
    Selects events indicating that a Redis vulnerability was detected.

Trojan Activity (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    Selects events where trojan activity is detected.

Shell Code Execution Detected (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    Selects events where shellcode execution is detected.

Worm Activity (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    Selects events where worm activity is detected.

Virus Activity (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    Identifies virus activity reported by either an Intrusion Detection System (IDS) or an anti-virus application.

Malware Activity (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    Selects events where malicious code activity is detected.

Spyware Activity (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    Identifies spyware activity reported by either an Intrusion Detection System (IDS) or an anti-virus application.

Email Attacks (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    This filter detects events indicating that an email attack (such as phishing or spam) occurred.

Covert Channel (Filter)
    URI: /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/
    This filter detects events indicating that a covert channel is being used.

| Resource | Type | URI | Description |
|---|---|---|---|
| Information Interception | Filter | /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This filter detects events indicating that information interception is in use. |
| Clear Text Password Transmission | Filter | /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This filter identifies a successful login or access to a login page through unencrypted ports, which indicates that a user password might be transferred in clear text over the network. |
| Anti-Virus Clean or Quarantine Attempt | Filter | /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | Looks for anti-virus events that indicate a quarantine or cleaning attempt on a detected malware instance. |
| Internal Recon Activity | Filter | /All Filters/ArcSight Solutions/GDPR/GDPR Threat Analysis/Intranet Threat Analysis/ | This filter identifies events which indicate internal reconnaissance. |
| Windows Events with a Non-Machine User | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/ | This filter identifies Microsoft Windows events that have a non-machine/system user in either the attacker or the target fields. |
| Target User Present | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/ | This filter checks whether the Target User Name field is populated. |
| Target Host or Address Present | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/ | This filter identifies events that have either the Target Host Name or the Target Address event field populated. |
| High Priority Events with Target Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/ | This filter shows events in which the Priority field is 9 or 10 and target info is present. |
| High Priority Events with Attacker Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/ | This filter shows events in which the Priority field is 9 or 10 and attacker info is present. |
| High Priority Events | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/ | This filter shows events in which the Priority field is 9 or 10. |
| Attacker or Target User Present | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/ | This filter identifies events that have either the Attacker User Name or the Target User Name event field populated. |
| Attacker User Present | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/ | This filter identifies events that have the Attacker User Name event field populated. |

| Resource | Type | URI | Description |
|---|---|---|---|
| Target Asset is EU | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Assets/ | This filter selects events targeting EU countries. |
| Target Asset is Database | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Assets/ | This filter selects events targeting database hosts. |
| Internal Targets | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Assets/ | This filter looks for events targeting systems inside the organization network. |
| Internal Attackers | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Assets/ | This filter looks for events coming from systems inside the organization network. |
| Attacker Asset is PII | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Assets/ | This filter selects events originating from PII assets. |
| Attacker Asset is EU | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Assets/ | This filter selects events originating from EU countries. |
| Target Asset is PII | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Assets/ | This filter selects events targeting PII hosts. |
| MITRE ATT&CK Activity with User Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Attacks/ | This filter identifies MITRE ATT&CK events with user info. |
| Threats | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Attacks/ | This filter identifies events that indicate compromise, reconnaissance, hostile, or suspicious activity, and MITRE ATT&CK activity. |
| Recon Activity | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Attacks/ | This filter identifies events that indicate reconnaissance activity. |
| MITRE ATT&CK Activity with Target Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Attacks/ | This filter identifies MITRE ATT&CK events with target info. |
| Attacks with Port Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Attacks/ | This filter identifies events with port info which indicate compromise, reconnaissance, hostile, or suspicious activity. |
| MITRE ATT&CK Activity | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Attacks/ | This filter identifies MITRE ATT&CK events. |

| Resource | Type | URI | Description |
|---|---|---|---|
| Exploitation Activity | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Attacks/ | This filter identifies events which indicate exploitation activity. |
| DoS Attacks with Geo Information | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Attacks/ | This filter identifies denial of service attacks with geo information. |
| DoS Attacks | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Attacks/ | This filter identifies reported denial of service attacks. |
| Attacks with Target Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Attacks/ | This filter identifies events with target info which indicate compromise, reconnaissance, hostile, or suspicious activity. |
| Attacks with Geo Information | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Attacks/ | This filter selects attack events with populated Geo fields for both the attacker and target addresses. |
| Attacks with Attacker Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Attacks/ | This filter identifies events with attacker info which indicate compromise, reconnaissance, hostile, or suspicious activity. |
| Attacks and Suspicious Activity | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Attacks/ | This filter identifies events which indicate compromise, reconnaissance, hostile, or suspicious activity. |
| MITRE ATT&CK Activity with Attacker Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Attacks/ | This filter identifies MITRE ATT&CK events with attacker info. |
| Unsuccessful Logins with Attacker and Target Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Authentication/ | This filter identifies failed logins by both administrative and non-administrative users, with attacker and target info. |
| Unsuccessful Logins with Target Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Authentication/ | This filter identifies failed logins by both administrative and non-administrative users, with target info. |
| Unsuccessful Logins with Attacker and User Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Authentication/ | This filter identifies failed logins by both administrative and non-administrative users, with attacker and user info. |
| Unsuccessful Logins with Attacker Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Authentication/ | This filter identifies failed logins by both administrative and non-administrative users, with attacker info. |
| Successful Logins with Target Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Authentication/ | This filter identifies successful logins by both administrative and non-administrative users, with target info. |

| Resource | Type | URI | Description |
|---|---|---|---|
| Successful Logins from non EU Countries with Target Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Authentication/ | This filter identifies successful logins by both administrative and non-administrative users from non EU countries, with target info. |
| Successful Logins with Attacker Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Authentication/ | This filter identifies successful logins by both administrative and non-administrative users, with attacker info. |
| Successful Logins from non EU Countries with User Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Authentication/ | This filter identifies successful logins by both administrative and non-administrative users from non EU countries, with user info. |
| Successful Logins | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Authentication/ | This filter identifies successful logins by both administrative and non-administrative users. |
| Successful Logins from non EU Countries with Attacker Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Authentication/ | This filter identifies successful logins by both administrative and non-administrative users from non EU countries, with attacker info. |
| Successful Logins from non EU Countries | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Authentication/ | This filter identifies successful logins by both administrative and non-administrative users from non EU countries. |
| Unsuccessful Logins | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Authentication/ | This filter identifies failed logins by both administrative and non-administrative users. |
| Login Attempts | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Authentication/ | This filter selects any attempts at logging into systems. It excludes machine logins into Microsoft Windows systems. |
| Configuration Modifications | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Configuration Changes/ | Detects non-ArcSight configuration modification events. |
| Inbound Events | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Data Flow/ | This filter looks for events coming from outside the organization network targeting internal networks. |
| Inbound Events from non EU Countries | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Data Flow/ | This filter looks for events coming from non EU countries targeting internal networks. |
| Outbound Events | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Data Flow/ | This filter looks for events coming from inside the organization network targeting the public network. |

| Resource | Type | URI | Description |
|---|---|---|---|
| Outbound Events to Non EU Countries | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Data Flow/ | This filter looks for events coming from inside the organization network targeting non EU countries. |
| Firewall Deny | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Firewall/ | This filter selects events where a firewall denied passage to traffic. |
| Personal Records Information Leak with User Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Information Leakage/ | This filter identifies information leaks with regard to personal information. |
| Organizational Records Information Leak | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Information Leakage/ | This filter identifies information leaks with regard to company information. |
| Encrypted Communication Information Leaks | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Information Leakage/ | This filter identifies information leaks with regard to encrypted communication on the network. |
| Personal Records Information Leak | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Information Leakage/ | This filter identifies information leaks with regard to personal information. |
| Insecure Services | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Insecure Services/ | Selects events based on inherently insecure services. |
| GDPR Rule Firing with Target Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Overview/Risk Score Dashboard Overview/ | This filter selects all rule firing events where the rule is part of the compliance content and has target info. |
| Compliance Score Updates | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Overview/Risk Score Dashboard Overview/ | This filter identifies events that are generated when values in the Compliance Score active list are changed. |
| GDPR Rule Firing with Attacker Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Overview/Risk Score Dashboard Overview/ | This filter selects all rule firing events where the rule is part of the compliance content and has attacker info. |
| GDPR Rule Firing | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Overview/Risk Score Dashboard Overview/ | This filter selects all GDPR rule firing events. |
| GDPR Rule Firing with Attacker and Target Info | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Overview/Risk Score Dashboard Overview/ | This filter selects all rule firing events where the rule is part of the compliance content and has attacker and target info. |

| Resource | Type | URI | Description |
|---|---|---|---|
| Vulnerability Scanner Events | Filter | /All Filters/ArcSight Solutions/GDPR/General Filters/Vulnerabilities/ | This filter identifies scanner-generated events. |
| Limit Regulation | Filter | /All Filters/ArcSight Solutions/GDPR/My Filters/ | The purpose of this filter is to ensure that the solution only processes events that are addressed by the regulation. |
| After Hours | Filter | /All Filters/ArcSight Solutions/GDPR/My Filters/ | This filter defines the time period of 'after hours'. Change this filter to adjust the default settings. |
| | Query | /All Queries/ArcSight Solutions/GDPR/Overview/ | Provides a listing of GDPR correlation events for the last 2 hours. |
| GDPR Rule Firing Events | QueryViewer | /All Query Viewers/ArcSight Solutions/GDPR/Overview/ | Provides a listing of GDPR correlation events for the last hour. |
| Privileged Account Changes | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | Fires whenever an access/authorization change is attempted on an administrative account. |
| User Logged in to different Targets on Short Period of Time | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | Fires when someone is using the same user name to log in to different targets. This may indicate user name sharing. |
| Password Spray Attack | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | Detects a password spray attack on Windows systems. |
| User Logged in from Two Countries | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | This rule fires when someone is using the same user name to log in from two different countries. This may indicate user name sharing. |
| User Logged in from different IP Addresses | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | Fires when someone is using the same user name to log in from different IP addresses. This may indicate user name sharing. |

| Resource | Type | URI | Description |
|---|---|---|---|
| Suspicious Logins Activity Increased Exponentially in less than 10 Minutes | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | This rule looks for an exponential increase of suspicious login events. Before deploying this rule, make sure the data monitor "Suspicious Logins per 10 Minutes" and the rules "User Logged in from different IP Addresses", "User Logged in from Two Countries" and "User Logged in to different Targets on Short Period of Time" are enabled. |
| Frequent Unsuccessful Logins to Target Host | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | Fires when it notices a high frequency of unsuccessful logins on the same target host. Note: This rule works against every target application in the GDPR environment; if some applications produce false positive results, you can exclude those targets on the Conditions tab of the rule. |
| Removal of Access Rights | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | Triggers when events indicating removal of access rights occur. |
| Frequent Unsuccessful Logins from Attacker Host | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | Fires when it notices a continuous set of unsuccessful logins from the same attacker host. |

| Resource | Type | URI | Description |
|---|---|---|---|
| Frequent Unsuccessful Logins by User Name | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | Fires when it notices that the same user is responsible for a continuous set of unsuccessful logins. |
| Frequent Unsuccessful Logins Activity Increased Exponentially in less than 10 Minutes | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | This rule looks for an exponential increase of frequent failed login events. Before deploying this rule, make sure the data monitor "Frequent Failed Login per 10 Minutes" and the rules "Frequent Unsuccessful Logins by User Name", "Frequent Unsuccessful Logins from Attacker Host" and "Frequent Unsuccessful Logins to Target Host" are enabled. |
| Failed Building Access | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | Detects failed physical building access. |

| Resource | Type | URI | Description |
|---|---|---|---|
| Failed Access by the Same User to Multiple Buildings | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | Detects failed physical access by the same user to multiple buildings in a short period of time. Before enabling and deploying this rule, make sure the rule "Failed Building Access" is enabled and deployed. |
| After Hours Building Access by Contractors | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | Detects building access events by contractors after business hours. |
| Account Lockout | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | This rule detects account lockouts. |
| Frequent Unsuccessful Logins from non EU Countries to PII Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | This rule fires when it notices a continuous set of unsuccessful user logins from non EU countries to PII assets. Use this rule when you do not expect logins from non EU countries to your PII assets. Note: In order for this rule to be triggered, the PII assets should be categorized with "/All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII". |
| User Logged in from non EU Countries to PII Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | This rule fires when there is a login from non EU countries to PII assets. Use this rule when you do not expect logins from non EU countries to your PII assets. Note: In order for this rule to be triggered, the PII assets should be categorized with "/All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII". |

| Resource | Type | URI | Description |
|---|---|---|---|
| XSS Vulnerabilities | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/ | Triggers when an XSS vulnerability is detected. |
| XSRF Vulnerabilities | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/ | Triggers when an XSRF vulnerability is detected. |
| WordPress GDPR Plugins Vulnerabilities | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/ | Triggers when a WordPress GDPR plugin vulnerability is detected. |
| Specific Vulnerability Detected - Template | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/ | Triggers when a specific CVE ID vulnerability or vendor signature ID is detected. Before enabling and deploying this rule, make sure that either: 1. the CVE ID is defined using deviceCustomString2 = <CVE ID> on the Conditions tab, OR 2. the Signature ID is defined using Device Event Class Id = <Signature ID> on the Conditions tab. |
| Security Patch Missing | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/ | Triggers when a security patch missing vulnerability is detected. |

| Resource | Type | URI | Description |
|---|---|---|---|
| SQL Injection Vulnerabilities | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/ | Triggers when a SQL Injection vulnerability is detected. |
| Password and Authentication Weaknesses | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/ | Triggers when password and authentication weaknesses are detected. |
| SSL\|TLS Vulnerabilities | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/ | Triggers when an SSL\|TLS vulnerability is detected. |
| Non Fixed Security Patch Detected | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/ | Triggers when a non-fixed security patch is detected. Before enabling and deploying this rule, make sure the rule "Security Patch Missing" is enabled and deployed. |
| Invalid or Expired Certificate | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/ | Detects invalid or expired certificates. |
| Information Disclosure Vulnerability Detected on Multiple PII Assets | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/ | This rule looks for an information disclosure vulnerability detected on multiple PII assets. Note: In order for this rule to be triggered, the PII assets should be categorized with "/All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII". |

| Resource | Type | URI | Description |
|---|---|---|---|
| Information Disclosure Vulnerability Detected | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/ | Triggers when an information disclosure vulnerability is detected. |
| High Risk Vulnerability Detected | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/ | Triggers when a high risk vulnerability is detected. |
| Format String Vulnerabilities | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/ | Triggers when a format string vulnerability is detected. |
| Overflow Vulnerabilities | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification/ | Triggers when an overflow vulnerability is detected. |
| Successful Password Change | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/ | Detects when a user's password is changed. It then removes the user name from the list where it was kept to track whether or not the default password was changed. |
| Security Log is Full | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/ | Triggers when the security log is full. |
| Potential Distributed DoS | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/ | This rule looks for a potential distributed DoS. Before deploying this rule, make sure the rule "DoS Detected" is enabled. |
| Password not Changed for Longer than Policy Standard | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/ | Fires when an entry expires out of the referenced active list, signifying that the new (default) password was not changed within the prescribed time. The time limit is defined by the TTL in the active list. |

| Resource | Type | URI | Description |
|---|---|---|---|
| Failed Anti-Virus Updates | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/ | This rule detects failed anti-virus updates. |
| Critical Change on multiple PII Assets | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/ | Triggers when a PII environment configuration change with Very-High agent severity is detected. Note: In order for this rule to be triggered, the PII assets should be categorized with "/All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII". |
| Asset not Scanned for Longer than Policy Standard | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/ | Fires when an entry expires out of the referenced active list, signifying that the asset was not scanned within the prescribed time. The time limit is defined by the TTL in the active list (default 60 days). Before deploying this rule, make sure the rule "Asset Scanned" is enabled and deployed. |
| Asset Scanned | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/ | This rule detects vulnerability scans against a specific asset and adds the asset to the active list. |
| DoS Detected | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/ | This rule looks for DoS. |
| Audit Log Cleared | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/ | Monitors for events indicating that the audit log was cleared on Windows systems. |

| Resource | Type | URI | Description |
|---|---|---|---|
| Security Software Stopped or Paused | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification/ | Triggers when a security software service has been disabled; refer to the Conditions tab of this rule for the list of such services. |
| Multiple Policy Violations Against PII Assets | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/ | This rule looks for multiple policy violations against PII assets. Note: In order for this rule to be triggered: 1. the assets which match the condition should be categorized with /All Assets Categories/Compliance Insight Package/Network Domains/Electronic PII/; 2. before deploying this rule, make sure the rule "Policy Violations" is enabled. |
| Policy Violations | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/ | This rule looks for policy violations. |
| Internal Data Flow from non EU to PII Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/ | This rule looks for internal data flow from non EU countries to PII assets. Note: In order for this rule to be triggered, the PII assets should be categorized with "/All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII" and your internal assets should be categorized with "/All Assets Categories/ArcSight Solutions/Compliance Insight Package/Address Spaces/Protected/". |

| Resource | Type | URI | Description |
|---|---|---|---|
| Threats from non EU to PII Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/ | This rule looks for threats from non EU countries to PII assets. Note: In order for this rule to be triggered, the PII assets should be categorized with "/All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII". |
| High Risk Events Increased Exponentially in less than 10 Minutes | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/ | This rule looks for an exponential increase of high risk events. Before deploying this rule, make sure the data monitor "High Risk Events per 10 Minutes" is enabled. |
| External Data Flow from non EU to PII Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/ | This rule looks for external data flow from non EU countries to PII assets. Note: In order for this rule to be triggered, the PII assets should be categorized with "/All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII" and your internal assets should be categorized with "/All Assets Categories/ArcSight Solutions/Compliance Insight Package/Address Spaces/Protected/". |
| External Data Flow from PII Asset to non EU | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/ | This rule looks for external data flow from PII assets to non EU countries. Note: In order for this rule to be triggered, the PII assets should be categorized with "/All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII" and your internal assets should be categorized with "/All Assets Categories/ArcSight Solutions/Compliance Insight Package/Address Spaces/Protected/". |

| Resource | Type | URI | Description |
|---|---|---|---|
| Internal Data Flow from PII Asset to non EU | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure/ | This rule looks for internal data flow from PII assets to non EU countries. Note: In order for this rule to be triggered, the PII assets should be categorized with "/All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII" and your internal assets should be categorized with "/All Assets Categories/ArcSight Solutions/Compliance Insight Package/Address Spaces/Protected/". |
| Redis Vulnerabilities | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/ | Triggers when a Redis vulnerability is detected. |
| PostgreSQL Vulnerabilities | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/ | Triggers when a PostgreSQL vulnerability is detected. |
| ORACLE Vulnerabilities | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/ | Triggers when an ORACLE vulnerability is detected. |
| MongoDB Vulnerabilities | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/ | Triggers when a MongoDB vulnerability is detected. |
| Microsoft SQL Server Vulnerabilities | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/ | Triggers when a Microsoft SQL Server vulnerability is detected. |
| MariaDB Vulnerabilities | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/ | Triggers when a MariaDB vulnerability is detected. |
| MySQL Vulnerabilities | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/ | Triggers when a MySQL vulnerability is detected. |

| Resource | Type | URI | Description |
|---|---|---|---|
| Exploit Executed on Database Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/ | This rule detects an exploit executed against database assets. Note: In order for this rule to be triggered, the database assets should be categorized with the category "/All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role/Service/Database". |
| Elasticsearch Vulnerabilities | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/ | Triggers when an Elasticsearch vulnerability is detected. |
| DB2 Vulnerabilities | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/ | Triggers when a DB2 vulnerability is detected. |
| Critical Database Change Detected | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/ | Triggers when a configuration change with Very-High agent severity is detected on a database asset. Note: In order for this rule to be triggered, the database assets should be categorized with the category "/All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role/Service/Database". |
| Cassandra Vulnerabilities | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/ | Triggers when a Cassandra vulnerability is detected. |
| CRM or ERP Vulnerabilities | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/ | Triggers when a CRM or ERP vulnerability is detected. |
| Insecure Cryptographic Storage Detected | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk/ | Triggers when insecure cryptographic storage is detected. |

| Resource | Type | URI | Description |
|---|---|---|---|
| Possible DNS Based Zombie | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule looks for command and control DNS zombies in the organization. Before enabling and deploying this rule, please make sure the rule "Possible Botnet Activity" is enabled and deployed and the active list "DMZ Assets" includes the relevant DNS assets. |
| Possible Directory Traversal | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule looks for events indicating a directory traversal attack is being used. |
| Possible Email Attack | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule looks for attacks where email activity is involved. |
| Possible HTTP Based Zombie | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule looks for command and control HTTP based zombies in the organization. Before enabling and deploying this rule, please make sure the rule "Possible Botnet Activity" is enabled and deployed and the active list "DMZ Assets" includes the relevant web assets. |
| Possible Information Interception | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule looks for attacks where information could be redirected and collected by an unintended party. |
| Possible Spear Phishing Attack | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule identifies a potential spear phishing attack. Before deploying this rule, please make sure to add high profile email addresses to the "Important Emails" active list. |
| Resource | Type | URI | Description |
|---|---|---|---|
| Possible SMTP Based Zombie | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule looks for command and control SMTP based zombies in the organization. Before enabling and deploying this rule, please make sure the rule "Possible Botnet Activity" is enabled and deployed and the active list "DMZ Assets" includes the relevant SMTP assets. |
| Potential Worm Propagated Internally | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | Triggers when a worm has propagated internally. Before deploying this rule, please make sure the rule "Worm Detected" is enabled and deployed. |
| Shellcode Execution Detected | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule detects shellcode execution. |
| Possible Covert Channel | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule looks for events indicating a covert channel is being used. |
| Worm Detected | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | Triggers when a worm is reported by either an Intrusion Detection System (IDS) or an anti-virus application. |
| Possible Botnet Activity | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule looks for command and control zombies in the organization. Before enabling and deploying this rule, please make sure the active list "DMZ Assets" includes the relevant assets. |
| Resource | Type | URI | Description |
|---|---|---|---|
| Exploit Executed Against PII Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule detects an exploit executed against PII assets. Note: In order for this rule to be triggered, the PII assets should be categorized with "/All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII". |
| Personal Information Leak | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule looks for any personal information being sent out of the corporate network. |
| Organizational Data Information Leak | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule looks for any organizational information being sent out of the corporate network. |
| Malware Detected on PII Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | Triggers when malware is detected on a PII asset. Note: In order for this rule to be triggered, the PII assets should be categorized with "/All Assets Categories/Compliance Insight Package/Network Domains/Electronic PII". |
| MITRE ATT&CK Techniques Detected on Multiple PII Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule looks for MITRE techniques detected on multiple PII assets in a short period of time. Note: In order for this rule to be triggered, the PII assets should be categorized with "/All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII". |
| Exploit Executed Against WordPress GDPR Plugins | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule detects an exploit executed against WordPress GDPR Plugins. |
| Excessive Blocked Firewall Traffic from the same Source | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule looks for possible excessive blocked firewall traffic from the same source. |
| Resource | Type | URI | Description |
|---|---|---|---|
| Encrypted Communication Information Leaks | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule looks for any encrypted communication information leaks on the network. |
| Clear Text Password Transmission | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule looks for events indicating a clear text password transmission. |
| Attacks Increased Exponentially in less than 10 Minutes | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule looks for an exponential increase of attack and suspicious activity events. Before deploying this rule, make sure the data monitor "Attacks and Suspicious Activity per 10 Minutes" is enabled. |
| Personal Information Leak Increased Exponentially in less than 10 Minutes | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule looks for an exponential increase of personal information leak events. Before deploying this rule, make sure the data monitor "Personal Information Leakage per 10 Minutes" is enabled. |
| Multiple MITRE ATT&CK Techniques Detected on PII Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis/ | This rule looks for multiple MITRE techniques detected on a PII asset in a short period of time. Note: In order for this rule to be triggered, the PII assets should be categorized with "/All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII". |
| Internal Insecure Service Provider Detected | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Intranet Threat Analysis/ | Detects when insecure protocols, such as Telnet or RSH, are used inside the network. Note: In order for this rule to be triggered, the internal assets should be categorized with "/All Assets Categories/ArcSight Solutions/Compliance Insight Package/Address Spaces/Protected/". |
| Resource | Type | URI | Description |
|---|---|---|---|
| Internal Recon Detected | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Intranet Threat Analysis/ | This rule looks for internal reconnaissance activity. Note: In order for this rule to be triggered, the internal assets should be categorized with "/All Assets Categories/ArcSight Solutions/Compliance Insight Package/Address Spaces/Protected/". |
| Compliance Score Update | Rule | /All Rules/ArcSight Solutions/GDPR/Overview/ | This rule is triggered by other GDPR rules and updates the Compliance Risk Score active list. |
| Manual Status Change | Rule | /All Rules/ArcSight Solutions/GDPR/Overview/ | This rule is triggered when a section's status on the Compliance Risk Score dashboard is changed manually. |

Appendix B: GDPR Categories
The following table shows all the categories used and the resources which use those categorizations.

| Resource | Type | URI | Category URI |
|---|---|---|---|
| Frequent Unsuccessful Logins from non EU Countries to PII Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII |
| User Logged in from non EU Countries to PII Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Access Activity/Access Activity/ | /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII |
| Information Disclosure Vulnerability Detected on Multiple PII Assets | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Attack Surface Identification | /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII |
| Critical Change on multiple PII Assets | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Attack Surface Analysis/Security Controls Risk Identification | /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII |
| External Data Flow from non EU to PII Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure | /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII; /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Address Spaces/Protected |
| External Data Flow from PII Asset to non EU | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure | /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII; /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Address Spaces/Protected |
Appendix B: GDPR Categories Page 88 of 91
| Resource | Type | URI | Category URI |
|---|---|---|---|
| Internal Data Flow from non EU to PII Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure | /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII; /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Address Spaces/Protected |
| Internal Data Flow from PII Asset to non EU | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure | /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII; /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Address Spaces/Protected |
| Multiple Policy Violations Against PII Assets | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure | /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII |
| Threats from non EU to PII Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Regulatory Exposure/Composite Regulatory Exposure | /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII |
| Critical Database Change Detected | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk | /All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role/Service/Database |
| Exploit Executed on Database Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Data Store Risk | /All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role/Service/Database |
| MITRE ATT&CK Techniques Detected on Multiple PII Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis | /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII |
| Multiple MITRE ATT&CK Techniques Detected on PII Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis | /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII |
| Resource | Type | URI | Category URI |
|---|---|---|---|
| Exploit Executed Against PII Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis | /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII |
| Malware Detected on PII Asset | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Internet Threat Analysis | /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Network Domains/Electronic PII |
| Internal Insecure Service Provider Detected | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Intranet Threat Analysis | /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Address Spaces/Protected |
| Internal Recon Detected | Rule | /All Rules/ArcSight Solutions/GDPR/GDPR Threat Analysis/Intranet Threat Analysis | /All Assets Categories/ArcSight Solutions/Compliance Insight Package/Address Spaces/Protected |
Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by
email. If an email client is configured on this computer, click the link above and an email
window opens with the following information in the subject line:
Feedback on Solutions Guide (ESM CIP for GDPR 1.0)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail
client, and send your feedback to [email protected].
We appreciate your feedback!

Send Documentation Feedback Page 91 of 91
