Achieve LGPD compliance with ManageEngine

Brazil’s Lei Geral de Proteção de Dados (LGPD – Law No. 13,709/2018) establishes strict requirements for protecting personal data, mandating strong access controls, data security, incident monitoring, accountability, and auditable processes to prevent unauthorized access, breaches, and misuse of personal information.


How can ManageEngine support LGPD compliance?

With ManageEngine Log360, organizations can begin aligning with LGPD principles through centralized identity governance, multi-factor authentication, continuous monitoring of access to personal data, real-time threat detection, and comprehensive audit trails to support regulatory and audit requirements.

Article 6: General Principles of Personal Data Processing


Organizations must ensure all personal-data processing aligns with LGPD’s ten principles: Purpose, Adequacy, Necessity, Free Access, Data Quality, Transparency, Security, Prevention, Non-discrimination, and Accountability. These principles must guide the entire data lifecycle—from collection to deletion—and serve as the foundation for evaluating and demonstrating compliance.

Threat rules

  1. Unauthorized access to PII directories or tables
  2. Mass file access / exfiltration anomaly
  3. Disabling of security tools (Defender, Firewall, ETW, Sysmon)
  4. Clearing event logs
  5. Suspicious scheduled tasks / persistence mechanisms
  6. Ransomware encryption patterns
  7. Database DML/DDL changes on PII tables
  8. Unauthorized sharing or outbound transfers
Reports and evidence

  1. Correlated Events Report
  2. File Integrity Monitoring Summary Report
  3. UEBA Anomaly Report
  4. Database Query Access Logs
  5. DML/DDL Change Monitoring Report
  6. Log Integrity Verification Report
  7. Privilege Escalation Attempts Report
  8. Suspicious Outbound Transfer Report
  9. Security Control Tampering Report (Firewall/Defender/ETW)
  10. File Access & Integrity Reports
  11. Data Classification Evidence
  12. USB/Email/Web DLP Violations
  13. Ransomware Detection Logs

Articles 17–22: Data subject rights


LGPD grants individuals full control over their personal data, allowing them to access, correct, delete, transfer, or request human review of automated decisions. Organizations must provide clear, timely responses and maintain full traceability of all actions taken on a data subject’s personal data.

Threat rules

  1. Windows Firewall Settings Have Been Changed
  2. Disable Microsoft Defender Firewall via Registry
  3. Firewall Disabled via Netsh.EXE
  4. New Firewall Rule Added Via Netsh.EXE
  5. Disable Windows Firewall by Registry
  6. Firewall IPS Signature Detected
  7. Windows Defender Service Disabled – Registry
  8. Disable Windows Defender Functionalities Via Registry Keys
  9. Windows Defender Exclusions Added – Registry
  10. Windows Defender Exclusions Added – PowerShell
  11. PowerShell Disable Security Monitoring
  12. Disable Macro Runtime Scan Scope
  13. PowerShell Logging Disabled Via Registry Key Tampering
  14. Security Eventlog Cleared
  15. Potential EventLog File Location Tampering
  16. EventLog EVTX File Deleted
  17. EventLog Query Requests by Built-in Utilities
  18. Clear PowerShell History – PowerShell
  19. PowerShell Console History Logs Deleted
  20. IIS WebServer Access Logs Deleted
  21. Tomcat WebServer Logs Deleted
  22. ETW Logging Disabled in .NET Processes – Sysmon Registry
  23. ETW Logging Disabled for rpcrt4.dll
  24. ETW Logging Disabled for SCM
  25. ETW Trace Evasion Activity
  26. Disable of ETW Trace – PowerShell
  27. Suspicious Modification of Scheduled Tasks
  28. Suspicious Scheduled Tasks Created During Non-working Hours
  29. Suspicious Scheduled Task Creation Involving Temp Folder
  30. Delete Important Scheduled Task
  31. Delete All Scheduled Tasks
  32. PUA – Sysinternal Tool Execution – Registry
  33. Ransomware Detections
  34. Windows Backup Deleted via Wbadmin.EXE
  35. All Backups Deleted via Wbadmin.EXE
  36. Periodic Backup for System Registry Hives Enabled

Reports and evidence

  1. Database Query / Select Audit Report
  2. Database DDL / DML Change Reports
  3. Data Sharing / Transfer Activity Report
  4. Data Retention & Archival Report

SIEM controls

  1. Database query logging to confirm processing activities
  2. DML/DDL change monitoring to verify correction and deletion operations
  3. Outbound data transfer auditing for data sharing and disclosures
  4. WORM tamper-proof log storage for regulatory evidence preservation

Article 37: Accountability and documentation


Any organization handling personal data must keep written records of what data it processes, why it processes it, and how. This is especially important when using “legitimate interest” as the legal basis. These records help prove to regulators that the organization is handling data responsibly and transparently.

Threat rules

Log Tampering & Log Deletion Detection

  1. EventLog EVTX File Deleted
  2. Security Eventlog Cleared
  3. Event Logs Cleared
  4. Suspicious Eventlog Clear or Configuration Using Wevtutil
  5. Event Logging Service Shutdown
  6. EventLog File Location Tampering
  7. Audit Events Dropped
  8. Error in EventLog Service
  9. Audit Logs Cleared (Windows Important Events)

Audit Evasion & Traceability Evasion Rules

  1. ETW Logging Disabled in .NET Processes
  2. ETW Trace Evasion Activity
  3. Disable of ETW Trace – PowerShell
  4. PowerShell Logging Disabled via Registry Key Tampering
  5. Clear PowerShell History – PowerShell
  6. PowerShell Console History Logs Deleted

Privilege & Configuration Integrity Rules

  1. User Added to Local Administrators
  2. Privilege Assigned to New Logon

System Stability & Evidence Preservation

  1. Application Errors / System Errors / EMET Logs
  2. Blue Screen Error (BSOD)
  3. Service State Change
  4. Event Logger Started

Ransomware or Destructive Activity

  1. Ransomware Detections
  2. Shadow Copies Deletion Using OS Utilities
  3. Backup Catalog Deleted

Reports and evidence

Windows & SIEM Event Monitoring

  1. All Events (Windows)
  2. Important Events (Windows)
  3. Weekly / Monthly Activity Summary Reports
  4. Security Log Full Report

Log Tampering & Integrity

  1. Audit Logs Cleared Report
  2. Event Logging Service Shutdown Report
  3. EventLog Tampering Reports
  4. Security Event Log Clearance Attempts

Authentication & Privilege Monitoring

  1. Failed Logons (all categories)
  2. Locked-Out Users Report
  3. User Account Management Reports
  4. Privilege Use Reports

System & Policy Change Monitoring

  1. Configuration Change Reports
  2. Policy Change Reports
  3. Audit Policy Change Reports
  4. System Error / Application Error Reports

Data Access, DLP & Ransomware

  1. File Read / Access Reports
  2. File Modification Reports
  3. File Deletion Reports
  4. File Creation Reports
  5. Permission Modification Reports
  6. Top File Operations Reports
  7. Removable Media Access Reports
  8. Ransomware Detection Reports

SIEM controls

Centralized Log Collection & Integrity

  1. Log collection from all critical systems (Windows, AD, databases, network)
  2. Log integrity monitoring (log deletion, clearing, overwriting)
  3. Long-term log retention policies

Privilege, Configuration & Governance Monitoring

  1. Privileged activity monitoring across infrastructure
  2. Configuration change auditing
  3. Policy and audit policy change monitoring
  4. Privilege use auditing

File Integrity, Data Access & DLP

  1. File integrity monitoring for critical evidence repositories
  2. File access auditing
  3. File modification logging
  4. File deletion monitoring
  5. Permission change auditing
  6. Sensitive data discovery and classification
  7. Endpoint DLP controls for file-transfer traceability

Security, Stability & Incident Evidence

  1. Windows security log auditing
  2. System and application error logging
  3. Log tampering detection (log cleared, service stopped)
  4. Incident timeline reconstruction
  5. Ransomware detection

Article 41: Data Protection Officer (DPO) & Establishment of a Communication Channel


Organizations must appoint a Data Protection Officer (DPO) to act as the main contact for data subjects and the ANPD. The DPO oversees compliance efforts, handles data-subject requests, supports incident response, and ensures transparency. A clear, publicly available communication channel must be provided so individuals can easily exercise their LGPD rights.

Threat rules

  1. Clearing of security logs (event logs, PowerShell logs, web server logs)
  2. Disabling security tools (Firewall, Defender, ETW)
  3. Suspicious access to PII systems used by DPO (identity stores, databases)
  4. Scheduled-task tampering linked to persistence
  5. Ransomware behavior and abnormal file modifications
  6. Outbound exfiltration of DSR-related evidence or documents

Reports and evidence

Security & Incident Monitoring

  1. Security Incident & Alert Summary Report
  2. Correlated Incident Timeline Report
  3. User Behavior Anomaly Report
  4. Failed Login & Brute-Force Detection Reports

Log & Data Integrity

  1. Log Integrity Verification Report
  2. Evidence Retention & Log Archival Status Report

Compliance & Change Monitoring

  1. DML/DDL Change Monitoring Report (for systems holding PII)
  2. Outbound Data Transfer Logs

SIEM controls

  1. SIEM correlation to detect unauthorized access to DPO systems
  2. UEBA baselining for insider threats and DPO impersonation attempts
  3. File Integrity Monitoring to protect governance and compliance documentation
  4. WORM-based log retention for regulatory and legal evidence
  5. Alerting on suspicious outbound data transfers related to DSR evidence
  6. DLP controls to prevent leakage of DSR documents and personal data
  7. File integrity monitoring on DPO evidence repositories
  8. Automated ransomware detection and containment to protect logs and evidence
  9. Classification of sensitive data handled by the DPO

Article 46: Security measures for processing personal data


Organizations must protect personal data by applying technical and administrative safeguards that ensure confidentiality, integrity, and availability. This includes risk-based security measures such as access control, encryption, continuous monitoring, secure system design, employee training, auditing, and maintaining reliable evidence of all data-processing and security activities.

Threat rules

  1. Firewall settings modification detected
  2. Windows Defender Firewall disabled (Registry / PowerShell / Netsh)
  3. New firewall rule added or modified
  4. Windows Defender service disabled
  5. Windows Defender exclusion added (Registry or PowerShell)
  6. Suspicious scheduled tasks created or modified
  7. Deletion of critical scheduled tasks
  8. SafeBoot registry keys added
  9. New root or CA certificate installed
  10. Execution of suspicious Sysinternals tools
  11. Ransomware detection signatures triggered
  12. Windows backups deleted (Wbadmin)
  13. System registry hive backups altered
  14. Failed logon attempts (all types)
  15. Multiple account lockouts
  16. Privilege escalation attempts
  17. Lateral movement indicators
  18. Unusual data access or exfiltration behavior
  19. Cloud misconfiguration alerts (AWS / Azure / GCP)
  20. Event log clearing or tampering detected
  21. Policy change events (audit, authentication, authorization)
  22. Correlated alerts across endpoint, identity, and cloud sources
  23. SIEM-driven investigation timelines
  24. Evidence retention for regulatory and forensic requirements

Reports and evidence

  1. File Integrity Monitoring (FIM) summary report
  2. Correlated security events report
  3. UEBA anomaly detection report
  4. Database DML / DDL change audit report
  5. Top vulnerable devices report
  6. Windows audit log clearance attempt report
  7. System and application error logs
  8. Policy change reports
  9. Privilege user reports
  10. Authentication failure reports
  11. Firewall rule change reports
  12. Audit log integrity check report
  13. Log archival and retention status report
  14. File access / read reports
  15. File modification / deletion reports
  16. Permission modification reports
  17. Sensitive data access report
  18. Ransomware impact and containment report

SIEM controls

  1. Real-time event correlation for multi-stage attack detection
  2. Continuous monitoring of endpoint, server, and network events
  3. Tamper-proof WORM storage for secure audit logs
  4. Automated alerting for policy/configuration changes
  5. Predefined alert profiles: Malware activity, Firewall changes, Brute-force attacks, Suspicious privilege use
  6. Detection of system errors that may compromise security
  7. File Integrity Monitoring (FIM) for critical directories
  8. Monitoring unauthorized file changes
  9. Tracking firewall rule modifications
  10. Privilege use auditing (sensitive rights & operations)
  11. Cloud event auditing (AWS, Azure, GCP)
  12. Detection of access anomalies & misconfigurations
  13. Monitoring hybrid infrastructure security events

Article 48: Breach notification


Organizations must promptly detect, assess, and report any personal data breach that may pose risk or harm. Notifications to the ANPD and affected individuals must clearly describe what data was impacted, the risks involved, and the actions taken, and must provide DPO contact details. Organizations must retain logs, audit trails, and incident evidence to support regulatory investigations and demonstrate transparency.

Threat rules

  1. Firewall Settings Modified
  2. Microsoft Defender Firewall Disabled (Registry / Netsh / PowerShell)
  3. New Firewall Rule Added
  4. Windows Defender Service Disabled
  5. Windows Defender Exclusions Added (Registry / PowerShell)
  6. Security Tools Disabled
  7. PowerShell Logging Disabled (Registry / Script)
  8. Macro Runtime Scan Disabled
  9. Security Event Log Cleared
  10. EventLog File Deleted
  11. EventLog File Location Tampering
  12. ETW Logging Disabled (rpcrt4.dll, SCM, .NET, PowerShell)
  13. ETW Trace Evasion Activity
  14. PowerShell Console History Logs Deleted
  15. Clear PowerShell History
  16. IIS Access Logs Deleted
  17. Tomcat Access Logs Deleted
  18. Ransomware Detections
  19. Backups Deleted via Wbadmin
  20. All Backups Wiped
  21. Registry Hive Backup Interference

Reports and evidence

  1. Security Incident Report
  2. Real-time Alert History
  3. Audit Log Integrity Check Report
  4. Correlated Incident Timeline Report
  5. DML/DDL Change Reports (database tampering)
  6. Log Archival & Retention Audit
  7. Windows Security Log Clearance Attempt Report
  8. Audit Policy Change Report
  9. Privilege Use Report
  10. System Error & Crash Logs (indicate breach impact)
  11. Firewall Rule Modification Report
  12. File Access / File Modification / File Deletion Reports
  13. Exfiltration Attempt Reports (USB, Email, Web)
  14. Ransomware Activity Report
  15. Permission Change Evidence Reports

SIEM controls

  1. Enable Real-time Correlation to identify multi-stage intrusions
  2. Use File Integrity Monitoring to detect unauthorized file changes
  3. Enforce Tamper-proof Logging (WORM) for forensic evidence integrity
  4. Configure UBA to detect unusual access and mass file events
  5. Enable Real-time Alerts for privilege escalation, malware, firewall changes
  6. Centralize Incident Response Timelines for ANPD reporting
  7. Enable Real-time File Access & Modification Tracking
  8. Enable DLP (USB / Email / Web) to detect and prevent data exfiltration
  9. Enable Permission Change Auditing to identify attacker escalation
  10. Enable Ransomware Early Detection with automated isolation
  11. Monitor authentication failures and privilege use events
  12. Track system integrity events (policy changes, audit config changes)
  13. Detect log tampering and system-level evasion techniques
  14. Maintain real-time visibility into server, firewall, and application logs

Article 49: Secure system design


Article 49 requires that any system used to process personal data must be designed and operated according to security requirements, good practices, governance principles, and relevant regulatory standards. This means organizations must embed security from the beginning (“security by design”), maintain continuous protection (“security by default”), and ensure that every system handling personal data follows robust, verifiable, and auditable security practices.

Threat rules

  1. Windows Firewall Settings Have Been Changed
  2. Disable Microsoft Defender Firewall via Registry
  3. Firewall Disabled via Netsh.EXE
  4. New Firewall Rule Added Via Netsh.EXE
  5. Firewall IPS Signature Detected
  6. Windows Defender Service Disabled – Registry
  7. Disable Windows Defender Functionalities Via Registry Keys
  8. Windows Defender Exclusions Added – Registry
  9. Windows Defender Exclusions Added – PowerShell
  10. ETW Logging Disabled in .NET Processes – Sysmon Registry
  11. ETW Logging Disabled for rpcrt4.dll
  12. ETW Logging Disabled for SCM
  13. ETW Trace Evasion Activity
  14. Disable of ETW Trace – PowerShell
  15. PowerShell Disable Security Monitoring
  16. PowerShell Logging Disabled via Registry Key Tampering
  17. Security Eventlog Cleared
  18. EventLog EVTX File Deleted
  19. Potential EventLog File Location Tampering
  20. IIS WebServer Access Logs Deleted
  21. Tomcat WebServer Logs Deleted
  22. Suspicious Modification of Scheduled Tasks
  23. Suspicious Scheduled Tasks Created During Non-working Hours
  24. Delete All Scheduled Tasks
  25. Add SafeBoot Keys via Reg Utility
  26. New Root or CA or AuthRoot Certificate Installed
  27. PUA – Sysinternal Tool Execution – Registry

Reports and evidence

  1. Configuration Change Audit Report
  2. Correlation Rule Trigger Report
  3. Log Retention & Archival Report
  4. Firewall Policy Change Report
  5. System Hardening Deviation Report
  6. Database DML / DDL Change Audit
  7. File Integrity Monitoring (FIM) Change Report

SIEM controls

  1. Correlation engine to detect multi-step attacks against system infrastructure
  2. File Integrity Monitoring for system files, configuration files, registry, and application directories
  3. Continuous log monitoring from servers, firewalls, AD, and applications to detect insecure modifications
  4. UEBA analytics to identify identity or system misuse inconsistent with secure design
  5. Audit-proof log immutability (WORM) meeting governance requirements
  6. Configuration drift detection ensuring systems remain aligned with secure baseline configurations
  7. Permission analytics to detect overexposure of sensitive data
  8. Sensitive data discovery and classification to ensure proper governance controls
  9. Real-time access, modification, and deletion alerts to enforce integrity protections

Article 50: Good practices and governance


Article 50 requires organizations to maintain a formal and continually updated privacy governance framework. This includes documented policies, security standards, risk-based controls, complaint handling, internal supervision, and training. Governance must reflect the nature and sensitivity of processed data and must demonstrate transparency and accountability to data subjects and the ANPD.

Threat rules

  1. Windows Firewall Settings Have Been Changed
  2. Disable Microsoft Defender Firewall via Registry
  3. Firewall Disabled via Netsh.EXE
  4. New Firewall Rule Added Via Netsh.EXE
  5. Windows Defender Service Disabled – Registry
  6. Disable Windows Defender Functionalities via Registry Keys
  7. Windows Defender Exclusions Added (Registry / PowerShell)
  8. PowerShell Disable Security Monitoring
  9. PowerShell Logging Disabled via Registry Key
  10. Security EventLog Cleared
  11. EventLog EVTX File Deleted
  12. EventLog File Location Tampering
  13. IIS WebServer Logs Deleted
  14. Tomcat Logs Deleted
  15. ETW Logging Disabled (rpcrt4.dll, SCM, .NET processes)
  16. ETW Trace Evasion Activity
  17. Suspicious Scheduled Task Modifications
  18. Unauthorized Task Creation in Temp Folder
  19. Add SafeBoot Registry Keys
  20. Unauthorized Root/CA Certificate Installation
  21. PUA – Sysinternal Tool Execution
  22. Ransomware Detections
  23. Windows Backup Deleted via Wbadmin
  24. All Backups Deleted

Reports and evidence

  1. Policy Change Audit Report
  2. Correlation Rule Trigger Reports
  3. File Integrity Monitoring (FIM) Reports
  4. Log Archival & Retention Compliance Reports
  5. Privileged User Activity Monitoring Report
  6. Cross-System Change Correlation Report
  7. Database Permission & Schema Change Reports
  8. UEBA Anomaly Reports
  9. File Access & Modification Reports
  10. Permission Changes & Vulnerability Reports
  11. Data Classification Summary (Sensitive vs Non-sensitive)
  12. Endpoint DLP Violations Report
  13. GPO/Security Policy Modification Reports
  14. AD Object Modification & Deletion Reports
  15. Privileged Group Membership Change Report
  16. Logon/Logoff Activity Reports
  17. Permission Changes for Sensitive Folders
  18. AD Change Summary (for governance audits)
  19. Delegation & Role Assignment Reports
  20. User Lifecycle Activity Reports (Creation, Disable, Deletion)
  21. Permission Analysis Reports
  22. Inactive Users / Stale Objects Reports
  23. Workflow Execution Audit Report
  24. MFA Enrollment Usage Report
  25. Password Policy Enforcement Report
  26. Self-Service Access History

SIEM controls

  1. Implement policy-change monitoring across all systems and infrastructure
  2. Enforce File Integrity Monitoring for configuration files, registry, certificates, and system directories
  3. Use UEBA to detect deviations from established governance baselines
  4. Ensure log immutability (WORM) to maintain trustworthy, auditable governance evidence
  5. Enforce continuous correlation monitoring for unauthorized activity or system drift
  6. Enforce Data Classification to maintain governance based on sensitivity
  7. Detect permission vulnerabilities and enforce least-privilege governance
  8. Monitor real-time access to sensitive or regulated files
  9. Enforce DLP policies for email, USB, web, and printing to maintain governance obligations