## Run Locally (Windows)

```powershell
$env:PYTHONPATH = "$PWD"
jupyter notebook
```

## 1. Purpose

**What Shifts:**
- From: M3.3 — Audit Logging & SIEM Integration
- To: M3.4 — Incident Response & Breach Notification

**Why This Bridge Matters:**

M3.3 established comprehensive audit trails: PostgreSQL Row-Level Security capturing every data access, S3 Object Lock ensuring tamper-proof retention, and Splunk forwarding events in real-time. You can now detect incidents immediately through anomaly detection rules (bulk exports, after-hours access).

But detection alone is insufficient for production compliance systems.

**The Gap:** A March 2024 European fintech breach illustrates the critical issue—compromised credentials exposed 12,000 customer records. Audit logs detected the breach immediately, but manual response processes delayed GDPR Article 33 notification beyond the 72-hour requirement, resulting in a €4.2M fine (₹38 crores).

**M3.4 closes this detection-to-response gap** by building automated incident response workflows that execute documented procedures from classification through notification, turning your audit infrastructure into a compliance-ready incident response system.

**Bridge Type:** Readiness Validation

## 2. Concepts Covered

**New Concepts in M3.4:**

- **4-Tier Incident Classification (P0-P3 Severity Matrix)** — Standardized framework for categorizing incident severity in under 30 seconds, enabling appropriate response resource allocation
- **6-Phase Response Workflow** — Detection → Containment → Eradication → Recovery → Notification → Post-Mortem; structured process with defined actions, responsible parties, and completion criteria
- **GDPR Article 33 Automation** — 72-hour notification templates with programmatic data population from PostgreSQL audit logs
- **DPDPA Notification Engine** — Automated Indian supervisory authority notification for cross-border compliance
- **Root Cause Analysis Tools** — Audit log correlation for end-to-end incident timeline reconstruction using correlation IDs
- **Remediation Tracking Dashboard** — Closure verification system tracking remediation steps from detection through completion with audit-ready post-mortem reports

**Building On:**
- M3.3 established: Real-time audit trails, tamper-proof retention (S3 Object Lock), SIEM forwarding (Splunk), anomaly detection
- M3.4 extends: Automated response workflows that answer "who was affected?" and "what data exposed?" programmatically, transforming detection infrastructure into compliance-ready incident response system

## 3. After Completing This Bridge

**You Will Be Able To:**

- ✓ Verify PostgreSQL audit tables with Row-Level Security are operational and capturing all data access events
- ✓ Confirm S3 Object Lock is configured in COMPLIANCE mode with 7-10 year retention for tamper-proof audit trail preservation
- ✓ Validate Splunk Universal Forwarder is actively forwarding audit events in real-time to SIEM infrastructure
- ✓ Assess Hot/Warm/Cold storage tier implementation for cost-optimized audit data lifecycle management
- ✓ Test anomaly detection rules (bulk export, after-hours access) are deployed and generating alerts
- ✓ Understand readiness requirements for building automated incident response workflows in M3.4

**Pass Criteria:**
- All 5 checks pass (✓)
- No critical gaps (✗) in M3.3 audit infrastructure
- Ready for M3.4 incident response automation content

## 4. Context in Track

**Position:** Bridge L3.M3.3 → L3.M3.4

**Learning Journey:**
```
L3.M3.3 ────[THIS BRIDGE]───→ L3.M3.4
Audit Logging      Validation      Incident Response
& SIEM Integration              & Breach Notification
```

**Compliance Infrastructure Continuity:**
- M3.1: Monitoring → Real-time observability foundations
- M3.2: Testing → Compliance verification frameworks
- M3.3: Audit Trails → Tamper-proof evidence collection
- **M3.4: Response Automation** ← Closes detection-to-notification gap
- Complete production-grade compliance chain

**Time Estimate:** 15-30 minutes

## Recap: What You Built in M3.3

In M3.3, you shipped a **production-grade audit logging and SIEM integration system** that established comprehensive audit trails for GCC compliance.

**Key Deliverables:**
- **PostgreSQL Audit Tables with Row-Level Security** — Every data access captured with user context, session tracking, and tamper-proof RLS policies
- **S3 Object Lock (COMPLIANCE Mode)** — Immutable audit trail storage with 7-10 year retention, preventing modification or deletion even by administrators
- **Splunk Universal Forwarder** — Real-time audit event forwarding to SIEM infrastructure for centralized monitoring and correlation
- **Hot/Warm/Cold Storage Tiers** — Cost-optimized audit data lifecycle management balancing compliance requirements with storage economics
- **Anomaly Detection Rules** — Automated alerts for suspicious patterns (bulk export attempts, after-hours access) with correlation IDs for incident investigation

**What This Enables:**
You can now **detect** compliance incidents immediately through real-time monitoring. The next critical capability is **automated response**—M3.4 transforms detection into documented, compliant incident response workflows.

## Readiness Check #1: PostgreSQL Audit Tables with Row-Level Security

**What This Validates:** Confirms that PostgreSQL audit tables are operational with Row-Level Security (RLS) policies actively capturing all data access events with user context.

**Pass Criteria:**
- ✓ Audit table schema exists with required columns (timestamp, user_id, action, resource, session_id, correlation_id)
- ✓ Row-Level Security policies are enabled and preventing unauthorized access
- ✓ Recent audit events are being captured (data within last 24 hours)
- ✓ User context is properly recorded (no NULL user_id values)

In [None]:
# Check 1: PostgreSQL Audit Tables with Row-Level Security
import os
from pathlib import Path

# Offline-friendly guard
DB_CREDENTIALS = os.getenv("POSTGRES_CONNECTION_STRING")

if not DB_CREDENTIALS:
    print("⚠️ Skipping (no PostgreSQL credentials)")
    print("   Set: POSTGRES_CONNECTION_STRING environment variable")
else:
    # Check for audit table artifacts from M3.3
    audit_config = Path("config/audit_tables.sql")
    rls_policies = Path("config/rls_policies.sql")
    
    checks_passed = []
    
    if audit_config.exists():
        print("✓ Audit table schema configuration found")
        checks_passed.append(True)
    else:
        print("✗ Missing: config/audit_tables.sql")
        print("   Fix: Run M3.3 to generate audit table schema")
        checks_passed.append(False)
    
    if rls_policies.exists():
        print("✓ RLS policy configuration found")
        checks_passed.append(True)
    else:
        print("✗ Missing: config/rls_policies.sql")
        print("   Fix: Run M3.3 to generate RLS policies")
        checks_passed.append(False)
    
    if all(checks_passed):
        print("\n✓ Check #1 PASSED - PostgreSQL audit infrastructure ready")
    else:
        print("\n✗ Check #1 FAILED - Complete M3.3 audit table setup")

# Expected: ✓ Check #1 PASSED - PostgreSQL audit infrastructure ready

## Readiness Check #2: S3 Object Lock Configuration

**What This Validates:** Verifies that S3 Object Lock is configured in COMPLIANCE mode with appropriate retention periods for tamper-proof audit trail storage.

**Pass Criteria:**
- ✓ S3 bucket exists with Object Lock enabled
- ✓ COMPLIANCE mode configured (not GOVERNANCE mode)
- ✓ Retention period set to 7-10 years for regulatory compliance
- ✓ Bucket versioning enabled (required for Object Lock)
- ✓ Configuration documented for audit verification

In [None]:
# Check 2: S3 Object Lock Configuration
import os
from pathlib import Path

# Offline-friendly guard
AWS_CREDENTIALS = os.getenv("AWS_ACCESS_KEY_ID") and os.getenv("AWS_SECRET_ACCESS_KEY")

if not AWS_CREDENTIALS:
    print("⚠️ Skipping (no AWS credentials)")
    print("   Set: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables")
else:
    # Check for S3 Object Lock configuration artifacts from M3.3
    s3_config = Path("config/s3_object_lock.json")
    bucket_policy = Path("config/s3_audit_bucket_policy.json")
    
    checks_passed = []
    
    if s3_config.exists():
        print("✓ S3 Object Lock configuration found")
        checks_passed.append(True)
    else:
        print("✗ Missing: config/s3_object_lock.json")
        print("   Fix: Run M3.3 to configure S3 Object Lock")
        checks_passed.append(False)
    
    if bucket_policy.exists():
        print("✓ S3 bucket policy configuration found")
        checks_passed.append(True)
    else:
        print("✗ Missing: config/s3_audit_bucket_policy.json")
        print("   Fix: Run M3.3 to configure S3 bucket policies")
        checks_passed.append(False)
    
    if all(checks_passed):
        print("\n✓ Check #2 PASSED - S3 Object Lock ready for tamper-proof storage")
    else:
        print("\n✗ Check #2 FAILED - Complete M3.3 S3 Object Lock setup")

# Expected: ✓ Check #2 PASSED - S3 Object Lock ready for tamper-proof storage

## Readiness Check #3: Splunk Universal Forwarder Verification

**What This Validates:** Confirms that Splunk Universal Forwarder is configured and actively forwarding audit events in real-time to SIEM infrastructure.

**Pass Criteria:**
- ✓ Splunk Universal Forwarder installed and configured
- ✓ Forwarder connected to Splunk indexers (deployment server configured)
- ✓ Audit log inputs configured (PostgreSQL, application logs)
- ✓ Real-time forwarding active (no significant lag)
- ✓ Forwarding health monitored (connection status, throughput)

In [None]:
# Check 3: Splunk Universal Forwarder Verification
import os
from pathlib import Path

# Offline-friendly guard
SPLUNK_CONFIGURED = os.getenv("SPLUNK_FORWARDER_CONFIGURED")

if not SPLUNK_CONFIGURED:
    print("⚠️ Skipping (no Splunk configuration)")
    print("   Set: SPLUNK_FORWARDER_CONFIGURED=true after M3.3 setup")
else:
    # Check for Splunk forwarder configuration artifacts from M3.3
    forwarder_config = Path("config/splunk_forwarder_inputs.conf")
    outputs_config = Path("config/splunk_forwarder_outputs.conf")
    
    checks_passed = []
    
    if forwarder_config.exists():
        print("✓ Splunk forwarder inputs configuration found")
        checks_passed.append(True)
    else:
        print("✗ Missing: config/splunk_forwarder_inputs.conf")
        print("   Fix: Run M3.3 to configure Splunk forwarder inputs")
        checks_passed.append(False)
    
    if outputs_config.exists():
        print("✓ Splunk forwarder outputs configuration found")
        checks_passed.append(True)
    else:
        print("✗ Missing: config/splunk_forwarder_outputs.conf")
        print("   Fix: Run M3.3 to configure Splunk forwarder outputs")
        checks_passed.append(False)
    
    if all(checks_passed):
        print("\n✓ Check #3 PASSED - Splunk forwarder ready for real-time SIEM integration")
    else:
        print("\n✗ Check #3 FAILED - Complete M3.3 Splunk forwarder setup")

# Expected: ✓ Check #3 PASSED - Splunk forwarder ready for real-time SIEM integration

## Readiness Check #4: Hot/Warm/Cold Storage Tier Implementation

**What This Validates:** Verifies that storage tiering is implemented for cost-optimized audit data lifecycle management while maintaining compliance requirements.

**Pass Criteria:**
- ✓ Hot tier configured for recent data (0-30 days, high-performance access)
- ✓ Warm tier configured for medium-term data (31-365 days, standard access)
- ✓ Cold tier configured for long-term retention (1-10 years, archival access)
- ✓ Lifecycle policies automate tier transitions
- ✓ Retrieval times documented for compliance audit requirements

In [None]:
# Check 4: Hot/Warm/Cold Storage Tier Implementation
import os
from pathlib import Path

# Offline-friendly guard
STORAGE_TIERS_CONFIGURED = os.getenv("STORAGE_TIERS_CONFIGURED")

if not STORAGE_TIERS_CONFIGURED:
    print("⚠️ Skipping (no storage tier configuration)")
    print("   Set: STORAGE_TIERS_CONFIGURED=true after M3.3 setup")
else:
    # Check for storage tier configuration artifacts from M3.3
    lifecycle_policy = Path("config/s3_lifecycle_policy.json")
    tier_documentation = Path("docs/storage_tier_architecture.md")
    
    checks_passed = []
    
    if lifecycle_policy.exists():
        print("✓ S3 lifecycle policy configuration found")
        checks_passed.append(True)
    else:
        print("✗ Missing: config/s3_lifecycle_policy.json")
        print("   Fix: Run M3.3 to configure storage tier lifecycle policies")
        checks_passed.append(False)
    
    if tier_documentation.exists():
        print("✓ Storage tier documentation found")
        checks_passed.append(True)
    else:
        print("✗ Missing: docs/storage_tier_architecture.md")
        print("   Fix: Run M3.3 to document storage tier architecture")
        checks_passed.append(False)
    
    if all(checks_passed):
        print("\n✓ Check #4 PASSED - Storage tiers ready for cost-optimized compliance")
    else:
        print("\n✗ Check #4 FAILED - Complete M3.3 storage tier implementation")

# Expected: ✓ Check #4 PASSED - Storage tiers ready for cost-optimized compliance

## Readiness Check #5: Anomaly Detection Rules Deployment

**What This Validates:** Confirms that anomaly detection rules are deployed in Splunk to identify suspicious patterns requiring incident response.

**Pass Criteria:**
- ✓ Bulk export detection rule deployed (threshold: >1000 records in single query)
- ✓ After-hours access detection rule deployed (non-business hours data access)
- ✓ Rules generate alerts with correlation IDs for incident tracking
- ✓ Alert routing configured (email, ticketing system, dashboards)
- ✓ False positive tuning documented for operational efficiency

In [None]:
# Check 5: Anomaly Detection Rules Deployment
import os
from pathlib import Path

# Offline-friendly guard
ANOMALY_RULES_DEPLOYED = os.getenv("ANOMALY_RULES_DEPLOYED")

if not ANOMALY_RULES_DEPLOYED:
    print("⚠️ Skipping (no anomaly detection rules configured)")
    print("   Set: ANOMALY_RULES_DEPLOYED=true after M3.3 setup")
else:
    # Check for anomaly detection rule artifacts from M3.3
    bulk_export_rule = Path("config/splunk_alerts/bulk_export_detection.spl")
    after_hours_rule = Path("config/splunk_alerts/after_hours_access.spl")
    alert_routing = Path("config/splunk_alerts/alert_routing.conf")
    
    checks_passed = []
    
    if bulk_export_rule.exists():
        print("✓ Bulk export detection rule found")
        checks_passed.append(True)
    else:
        print("✗ Missing: config/splunk_alerts/bulk_export_detection.spl")
        print("   Fix: Run M3.3 to deploy bulk export detection rule")
        checks_passed.append(False)
    
    if after_hours_rule.exists():
        print("✓ After-hours access detection rule found")
        checks_passed.append(True)
    else:
        print("✗ Missing: config/splunk_alerts/after_hours_access.spl")
        print("   Fix: Run M3.3 to deploy after-hours access detection rule")
        checks_passed.append(False)
    
    if alert_routing.exists():
        print("✓ Alert routing configuration found")
        checks_passed.append(True)
    else:
        print("✗ Missing: config/splunk_alerts/alert_routing.conf")
        print("   Fix: Run M3.3 to configure alert routing")
        checks_passed.append(False)
    
    if all(checks_passed):
        print("\n✓ Check #5 PASSED - Anomaly detection ready for incident response")
    else:
        print("\n✗ Check #5 FAILED - Complete M3.3 anomaly detection deployment")

# Expected: ✓ Check #5 PASSED - Anomaly detection ready for incident response

## Call-Forward: What's Next in M3.4

**The Driving Question:**

*"Your RAG system exposed 10,000 customer records; audit logs detected it immediately. You have 72 hours to comply with GDPR Article 33 and DPDPA breach notification requirements. What do you do in the next 72 hours?"*

---

**Module M3.4 Will Cover:**

**1. Production-Grade Incident Response System**
- Build automated workflows that transform audit trail detection into compliant response execution
- Close the detection-to-response gap that caused the €4.2M fintech fine

**2. 4-Tier Incident Classification (P0-P3 Severity Matrix)**
- Classify incidents in under 30 seconds using standardized severity framework
- Map detected events from audit logs to appropriate response resource allocation

**3. 6-Phase Response Workflow Automation**
- Detection → Containment → Eradication → Recovery → Notification → Post-Mortem
- Structured processes with defined actions, responsible parties, and completion criteria
- End-to-end incident timeline reconstruction using correlation IDs

**4. Regulatory Compliance Automation**
- **GDPR Article 33:** Generate 72-hour notifications with programmatic data population
- **DPDPA:** Automate Indian supervisory authority notifications for cross-border compliance
- Pre-built SQL queries answering "who was affected?" and "what data exposed?" in minutes

**5. Remediation Tracking & Post-Mortem**
- Track remediation steps from detection through verified closure
- Generate audit-ready post-mortem reports with timeline correlation

---

**Why You're Ready:**

Your M3.3 audit infrastructure provides the **foundation** for incident response:
- PostgreSQL audit tables capture who, what, when for every data access
- S3 Object Lock ensures tamper-proof evidence preservation
- Splunk forwarding enables real-time correlation and timeline reconstruction
- Anomaly detection identifies incidents requiring response

M3.4 adds the **response automation layer** that transforms detection into documented, compliant action.

---

**What to Expect:**

- **Duration:** 4-5 hours (PractaThon + Conceptual)
- **Complexity:** Production-grade compliance automation (beyond MVP/hobby projects)
- **Key Deliverables:**
  - Incident classification system with severity matrix
  - 6-phase response workflow automation
  - GDPR/DPDPA notification templates with programmatic data population
  - Remediation tracking dashboard
  - Post-mortem report generator

---

**Career Positioning:**

Completing M3.4 positions you for **₹18-28 lakh GCC Compliance Engineer or Security Operations Engineer roles** by demonstrating end-to-end compliance infrastructure ownership, not isolated happy-path scenarios.

**Production Differentiator:**
> "Hobby projects detect incidents and panic. Production systems detect incidents and execute documented response workflows automatically."

---

**If You're Not Ready:**

- Review M3.3 materials (especially audit logging and SIEM integration)
- Complete failed checks above
- Ensure audit infrastructure is operational
- Reach out for support: support@techvoyagehub.com

---

**Next Steps:**

1. ✅ Ensure ALL 5 checks passed (✓)
2. → Proceed to **M3.4: Incident Response & Breach Notification**
3. 📌 Reference this bridge if stuck during M3.4