topic Scanning Splunk data for secret leaking? in Security https://community.splunk.com/t5/Security/Scanning-Splunk-data-for-secret-leaking/m-p/633530#M16613 <P>Dear Community,</P><P>We know that there are several options to mask sensitive data before/during ingestion. But generally, how do you scan your data to check if there is any already existing leakage of secrets/tokens/password? I've googled and searched community, but I did not find anything. I thought there is a Splunk app or Splunk ES has a built-in feature to do this, like a professional, fast, effective alert or an AI/ML assisted one.</P><P>What I've done so far for a few indexes:</P><P>&nbsp;</P><LI-CODE lang="markup">index={INDEXNAME} | stats values(*) AS * | transpose | table column | rename column AS Fieldnames | search Fieldnames=*secret* OR Fieldnames=*password*</LI-CODE><P>&nbsp;</P><P>(with last 15 minutes search interval)</P><P>Is there any better solution out? Or do you have better idea to handle this? How are others doing this?&nbsp;</P><P>We have a Splunk Cloud Platform, but I think it would be the same for Enterprise as well.</P><P>Thank you very much!</P><P>Regards,</P><P>DG</P><P>&nbsp;</P> Tue, 07 Mar 2023 08:46:57 GMT DG 2023-03-07T08:46:57Z Scanning Splunk data for secret leaking? https://community.splunk.com/t5/Security/Scanning-Splunk-data-for-secret-leaking/m-p/633530#M16613 <P>Dear Community,</P><P>We know that there are several options to mask sensitive data before/during ingestion. But generally, how do you scan your data to check if there is any already existing leakage of secrets/tokens/password? I've googled and searched community, but I did not find anything. I thought there is a Splunk app or Splunk ES has a built-in feature to do this, like a professional, fast, effective alert or an AI/ML assisted one.</P><P>What I've done so far for a few indexes:</P><P>&nbsp;</P><LI-CODE lang="markup">index={INDEXNAME} | stats values(*) AS * | transpose | table column | rename column AS Fieldnames | search Fieldnames=*secret* OR Fieldnames=*password*</LI-CODE><P>&nbsp;</P><P>(with last 15 minutes search interval)</P><P>Is there any better solution out? Or do you have better idea to handle this? How are others doing this?&nbsp;</P><P>We have a Splunk Cloud Platform, but I think it would be the same for Enterprise as well.</P><P>Thank you very much!</P><P>Regards,</P><P>DG</P><P>&nbsp;</P> Tue, 07 Mar 2023 08:46:57 GMT https://community.splunk.com/t5/Security/Scanning-Splunk-data-for-secret-leaking/m-p/633530#M16613 DG 2023-03-07T08:46:57Z