topic Re: Data Masking in Security

Data Masking

anandhalagaras1 — Thu, 02 Nov 2023 11:16:17 GMT

Kindly help on how to mask the password present in the field "securityToken" in the IIS logs. Sample event for reference.

2023-11-02 06:53:00 xx.xxx.xxx.xx GET /Security/Security/Logon 123 - xx.xxx.x.xxx Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.198+Safari/537.36 https://abc.xyz.bcd.com/security/security/ChangePasswordWithQuestions?userName=xyz@abc.com&securityToken=xxxxxxxx 200 0 0 14

2023-11-02 06:52:25 xx.xxx.xxx.xx GET / 111 - xx.xxx.x.xxx Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+HeadlessChrome/117.0.5938.88+Safari/537.36 https://abc.xyz.bnm.com/security/security/ChangePasswordWithQuestions?userName=xyz@abc.com&securityToken=xxxxxxxx 302 0 0 0

We are in Splunk Cloud and can we able to mask the password in GUI itself or should i need to move the output of the client machines to the HF server and then place the props and transforms to mask the password.

Kindly help to check and update on the same.

Re: Data Masking

gcusello — Thu, 02 Nov 2023 11:27:52 GMT

Hi @anandhalagaras1,

you have two solutions:

SEDCMD in props.conf (https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata?_gl=1*mf7xvx*_ga*MTY1NjIzMDM3OC4xNjk3MjA1MzU0*_ga_GS7YF8S63Y*MTY5ODkyMDExMS40OTMuMS4xNjk4OTI0MDg4LjYwLjAuMA..*_ga_5EPM2P39FV*MTY5ODkyMDA2Ni42MDcuMS4xNjk4OTI0MjIxLjAuMC4w&_ga=2.60123688.468842275.1697205354-1656230378.1697205354&_gac=1.124697080.1697439287.Cj0KCQjwm66pBhDQARIsALIR2zDDpMo42f4nQY5ylRFnUfEyW_h0bbBBKVDgM2rBU1cuYdYxGqfUTWkaAjkxEALw_wcB#Anonymize_data_with_a_sed_script)

[your_sourcetype] SEDCMD-mask = s/securityToken=[^ ]*/securityToken=********/g

or using props.conf and transforms.conf /https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata?_gl=1*mf7xvx*_ga*MTY1NjIzMDM3OC4xNjk3MjA1MzU0*_ga_GS7YF8S63Y*MTY5ODkyMDExMS40OTMuMS4xNjk4OTI0MDg4LjYwLjAuMA..*_ga_5EPM2P39FV*MTY5ODkyMDA2Ni42MDcuMS4xNjk4OTI0MjIxLjAuMC4w&_ga=2.60123688.468842275.1697205354-1656230378.1697205354&_gac=1.124697080.1697439287.Cj0KCQjwm66pBhDQARIsALIR2zDDpMo42f4nQY5ylRFnUfEyW_h0bbBBKVDgM2rBU1cuYdYxGqfUTWkaAjkxEALw_wcB#Configure_the_transforms.conf_file )

in props.conf

[your_sourcetype] TRANSFORMS-anonymize = anonymizer

in transforms.conf

[anonymizer] REGEX = securityToken=([^ ]*) FORMAT = securityToken=(*****) DEST_KEY = _raw

I prefer the first solution.

Ciao.

Giuseppe

Re: Data Masking

isoutamo — Thu, 02 Nov 2023 11:51:28 GMT

Hi
With recent Splunk versions there are also Ingest Actions and if you have any Splunk Cloud instance then you could use Splunk Edge Processor as a one excellent option.
r. Ismo

Re: Data Masking

anandhalagaras1 — Fri, 03 Nov 2023 12:29:56 GMT

@gcusello

I have tried the first solution but it didn't masked the value. I have forwarded the UF logs to the HF server and then to indexers.

And I have tried with the sourcetype as well as with source but it didn't worked.

Props.conf:

sourcetype:
[abc]
SEDCMD-mask = s/securityToken=[^ ]*/securityToken=********/g

source:
[source::C:\\abc\\def\\xyz\\*\\*.log]
SEDCMD-mask = s/securityToken=[^ ]*/securityToken=********/g

Re: Data Masking

isoutamo — Fri, 03 Nov 2023 12:36:53 GMT

Have you put those configurations to HF? As it's the 1st full splunk instance, it will do those actions not indexer.

Re: Data Masking

anandhalagaras1 — Fri, 03 Nov 2023 12:56:55 GMT

@isoutamo yes i have placed the props in HF.

So i tried with source format as well and that too didnt worked.

So is the source format is correct?

Can we do masking based on host in props? If yes kindly let me know.

Re: Data Masking

gcusello — Fri, 03 Nov 2023 13:02:31 GMT

Hi @anandhalagaras1 ,

as @isoutamo said, You have to put these conf files on Indexers or (if present) on Heavy Forwarders.

Ciao.

Giuseppe

Re: Data Masking

isoutamo — Fri, 03 Nov 2023 13:29:24 GMT

You can do it also based on source, but you must remember precedence!

[<spec>]
* This stanza enables properties for a given <spec>.
* A props.conf file can contain multiple stanzas for any number of
  different <spec>.
* Follow this stanza name with any number of the following setting/value
  pairs, as appropriate for what you want to do.
* If you do not set a setting for a given <spec>, the default is used.

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an
                 event.
3. source::<source>, where <source> is the source, or source-matching
                     pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type
                     classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed
                            source type classification rule.
                            These are only considered as a last resort
                            before generating a new source type based on the
                            source seen.

**[<spec>] stanza precedence:**

For settings that are specified in multiple categories of matching [<spec>]
stanzas, [host::<host>] settings override [<sourcetype>] settings.
Additionally, [source::<source>] settings override both [host::<host>]
and [<sourcetype>] settings.

And of course restart is needed after changing those.

Also "splunk btool props list --debug" is excellent tool to check that you have correct configuration in use.