topic Re: How to mask the indexed data in Splunk cloud? in Getting Data In

How to mask the indexed data in Splunk cloud?

sathiyasun — Tue, 23 May 2023 04:37:33 GMT

There are few events already indexed the sensitive info in Splunk SaaS cloud. how to mask those sensitive data in the events. or events delete option to restrict user not to view those events. Please advise.

Splunk SaaS cloud.

Example event:
{"@timestamp":"2023-05-14T15:32:07.449Z", "log.level": "Msg", "labels.message":"system Authenticate customer :dda9c1ad-2df1-ehetiokhnergiwre453644836-sgnreg346893 PAN1 123456789 request AuthVerificationRequest(authRequest=null, accountNumber=null, pan=123456789, pin=0987654321pcw/5, txnsubtypcde=Full_pan_Lookup)" , "ecs.version": "1.2.0","process.thread.name":"http-nio-8080-exec-150","log.logger":"com","labels.appId":"IVR-BEE","labels.appVersion":"1","labels.channelId":"ACIVR","labels.correlationId":"ujb6678879-2df1-4a32-83e5-4198dbcfe913","labels.flow-id":"AUTH-PIN","labels.interactionId":"5646540-8a2c-4893kr-58434","labels.tenantId":"lll","labels.url":"/digital-auth/engineering/authenticateuser/v1/auth"}

Re: How to mask the indexed data in Splunk cloud?

isoutamo — Sat, 27 May 2023 13:58:57 GMT

if the event is written on bucket then users could always see it somehow if they have access to this index. At least I didn't know any way how to avoid this. There are some ways to do this little bit harder but now way to make it impossible.

So your only ways to disable users see it is restrict access to this index or "delete" those from index.

For deleting it you need can_delete capability added to your account. I propose that you add it just temporary and remove it as soon as you have deleted those from index. BUT remember that even delete command cannot remove events from bucket/disk, it just mark those so that searches didn't shows those.

How to delete? Just create search which found only those event which has sensitive content and when you are happy with it then pipe it to delete command like

index=<your indexes> <your search which founds only those events which you want to remove> | delete

r. Ismo

Re: How to mask the indexed data in Splunk cloud?

PickleRick — Sun, 28 May 2023 09:56:35 GMT

From the security point of view - probably the only acceptable solution would be to drop the index altogether and re-ingest the data from scratch - this time properly with sensitive data masked/removed. That of course costs your license usage.

You could try to fiddle with masking and collecting to another index but again - collect with a sourcetype other than stash incurs license usage.

As @isoutamo already pointed out, the delete command marks the events as unsearchable but they are still contained within the buckets so they might be readable by examining raw buckets content which is probably not OK by your compliance dept.

Any form of search-time manipulation within splunk itself is indeed bypassable relatively easy and it can be seen only as a way to hide some event parts for making work with some parts of data more convenient but not as a security control (at least not an effective one).