Getting Data In

Anonymize clear text credentials in Powershell logs using SEDCMD

geoffmx
Explorer

I am attempting to anonymize clear-text credentials passed via PowerShell, referring to the Splunk documentation on Anonymize_data_with_a_sed_script.

In the inputs.conf I have...
sourcetype = WinEventLog:Microsoft-Windows-PowerShell/Operational

In props.conf I have...

[WinEventLog:Microsoft-Windows-PowerShell/Operational]
SEDCMD-ps_logs_mask_cred = s/-ScriptBlock*/xxxxxx/g

I have attempted to mask just the password and the credential, but could not get it to work. I am able to do this partially via sed or perl on a linux command line, but have not been able to replicate on splunk.

Sample data

Invoke-Command -computername somePC -ScriptBlock {get-something -password 'som3_verY-Long_Pa$$w0rd'} -Credential somedomain\someuser

Expected output (masking the entire ScriptBlock)

Invoke-Command -computername somePC xxxxxx

Or more appropriately, masking only the password and Credential

Invoke-Command -computername somePC -ScriptBlock {get-something -password 'xxxxxx'} -Credential xxxxxx

Any help will be much appreciated!

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi geoffmx,
with SEDCMD you replace the regex you have in the first part with the one in the second part, so try something like this in props.conf:

SEDCMD-ps_logs_mask_cred = s/-ScriptBlock\s.*/xxxxxx/g

Bye.
Giuseppe

0 Karma

geoffmx
Explorer

Thanks gcusello! This helps with masking everything after -ScriptBlock. I am also attempting to mask the text just after -password and -Credential.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi geoffmx,
you have to work in the same way:

SEDCMD-ps_logs_mask_cred = s/-password\s+.*\s+-Credential\s+.*/-password xxxxxx -Credential xxxxxx/g

Bye.
Giuseppe

0 Karma

geoffmx
Explorer

Thanks again!

I finally got it to work with this.

SEDCMD-ps_logs_mask_cred = s/-password\s[[:alnum:][:punct:]]*/-password xxxxx/g s/-Credential\s[[:alnum:][:punct:]]*/-Credential xxxxx/g

I like your method too. Thanks again for pointing me in the right direction.

0 Karma
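Added example, not part of the original thread: a sed -E dry run for the kind of expressions discussed above, so a masking rule can be checked against sample events before it goes into props.conf. Splunk's SEDCMD takes s/regex/replacement/flags with a PCRE-style regex; the expressions below stick to syntax that both PCRE and POSIX ERE accept (POSIX character classes instead of \s, a \1 backreference in the replacement) so the same strings can be pasted into props.conf unchanged, one per SEDCMD-<class> key. That Splunk produces the same output as sed for them is an assumption, not something verified here. Unlike the [[:punct:]]* pattern, these keep the closing brace after a masked password and handle a double-quoted password containing a space. Both sample events are constructed (the first copies the question's sample; the Invoke-Sqlcmd line is hypothetical).

```sh
#!/bin/sh
# Dry-run harness for SEDCMD-style masking rules (added example, not from
# the original thread). sed -E (GNU or BSD) runs the same s/// expressions
# that would go into props.conf as SEDCMD-<class> entries.

# Option 1 from the thread: mask everything from -ScriptBlock to end of event.
MASK_SCRIPTBLOCK='s/-ScriptBlock[[:space:]].*/xxxxxx/'

# Option 2: mask only the secret. Group 1 keeps the parameter name and the
# whitespace after it; the value is a single-quoted, double-quoted, or bare
# token. Quoted alternatives come first so a quoted value containing spaces
# is masked as a whole, and a closing brace after the value is preserved.
MASK_PASSWORD="s/(-[Pp]assword[[:space:]]+)('[^']*'|\"[^\"]*\"|[^[:space:]}]+)/\\1xxxxxx/g"

# -Credential is followed by a domain\user string (or a variable/expression
# without spaces); mask the whole token.
MASK_CRED='s/(-[Cc]redential[[:space:]]+)[^[:space:]]+/\1xxxxxx/g'

# mask_event RAW -> prints RAW with -password and -Credential values masked.
mask_event() {
    printf '%s\n' "$1" | sed -E -e "$MASK_PASSWORD" -e "$MASK_CRED"
}

# mask_scriptblock RAW -> prints RAW with the whole -ScriptBlock argument masked.
mask_scriptblock() {
    printf '%s\n' "$1" | sed -E -e "$MASK_SCRIPTBLOCK"
}

# Constructed sample events: SAMPLE_1 is the question's sample line,
# SAMPLE_2 a hypothetical Invoke-Sqlcmd call with a double-quoted password.
SAMPLE_1="Invoke-Command -computername somePC -ScriptBlock {get-something -password 'som3_verY-Long_Pa\$\$w0rd'} -Credential somedomain\\someuser"
SAMPLE_2='Invoke-Sqlcmd -ServerInstance db01 -Username sa -Password "p@ss word!" -Query "SELECT 1"'

# Run stand-alone to see the masked output for each variant.
mask_scriptblock "$SAMPLE_1"
mask_event "$SAMPLE_1"
mask_event "$SAMPLE_2"
```

Matching is still by parameter name, so a value passed through another parameter (for example -NewPassword, or a plain-text string fed to ConvertTo-SecureString -AsPlainText) needs its own rule; this is the positional, per-parameter approach the rest of the thread is working with, and a sed dry run of this kind is the cheapest way to catch a regex that eats surrounding tokens before it reaches an indexer.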

dstaulcu
Builder

Gotta love positional based strategies for masking passwords. We have something like 200 masking rules which process against every event for sourcetypes where passwords are probable. Next strat is user education. Hopefully Stream processor will give more logic control for sensitive data masking.

0 Karma