Getting Data In

Partial obfuscation in Splunk Cloud

Flobzh
Engager

Hello experts,

I'm trying to obfuscate the UserName and ComputerName from my events before indexation, while keeping the possibility of using the data to group from a common source.

Configuration: data are pushed by a UniversalForwarder (no transform options) to a SplunkCloud instance (limited setup).

Example:

I have this:

time1|UserName=user1|ComputerName=FR1234|EventStart
time2|UserName=user1|ComputerName=FR1234|EventEnd
time3|UserName=user2|ComputerName=US4321|EventStart
time4|UserName=user2|ComputerName=US4321|EventEnd
time5|UserName=user1|ComputerName=US4321|EventStart
time6|UserName=user1|ComputerName=US4321|EventEnd

And want something like this:

time1|UserName=#####|ComputerName=FR#|GeneratedSessionID=eifiweuh|EventStart
time2|UserName=#####|ComputerName=FR#|GeneratedSessionID=eifiweuh|EventEnd
time3|UserName=#####|ComputerName=US#|GeneratedSessionID=fwefwe|EventStart
time4|UserName=#####|ComputerName=US#|GeneratedSessionID=fwefwe|EventEnd
time5|UserName=#####|ComputerName=US#|GeneratedSessionID=hkukuyy|EventStart
time6|UserName=#####|ComputerName=US#|GeneratedSessionID=hkukuyy|EventEnd

Where GeneratedSessionID=function(user1,FR1234,encryptKey) or something similar. Meaning that the same couple computer+user will always create the same GeneratedSessionID

I'm looking at adding a SECCMD setting on the Advanced tab of my SourceType. I see how to anonymize the UserName and ComputerName, but not how to add a new field based on the others. 

Flobzh_0-1623853581312.png

Any advise in that direction would be welcome, or any solution that will match with the restriction of my configuration.

Thanks in advance

Florent

Tags (1)
0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.