Hi 🙂
We use the Splunk Cloud which gets logs from two HFs, which get logs from many UFs.
A few of those UFs live on our Domain Controllers, which interact to some extent with the LDAP API and get notifications every time an AD object changes (https://www.splunk.com/en_us/blog/tips-and-tricks/working-with-active-directory-on-splunk-universal-...).
What now happens is, every time LAPS changes the passwords, the Computer object gets updated, the UF gets ahold of those passwords and we can see them in plaintext in Splunk Cloud.
After discovering this, I added this to props.conf (Splunk\etc\system\local) on the HF and restarted the HF:
[ActiveDirectory]
SEDCMD-pwdmask = s/(ms\-Mcs\-AdmPwd\=).+/########/g
And since this hasn't worked, I tried this:
[ActiveDirectory]
SEDCMD-anonymiseLaps = 's/ms-Mcs-AdmPwd\=.*/ms-Mcs-AdmPwd=####!!!!!#####/g'
(Source: https://www.databl.io/anonymise-your-clear-text-laps-passwords-in-splunk/ - this describes the problem pretty well.)
...which hasn't worked either.
We still see those passwords.
Has anybody encountered similar problems and/or has hints or possible solutions?
Thanks in advance.
Did you solve the problem?
[ActiveDirectory]
SEDCMD-anonymisePWD = s/ms-Mcs-AdmPwd=.*/ms-Mcs-AdmPwd=<redacted>/g
Observed the same in our env. The above SEDCMD works for us.
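To see what the two unquoted SEDCMD rules from this thread actually do to an AD change event before it is indexed, here is an added example that is not code from any poster or from Splunk: it replays the first rule (SEDCMD-pwdmask) and the last reply's rule (SEDCMD-anonymisePWD) with Python's re module standing in for Splunk's PCRE-based SEDCMD engine, against a constructed event with made-up attribute values, and then checks that no LAPS password value survives while the neighbouring ms-Mcs-AdmPwdExpirationTime attribute is left intact.

```python
import re

# Constructed sample of an Active Directory change event as a UF might forward
# it: one "attribute=value" pair per line. The LAPS password is made up.
SAMPLE_EVENT = """objectCategory=CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=local
dNSHostName=ws01.example.local
ms-Mcs-AdmPwd=Tr0ub4dor&3-example
ms-Mcs-AdmPwdExpirationTime=133000000000000000
whenChanged=2024-01-15 10:32:11"""

# The two unquoted rules from the thread, translated from Splunk's
# "s/regex/replacement/flags" SEDCMD syntax into (pattern, replacement).
RULES = {
    # First attempt: the capture group is never referenced, so the whole
    # "ms-Mcs-AdmPwd=<value>" text, attribute name included, becomes "########".
    "pwdmask": (r"(ms\-Mcs\-AdmPwd\=).+", "########"),
    # Rule from the last reply: keeps the attribute name, replaces the value.
    "anonymisePWD": (r"ms-Mcs-AdmPwd=.*", "ms-Mcs-AdmPwd=<redacted>"),
}


def apply_sedcmd(event: str, pattern: str, replacement: str) -> str:
    """Apply one SEDCMD-style substitution with the 'g' (global) flag.

    As in sed/PCRE, '.' does not match a newline, so '.*' stops at the end of
    the ms-Mcs-AdmPwd line and the attributes on the following lines survive.
    """
    return re.sub(pattern, replacement, event)


def mask_event(event: str, rule_name: str) -> str:
    """Run the named rule from RULES over the event."""
    pattern, replacement = RULES[rule_name]
    return apply_sedcmd(event, pattern, replacement)


def laps_password_leaked(event: str) -> bool:
    """Return True if an ms-Mcs-AdmPwd line still carries a value that is not a
    recognisable mask. ms-Mcs-AdmPwdExpirationTime is a different attribute and
    must not be flagged; the anchored 'ms-Mcs-AdmPwd=' prefix excludes it."""
    for line in event.splitlines():
        m = re.match(r"ms-Mcs-AdmPwd=(.*)$", line)
        if m and not re.fullmatch(r"<redacted>|#+", m.group(1)):
            return True
    return False


def expiration_time_intact(event: str) -> bool:
    """Check that masking did not clobber the expiration-time attribute."""
    return "ms-Mcs-AdmPwdExpirationTime=133000000000000000" in event


if __name__ == "__main__":
    print("raw event leaks LAPS password:", laps_password_leaked(SAMPLE_EVENT))
    for name in RULES:
        masked = mask_event(SAMPLE_EVENT, name)
        print(f"--- after {name} ---")
        print(masked)
        print("leaks:", laps_password_leaked(masked),
              "| expiration intact:", expiration_time_intact(masked))
```

Both rules remove the password value; the difference is that pwdmask also erases the attribute name, which makes the masked event harder to search for later (you can no longer find events by the field), whereas anonymisePWD keeps the field name and a fixed marker. Whichever rule is used, it must be configured on the first full Splunk instance that parses the data (the HF in this setup), and the leaked-value check above is the kind of search you would run against the index afterwards to confirm nothing slipped through.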