Solved: Data Masking

anandhalagaras1 · ‎11-02-2023

Kindly help on how to mask the password present in the field "securityToken" in the IIS logs. Sample event for reference.

2023-11-02 06:53:00 xx.xxx.xxx.xx GET /Security/Security/Logon 123 - xx.xxx.x.xxx Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.198+Safari/537.36 https://abc.xyz.bcd.com/security/security/ChangePasswordWithQuestions?userName=xyz@abc.com&securityToken=xxxxxxxx 200 0 0 14

2023-11-02 06:52:25 xx.xxx.xxx.xx GET / 111 - xx.xxx.x.xxx Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+HeadlessChrome/117.0.5938.88+Safari/537.36 https://abc.xyz.bnm.com/security/security/ChangePasswordWithQuestions?userName=xyz@abc.com&securityToken=xxxxxxxx 302 0 0 0

We are in Splunk Cloud and can we able to mask the password in GUI itself or should i need to move the output of the client machines to the HF server and then place the props and transforms to mask the password.

Kindly help to check and update on the same.

gcusello · ‎11-02-2023

Hi @anandhalagaras1,

you have two solutions:

SEDCMD in props.conf (https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata?_gl=1*mf7xvx*_ga*MTY1NjIzMDM3...)

[your_sourcetype]
SEDCMD-mask = s/securityToken=[^ ]*/securityToken=********/g

or using props.conf and transforms.conf /https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata?_gl=1*mf7xvx*_ga*MTY1NjIzMDM3... )

in props.conf

[your_sourcetype]
TRANSFORMS-anonymize = anonymizer

in transforms.conf

[anonymizer]
REGEX = securityToken=([^ ]*)
FORMAT = securityToken=(*****)
DEST_KEY = _raw

I prefer the first solution.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎11-02-2023

Hi @anandhalagaras1,

you have two solutions:

SEDCMD in props.conf (https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata?_gl=1*mf7xvx*_ga*MTY1NjIzMDM3...)

[your_sourcetype]
SEDCMD-mask = s/securityToken=[^ ]*/securityToken=********/g

or using props.conf and transforms.conf /https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata?_gl=1*mf7xvx*_ga*MTY1NjIzMDM3... )

in props.conf

[your_sourcetype]
TRANSFORMS-anonymize = anonymizer

in transforms.conf

[anonymizer]
REGEX = securityToken=([^ ]*)
FORMAT = securityToken=(*****)
DEST_KEY = _raw

I prefer the first solution.

Ciao.

Giuseppe

anandhalagaras1 · ‎11-03-2023

@gcusello

I have tried the first solution but it didn't masked the value. I have forwarded the UF logs to the HF server and then to indexers.

And I have tried with the sourcetype as well as with source but it didn't worked.

Props.conf:

sourcetype:
[abc]
SEDCMD-mask = s/securityToken=[^ ]*/securityToken=********/g

source:
[source::C:\\abc\\def\\xyz\\*\\*.log]
SEDCMD-mask = s/securityToken=[^ ]*/securityToken=********/g

gcusello · ‎11-03-2023

Hi @anandhalagaras1 ,

as @isoutamo said, You have to put these conf files on Indexers or (if present) on Heavy Forwarders.

Ciao.

Giuseppe

isoutamo · ‎11-03-2023

Have you put those configurations to HF? As it's the 1st full splunk instance, it will do those actions not indexer.

anandhalagaras1 · ‎11-03-2023

@isoutamo yes i have placed the props in HF.

So i tried with source format as well and that too didnt worked.

So is the source format is correct?

Can we do masking based on host in props? If yes kindly let me know.

isoutamo · ‎11-03-2023

You can do it also based on source, but you must remember precedence!

[<spec>]
* This stanza enables properties for a given <spec>.
* A props.conf file can contain multiple stanzas for any number of
  different <spec>.
* Follow this stanza name with any number of the following setting/value
  pairs, as appropriate for what you want to do.
* If you do not set a setting for a given <spec>, the default is used.

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an
                 event.
3. source::<source>, where <source> is the source, or source-matching
                     pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type
                     classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed
                            source type classification rule.
                            These are only considered as a last resort
                            before generating a new source type based on the
                            source seen.

**[<spec>] stanza precedence:**

For settings that are specified in multiple categories of matching [<spec>]
stanzas, [host::<host>] settings override [<sourcetype>] settings.
Additionally, [source::<source>] settings override both [host::<host>]
and [<sourcetype>] settings.

And of course restart is needed after changing those.

Also "splunk btool props list --debug" is excellent tool to check that you have correct configuration in use.

isoutamo · ‎11-02-2023

Hi
With recent Splunk versions there are also Ingest Actions and if you have any Splunk Cloud instance then you could use Splunk Edge Processor as a one excellent option.
r. Ismo

Data Masking

encryption

other

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio