Security

Data Masking

anandhalagaras1
Contributor

Kindly help on how to mask the password present in the field "securityToken"  in the IIS logs. Sample event for reference. 

2023-11-02 06:53:00 xx.xxx.xxx.xx GET /Security/Security/Logon 123 - xx.xxx.x.xxx Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.198+Safari/537.36 https://abc.xyz.bcd.com/security/security/ChangePasswordWithQuestions?userName=xyz@abc.com&securityToken=xxxxxxxx  200 0 0 14

2023-11-02 06:52:25 xx.xxx.xxx.xx GET / 111 - xx.xxx.x.xxx Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+HeadlessChrome/117.0.5938.88+Safari/537.36 https://abc.xyz.bnm.com/security/security/ChangePasswordWithQuestions?userName=xyz@abc.com&securityToken=xxxxxxxx  302 0 0 0

We are in Splunk Cloud and can we able to mask the password in GUI itself or should i need to move the output  of the client machines to the HF server and then place the props and transforms to mask the password.

 

Kindly help to check and update on the same.

Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @anandhalagaras1,

you have two solutions:

SEDCMD in props.conf (https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata?_gl=1*mf7xvx*_ga*MTY1NjIzMDM3...)

[your_sourcetype]
SEDCMD-mask = s/securityToken=[^ ]*/securityToken=********/g

or using props.conf and transforms.conf /https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata?_gl=1*mf7xvx*_ga*MTY1NjIzMDM3... )

in props.conf

[your_sourcetype]
TRANSFORMS-anonymize = anonymizer

in transforms.conf

[anonymizer]
REGEX = securityToken=([^ ]*)
FORMAT = securityToken=(*****)
DEST_KEY = _raw

I prefer the first solution.

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @anandhalagaras1,

you have two solutions:

SEDCMD in props.conf (https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata?_gl=1*mf7xvx*_ga*MTY1NjIzMDM3...)

[your_sourcetype]
SEDCMD-mask = s/securityToken=[^ ]*/securityToken=********/g

or using props.conf and transforms.conf /https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata?_gl=1*mf7xvx*_ga*MTY1NjIzMDM3... )

in props.conf

[your_sourcetype]
TRANSFORMS-anonymize = anonymizer

in transforms.conf

[anonymizer]
REGEX = securityToken=([^ ]*)
FORMAT = securityToken=(*****)
DEST_KEY = _raw

I prefer the first solution.

Ciao.

Giuseppe

anandhalagaras1
Contributor

@gcusello 

I have tried the first solution but it didn't masked the value. I have forwarded the UF logs to the HF server and then to indexers.

And I have tried with the sourcetype as well as with source but it didn't worked.

 

Props.conf:

sourcetype:
[abc]
SEDCMD-mask = s/securityToken=[^ ]*/securityToken=********/g

source:
[source::C:\\abc\\def\\xyz\\*\\*.log]
SEDCMD-mask = s/securityToken=[^ ]*/securityToken=********/g

 

 

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @anandhalagaras1 ,

as @isoutamo said, You have to put these conf files on Indexers or (if present) on Heavy Forwarders.

Ciao.

Giuseppe

0 Karma

isoutamo
SplunkTrust
SplunkTrust
Have you put those configurations to HF? As it's the 1st full splunk instance, it will do those actions not indexer.
0 Karma

anandhalagaras1
Contributor

@isoutamo yes i have placed the props in HF.

So i tried with source format as well and that too didnt worked.

So is the source format is correct?

Can we do masking based on host in props? If yes kindly let me know.

 

 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

You can do it also based on source, but you must remember precedence!

[<spec>]
* This stanza enables properties for a given <spec>.
* A props.conf file can contain multiple stanzas for any number of
  different <spec>.
* Follow this stanza name with any number of the following setting/value
  pairs, as appropriate for what you want to do.
* If you do not set a setting for a given <spec>, the default is used.

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an
                 event.
3. source::<source>, where <source> is the source, or source-matching
                     pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type
                     classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed
                            source type classification rule.
                            These are only considered as a last resort
                            before generating a new source type based on the
                            source seen.

**[<spec>] stanza precedence:**

For settings that are specified in multiple categories of matching [<spec>]
stanzas, [host::<host>] settings override [<sourcetype>] settings.
Additionally, [source::<source>] settings override both [host::<host>]
and [<sourcetype>] settings. 

 And of course restart is needed after changing those. 

Also "splunk btool props list --debug" is excellent tool to check that you have correct configuration in use.

0 Karma

isoutamo
SplunkTrust
SplunkTrust
Hi
With recent Splunk versions there are also Ingest Actions and if you have any Splunk Cloud instance then you could use Splunk Edge Processor as a one excellent option.
r. Ismo
0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...