Security

How to encrypt or mask log data, then restrict a group of users from seeing events from that masked data?

Tejkumar451
Explorer

Hi guys,
I have some data which needs to be encrypted like xxxxx6789 for SSN instead of 123456789. And I will give access to this data for two groups, A & B.
When group A users log in and search for the SSN 123456789, they shouldn't be seeing any events.
But when group B users log in and search for the SSN 123456789, they should be seeing all those events which have the SSN as 123456789.

In short, there should be some mechanism where, for the group B users, the SSN in the search should get encrypted/masked and the search should look for those events and return them.

Can this be achieved using Splunk?

Thanks in advance

0 Karma

richgalloway
SplunkTrust

What you describe is not encryption, but masking. There are some resources available that describe how to mask data at index time. See http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Anonymizedata for starters.
You could create a custom command that would take an SSN as input and return the masked version for use in a search. That, however, would not prevent someone from Group A who figured out the masking scheme from entering a masked SSN manually and searching for it. I'm not aware of anything in Splunk that will do that.

---
If this reply helps you, Karma would be appreciated.
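
The limitation described in the reply above, as an added example that is not part of the original posts: plain Python standing in for index-time masking and for the masking logic a custom search command would run. The function names, the regex and the sample events are constructed for illustration and are not Splunk APIs.

```python
import re

# A run of exactly nine digits (assumed SSN format for this example).
SSN_RE = re.compile(r"(?<!\d)\d{5}(\d{4})(?!\d)")

def mask_ssn(value: str) -> str:
    """Replace the first five digits of every 9-digit SSN with 'x'."""
    return SSN_RE.sub(r"xxxxx\1", value)

def mask_events(raw_events):
    """What index-time masking leaves in the index: only the masked form."""
    return [mask_ssn(e) for e in raw_events]

def search(indexed_events, term, mask_term=False):
    """Literal substring search over indexed events.

    mask_term=True models Group B's helper command, which masks the
    SSN in the search term before the search runs.
    """
    if mask_term:
        term = mask_ssn(term)
    return [e for e in indexed_events if term in e]

# Constructed sample events; the SSNs are made up.
RAW = [
    "2017-03-01 user=alice ssn=123456789 action=login",
    "2017-03-01 user=bob ssn=987656789 action=update",
    "2017-03-02 user=carol ssn=555001234 action=login",
]
INDEXED = mask_events(RAW)

if __name__ == "__main__":
    # Group B: full SSN, masked by the helper before searching.
    print("B, helper     :", search(INDEXED, "123456789", mask_term=True))
    # Group A: full SSN without the helper finds nothing.
    print("A, full SSN   :", search(INDEXED, "123456789"))
    # Group A: typing the masked form gives the same result as Group B.
    print("A, masked form:", search(INDEXED, "xxxxx6789"))
```

The Group B search also returns bob's event, because every SSN ending in 6789 masks to the same string; the mask separates neither the two groups nor the two SSNs.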