Security

How to encrypt or mask log data, then restrict a group of users from seeing events from that masked data?

Tejkumar451
Explorer

Hi guys,
I have some data which needs to be encrypted, like xxxxx6789 for an SSN instead of 123456789. And I will give access to this data to two groups, A & B.
When group A users log in and search for the SSN 123456789, they shouldn't be seeing any events.
But when group B users log in and search for the SSN 123456789, they should be seeing all those events which have the SSN as 123456789.

In short, there should be some mechanism where, for the group B users, the SSN in the search gets encrypted/masked, searches for those events and returns them.

Can this be achieved using Splunk?

Thanks in advance

0 Karma

richgalloway
SplunkTrust

What you describe is not encryption, but masking. There are some resources available that describe how to mask data at index time. See http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Anonymizedata for starters.
You could create a custom command that would take an SSN as input and return the masked version for use in a search. That, however, would not prevent someone from Group A who figured out the masking scheme from entering a masked SSN manually and searching for it. I'm not aware of anything in Splunk that will do that.

---
If this reply helps you, Karma would be appreciated.
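
The masking scheme and the custom-command idea from this thread, as an added example that is not part of either post and is not Splunk code. It is plain Python over constructed events; the function names, the dash-free nine-digit SSN format and the substring `search` stand-in are assumptions.

```python
import re

# Assumption: an SSN is exactly nine digits, no dashes, not part of a longer number.
SSN_RE = re.compile(r"(?<!\d)\d{5}(\d{4})(?!\d)")


def mask_ssns(text):
    """Index-time masking: replace the first five digits of each SSN (xxxxx6789)."""
    return SSN_RE.sub(lambda m: "xxxxx" + m.group(1), text)


def to_masked_term(term):
    """Hypothetical custom-command logic: convert a typed SSN to its masked form.
    Anything that is not a bare nine-digit SSN is returned unchanged."""
    return mask_ssns(term) if SSN_RE.fullmatch(term) else term


def search(index, term):
    """Stand-in for a search: events that contain the literal term."""
    return [event for event in index if term in event]


# Constructed sample events; only the masked form is stored.
RAW_EVENTS = [
    "2017-03-01 10:00:01 user=alice action=lookup ssn=123456789",
    "2017-03-01 10:00:05 user=bob action=update ssn=987656789",
    "2017-03-01 10:00:09 user=carol action=lookup ssn=555551234 order=20170301000042",
]
INDEX = [mask_ssns(event) for event in RAW_EVENTS]

if __name__ == "__main__":
    # A raw SSN typed into the search bar matches nothing in the masked index.
    print("raw term:      ", search(INDEX, "123456789"))
    # The command rewrites the term first, so the masked events are found.
    via_command = search(INDEX, to_masked_term("123456789"))
    print("via command:   ", via_command)
    # The caveat from the reply: the masked string typed by hand gives the same
    # result, so the command by itself does not separate group A from group B.
    print("typed by hand: ", search(INDEX, "xxxxx6789") == via_command)
    # Keeping only the last four digits also means two different SSNs
    # (123456789 and 987656789) are returned for one masked term.
    print("events matched:", len(via_command))
```
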