Security

How to mask a password in Windows event logs?

kamaljagga
Path Finder

Hello,

I am trying to mask the password in the Windows event logs at index time but somehow my config is not working. Kindly advise.

Configuration that I am trying :

1. Changes made in Props
Password extraction
[data]
password = (?m)^(.*)Process Command Line:.*\"\w+\".*\"(?P<password>.*)\"\s+\/active:yes\s+\/passwordchg:yes$
TRANSFORMS-anonymize = password-anonymizer

2. Changes made in Transforms
[password-anonymizer]
FORMAT = ################
DEST_KEY = _raw

Logs:

Process Information:
New Process ID: xyzabc
New Process Name: C:\Windows\System32\net.exe
Token Elevation Type: abcdabcd
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 12345
Creator Process Name: C:\Program Files\BMC Software\Client Management\Client\bin\mtxproxy.exe
Process Command Line: net user "abcd" "password12345" /active:yes /passwordchg:yes /passwordreq:yes

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Documentation Link: https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Anonymizedata

Any advice would be appreciated.

0 Karma
1 Solution

kamaljagga
Path Finder

Thanks all for the reply. Here is the complete solution.

According to the docs, the config should be done on an HF, but for that the data flow would have to be changed. Parsing can't be done on a UF; however, this can be pushed to the indexers via the Cluster Master, similar to field extractions.

Steps:

1. Write the regex to extract the password and use that regex along with the sed command (format s/<password>/<replacement>/g) to test the masking of the password in the search.

index=main sourcetype=data source="C:\\testdata\\TestDataMasking5.txt"
| rex mode=sed "s/\"\w+\".*\"(.*)\"\s+/##############/g"
| table _raw

2. Create a new app in master-apps on the CM, put the above regex in props.conf, and push the bundle.

[data]
SEDCMD-masking=s/\"\w+\".*\"(.*)\"\s+/##############/g

The success of the above solution depends a lot on the regex.

0 Karma
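To test a SEDCMD outside Splunk before pushing a bundle, here is an added example (not code from the thread or from Splunk) that emulates `SEDCMD-<class> = s/regex/replacement/flags` with Python's `re`, which for these patterns behaves like Splunk's PCRE engine. It runs the accepted solution's regex and a tighter alternative of my own over four constructed 4688-style events. The events, the function names, the `TIGHT_SEDCMD` pattern and the emulation's handling of flags (only `g` is modelled) are assumptions of the example, not anything the thread states.

```python
import re


def event(cmdline):
    """Wrap a command line in a constructed 4688-style event body (not real log data)."""
    return "\n".join([
        "Process Information:",
        "New Process ID: 0x1a2b",
        r"New Process Name: C:\Windows\System32\net1.exe",
        "Token Elevation Type: %%1234",
        r"Mandatory Label: Mandatory Label\System Mandatory Level",
        "Creator Process ID: 0x3c4d",
        r"Creator Process Name: C:\Windows\System32\net.exe",
        "Process Command Line: " + cmdline,
    ])


# The SEDCMD value from the accepted solution, exactly as it sits in props.conf.
THREAD_SEDCMD = r's/\"\w+\".*\"(.*)\"\s+/##############/g'

# A tighter alternative (my suggestion, not from the thread): anchor on the net/net1 "user"
# verb, keep everything up to and including the username in \1, and replace only the
# password token, quoted or bare. A bare token may not start with "/" so a switch such as
# /active:yes is never mistaken for a password when no password is present.
TIGHT_SEDCMD = (
    r's/(?i)(Process Command Line:.*?\bnet1?(?:\.exe)? +user +(?:"[^"]*"|[^\s"]+) +)'
    r'(?:"[^"]*"|[^\s"\/][^\s"]*)/\1##########/'
)


def parse_sedcmd(cmd):
    """Split a Splunk-style s<delim>regex<delim>replacement<delim>flags command.

    Emulation only: an escaped delimiter (\\/) is unescaped, every other backslash
    sequence is passed through to the regex engine, and only the "g" flag is
    understood (Splunk's numeric Nth-occurrence flag is not modelled).
    Returns (regex, replacement, count) where count is the re.sub count argument.
    """
    if len(cmd) < 4 or cmd[0] != "s":
        raise ValueError("not an s/// command: %r" % cmd)
    delim = cmd[1]
    parts, buf, i = [], [], 2
    while i < len(cmd):
        ch = cmd[i]
        if ch == "\\" and i + 1 < len(cmd):
            nxt = cmd[i + 1]
            buf.append(nxt if nxt == delim else ch + nxt)
            i += 2
        elif ch == delim:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    parts.append("".join(buf))
    if len(parts) != 3:
        raise ValueError("expected regex, replacement and flags in %r" % cmd)
    regex, repl, flags = parts
    return regex, repl, 0 if "g" in flags else 1


def apply_sedcmd(cmd, raw):
    """Apply one SEDCMD to an event body the way the indexer would at parse time."""
    regex, repl, count = parse_sedcmd(cmd)
    return re.sub(regex, repl, raw, count=count)


def command_line(raw):
    """Return the text after 'Process Command Line: ' (first such line), for inspection."""
    for line in raw.splitlines():
        if line.startswith("Process Command Line: "):
            return line[len("Process Command Line: "):]
    return ""


if __name__ == "__main__":
    samples = [  # constructed command lines, including two the thread's regex mishandles
        'net user "abcd" "password12345" /active:yes /passwordchg:yes /passwordreq:yes',
        'net user "svc_backup" "Wint3r!2024" /add /comment:"Backup service account" /passwordchg:no',
        'net user "abcd" /active:yes',
        'net1 user alice Summ3r2024! /add',
    ]
    for cmd in samples:
        raw = event(cmd)
        print("original :", cmd)
        print("thread   :", command_line(apply_sedcmd(THREAD_SEDCMD, raw)))
        print("tight    :", command_line(apply_sedcmd(TIGHT_SEDCMD, raw)))
        print()
```

The tighter pattern keeps the username and switches such as `/add` in `\1` (so the event still says which account was created or enabled), masks both quoted and bare passwords, and leaves an event such as `net user "abcd" /active:yes` alone instead of masking a switch. The thread's regex masks the username together with the password, swallows everything between the first and last quoted argument when the command carries a later quoted value such as `/comment:"..."`, and misses a bare (unquoted) password entirely. Whatever pattern you settle on, test it with `| rex mode=sed` as in step 1 before it goes to the indexers, and keep in mind that masking at index time only changes what Splunk stores: the cleartext is still in the Security event log on the host and in any other tool that collects 4688 command lines, so a password that has appeared there should be treated as exposed and rotated.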

lilredcrawfish
Explorer

I think it has to be done on an HF:
"Universal forwarders can only parse structured data"

https://docs.splunk.com/Documentation/Splunk/8.2.0/Data/Anonymizedata

kamaljagga
Path Finder

Thanks for mentioning that; I missed the HF note in the docs.

I am trying it through a UF. To configure it on an HF, I will have to change the flow of Windows logs, which also won't be easy.

Is there a way it can be done on a UF?

0 Karma

lilredcrawfish
Explorer

Don't think so. Try putting it on the indexer/indexers. It should work at the first place the data is cooked.

kamaljagga
Path Finder

Yes. I had already put it there and was waiting for off hours to push it to the cluster. Moving it to the indexers removed the whole line, so I still have to work out what kind of regex to put there.

Updated logs after the changes.

Process Information:
New Process ID: abcd
New Process Name: C:\Windows\System32\net1.exe
Token Elevation Type: %%1234
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: abcd
Creator Process Name: C:\Windows\System32\net.exe
############## /passwordreq:yes

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

0 Karma

lilredcrawfish
Explorer

Is this being done on a UF or an HF?

0 Karma

richgalloway
SplunkTrust

The transform needs a REGEX attribute that tells Splunk where to find the field to anonymize. 

---
If this reply helps you, Karma would be appreciated.

kamaljagga
Path Finder

Isn't it already there? Could you provide more details?

0 Karma

richgalloway
SplunkTrust

It's not in the quoted transforms.conf stanza:

2. Changes made in Transforms
[password-anonymizer]
FORMAT = ################
DEST_KEY = _raw

It usually looks something like this:

2. Changes made in Transforms
[password-anonymizer]
REGEX = %%%%%%%%%%%%
FORMAT = ################
DEST_KEY = _raw

Have you tried using SEDCMD in props.conf?  That's usually the easier way to mask data.

---
If this reply helps you, Karma would be appreciated.
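To see why a REGEX on its own is not enough, here is an added example (not richgalloway's code or Splunk's) that emulates with Python's `re` what the documented REGEX / FORMAT / DEST_KEY = _raw mechanism does to one constructed event: the stanza as posted, the same stanza with a REGEX but no `$n` in FORMAT, a REGEX whose `$1` and `$2` capture on a single line only, and a working one. The event, the dict representation of a stanza, the helper names and the `PASSWORD_REGEX` pattern are assumptions of the example.

```python
import re

# Constructed 4688-style event (_raw), modelled on the thread's sample; not real log data.
RAW = "\n".join([
    "Process Information:",
    r"New Process Name: C:\Windows\System32\net.exe",
    'Process Command Line: net user "abcd" "password12345" /active:yes /passwordchg:yes',
    "Token Elevation Type indicates the type of token that was assigned to the new process.",
])

# Everything up to and including the space after the username goes in $1, the password
# token is consumed without being captured, and the remainder of the event goes in $2.
PASSWORD_REGEX = (
    r'(.*Process Command Line:.*?\bnet1?(?:\.exe)? +user +(?:"[^"]*"|[^\s"]+) +)'
    r'(?:"[^"]*"|[^\s"/][^\s"]*)(.*)'
)

# Four transforms.conf stanzas as dicts (my representation; the keys are the real ones).
AS_POSTED = {"FORMAT": "################", "DEST_KEY": "_raw"}            # no REGEX at all
REGEX_ONLY = {"REGEX": r'"\w+" +"[^"]*"', "FORMAT": "################", "DEST_KEY": "_raw"}
SINGLE_LINE = {"REGEX": PASSWORD_REGEX, "FORMAT": "$1##########$2", "DEST_KEY": "_raw"}
FIXED = {"REGEX": "(?s)" + PASSWORD_REGEX, "FORMAT": "$1##########$2", "DEST_KEY": "_raw"}


def expand_format(fmt, match):
    """Expand $1..$n in a FORMAT value from a regex match; missing groups become ''."""
    def group(m):
        n = int(m.group(1))
        return (match.group(n) or "") if 0 < n <= match.re.groups else ""
    return re.sub(r"\$(\d+)", group, fmt)


def apply_transform(raw, transform):
    """Emulate one index-time transform with DEST_KEY = _raw.

    Assumptions of this emulation: a stanza with no REGEX has nothing to match and
    leaves the event untouched; when REGEX matches, the expanded FORMAT becomes the
    whole new _raw, so any text FORMAT does not carry over through $n is lost.
    Other DEST_KEY values are not modelled and pass the event through.
    """
    regex = transform.get("REGEX")
    if not regex or transform.get("DEST_KEY") != "_raw":
        return raw
    m = re.search(regex, raw)
    return expand_format(transform.get("FORMAT", ""), m) if m else raw


def render_stanza(name, transform):
    """Render the dict back as the transforms.conf text you would actually deploy."""
    return "[%s]\n" % name + "".join("%s = %s\n" % kv for kv in transform.items())


if __name__ == "__main__":
    for label, t in [("as posted", AS_POSTED), ("REGEX but no $n", REGEX_ONLY),
                     ("no (?s)", SINGLE_LINE), ("fixed", FIXED)]:
        print("== %s ==" % label)
        print(render_stanza("password-anonymizer", t))
        print(apply_transform(RAW, t))
        print()
```

Because the expanded FORMAT becomes the new `_raw`, FORMAT must carry the rest of the event through `$1` and `$2`; with `FORMAT = ################` on its own, a matching event is reduced to sixteen hash characters. For a multi-line event the captures must also be allowed to span lines, which is what `(?s)` does; without it `$1` and `$2` stop at the line boundaries and everything outside the `Process Command Line:` line is dropped. The working stanza is wired in from props.conf with `TRANSFORMS-anonymize = password-anonymizer` under `[data]`, as in the original post.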

kamaljagga
Path Finder

I had initially put REGEX in the transform, but it didn't work. Giving SEDCMD a try now.

Updated props

splunk $ cat props.conf
[data]
SEDCMD-Anon = s/(?m)^(.*)Process Command Line:.*\"\w+\".*\"(?P<password>.*)\"\s+\/active:yes\s+\/passwordchg:yes/##############/g
#password = (?m)^(.*)Process Command Line:.*\"\w+\".*\"(?P<password>.*)\"\s+\/active:yes\s+\/passwordchg:yes$
#TRANSFORMS-anonymize = password-anonymizer
#TRANSFORMS-anonymize = pass-anonymizer

0 Karma

kamaljagga
Path Finder

This didn't work.

splunk $ cat props.conf
[data]
SEDCMD-Anon = s/(?m)^(.*)Process Command Line:.*\"\w+\".*\"(.*)\"\s+\/active:yes\s+\/passwordchg:yes/##############/g

0 Karma