Dear Community,
We know that there are several options to mask sensitive data before/during ingestion. But generally, how do you scan your data to check if there is any already existing leakage of secrets/tokens/passwords? I've googled and searched the community, but I did not find anything. I thought there was a Splunk app, or that Splunk ES had a built-in feature, to do this, like a professional, fast, effective alert or an AI/ML-assisted one.
What I've done so far for a few indexes:
index={INDEXNAME} | stats values(*) AS * | transpose | table column | rename column AS Fieldnames | search Fieldnames=*secret* OR Fieldnames=*password*
(with the last 15 minutes as the search interval)
Is there any better solution out there? Or do you have a better idea of how to handle this? How are others doing this?
We have Splunk Cloud Platform, but I think it would be the same for Enterprise as well.
Thank you very much!
Regards,
DG
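Added example, not from the original post or from Splunk: a Python sketch of the same check run offline over constructed key=value events, so the logic can be tried before turning it into a scheduled search. It mirrors the field-name search in the SPL above, goes one step further by flagging long, high-entropy values hiding under innocent field names, and masks every match so the alert itself does not re-leak the secret.

```python
import math
import re

# Constructed sample events (not real data), shaped like key=value log lines
# after Splunk's field extraction. The token and base64 blob are made up.
SAMPLE_EVENTS = [
    'ts=2024-01-01T10:00:00Z user=alice action=login status=ok',
    'ts=2024-01-01T10:00:05Z user=bob api_token=tok_3kdJ9xK2mQv8LpZr4TnWy7BcHd1FsEaG5uIo',
    'ts=2024-01-01T10:00:09Z service=billing db_password=Tr0ub4dor&3 region=eu-west-1',
    'ts=2024-01-01T10:00:12Z user=carol note="rotated the client_secret yesterday"',
    'ts=2024-01-01T10:00:15Z job=export blob=Qm9vdHN0cmFwIHRoZSBleHBvcnQgam9iIHRvZGF5Cg== status=ok',
]

# Rule 1 mirrors the SPL in the post: flag fields whose *name* looks sensitive.
SENSITIVE_NAME = re.compile(r'secret|passw(or)?d|token|api[_-]?key|private[_-]?key', re.I)
# key=value pairs; values may be quoted (with spaces) or a single non-space run.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def shannon_entropy(s):
    """Bits per character: random tokens score high, words and timestamps low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def mask(value):
    """Keep only the first and last two characters so the alert is safe to store."""
    return value if len(value) <= 4 else value[:2] + '*' * (len(value) - 4) + value[-2:]

def scan_event(raw, min_len=20, min_entropy=3.5):
    """Return [(rule, field, masked_value)] for one event; empty list if clean."""
    findings = []
    for field, value in KV.findall(raw):
        value = value.strip('"')
        if SENSITIVE_NAME.search(field):
            findings.append(('sensitive_field_name', field, mask(value)))
        # Rule 2 goes beyond the field-name search: a long, space-free, high-entropy
        # value under an innocent name (e.g. "blob") deserves review as a possible
        # credential. Prose is excluded by the no-space test, since English text
        # also scores above 3.5 bits/char.
        elif len(value) >= min_len and ' ' not in value and shannon_entropy(value) >= min_entropy:
            findings.append(('high_entropy_value', field, mask(value)))
    return findings

def scan_events(events):
    """Map event index -> findings, omitting clean events."""
    return {i: f for i, e in enumerate(events) if (f := scan_event(e))}

if __name__ == '__main__':
    for idx, hits in scan_events(SAMPLE_EVENTS).items():
        print(idx, hits)
```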