Getting Data In

How to anonymize credit card numbers using props.conf and transforms.conf?

gotenzw
Observer

Hi, I'm trying to replace a credit card number (16 digits) in a CSV file with xxxx.

When I input the text below, the full event is masked; I only see xxxx in the search.

test1,test2, 0123456789123456 

When I input any credit card number which is less than 16 digits, I can see the full event in the search.

test3,test4,1234

 

Please find the following configuration files:

props.conf

[ccdata]
TRANSFORMS-anonymize = masking

 

transforms.conf

[masking]
REGEX = \d{16}
FORMAT = xxxx
DEST_KEY = _raw

 

0 Karma

gcusello
Legend

Hi @gotenzw,

as @richgalloway said, the behavior you described is correct: you transform a credit card number (16 digits) if you have a number with 16 digits in that field; if you have anything different, the transformation doesn't run, but that's correct.

If you want to mask every number in the third field (also less than 16 digits), you have to use a different approach as described at https://docs.splunk.com/Documentation/Splunk/9.0.0/Data/Anonymizedata:

in props.conf use this command:

[<your_sourcetype>]
TRANSFORMS-anonymize = anonymizer

in transforms.conf:

[anonymizer]
REGEX = ^(\w+,\w+,)\d+
FORMAT = $1xxxxxxxxxxxxxxxx
DEST_KEY = _raw

Ciao.

Giuseppe

0 Karma

gotenzw
Observer

I need to use the same approach, which is 16 digits, but I want to see the other fields.

I'm expecting the event like below:

 

event1,event2,xxxx 

0 Karma

gcusello
Legend

Hi @gotenzw,

with my approach, you should see the other fields and anonymize only the credit card number; otherwise, as described at the above URL (https://docs.splunk.com/Documentation/Splunk/9.0.0/Data/Anonymizedata), you can also try the SEDCMD command in props.conf:

 

[<your_sourcetype>]
SEDCMD-Anonymize = s/^(\w+,\w+,)\d+/\1xxxxxxxxxxxxxxxx/g

 

Ciao.

Giuseppe

0 Karma

gotenzw
Observer

I used the SEDCMD and it worked fine, but I need to do it using transforms.conf.

Below is the props.conf which I used.

[ccdata]
SEDCMD-ccdatamask = s/\d{16}/xxxx/g 

 

Is it possible to do the same using transforms.conf?

0 Karma

gcusello
Legend

Hi @gotenzw,

Yes, it's possible.

Your transforms.conf is correct, and the configuration you shared is correct but only for 16-digit numbers; if you have fewer digits it doesn't work.

If you don't have other numerical fields you could try to use a slightly different regex to recognize your CC number:

[masking]
REGEX = \d+
FORMAT = xxxx
DEST_KEY = _raw

Ciao.

Giuseppe

 

 

0 Karma

richgalloway
SplunkTrust

What is the problem you are trying to solve?  The way I read this description everything appears to be working as desired.

---
If this reply helps you, Karma would be appreciated.
0 Karma

gotenzw
Observer

I need to see the other fields like test1, test2. What is required is to mask only the credit card number, which is the 16 digits, but the issue here is that I can't see the full event after masking; as stated before, I can only see xxxx in the search.

0 Karma
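The symptom reported in this thread (the whole event collapsing to xxxx) can be reproduced offline with the following added example, which is not code from any poster or from Splunk. It is a Python model that assumes a transform with DEST_KEY = _raw replaces the entire event with the expanded FORMAT when REGEX matches; the helper names, the sample events and the capturing REGEX/FORMAT pair are assumptions made for illustration.

```python
import re

def apply_transform(raw, regex, fmt):
    """Model of a transforms.conf stanza with DEST_KEY = _raw.

    Assumed semantics: when REGEX matches, the expanded FORMAT becomes
    the whole event; when it does not match, the event is left alone.
    """
    m = re.search(regex, raw)
    if m is None:
        return raw
    # Expand $1, $2, ... in FORMAT from the capture groups of the match.
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", fmt)

def apply_sedcmd(raw, regex, replacement):
    """Model of SEDCMD s/regex/replacement/g: every match is replaced in place."""
    return re.sub(regex, replacement, raw)

# Stanza from the question: no capture groups, so FORMAT is the entire new _raw.
ORIGINAL = (r"\d{16}", "xxxx")
# Assumed fix: capture the text around the number and re-emit it in FORMAT.
CAPTURING = (r"^(.*?)\d{16}(.*)$", "$1xxxx$2")

# Constructed sample events (not real card numbers).
EVENTS = [
    "test1,test2,0123456789123456",           # one 16-digit number
    "test3,test4,1234",                       # short number: REGEX does not match
    "a,1111222233334444,b,5555666677778888",  # two 16-digit numbers in one event
]

def compare(event):
    """Return (original transform, capturing transform, SEDCMD) results."""
    return (
        apply_transform(event, *ORIGINAL),
        apply_transform(event, *CAPTURING),
        apply_sedcmd(event, r"\d{16}", "xxxx"),
    )

if __name__ == "__main__":
    for e in EVENTS:
        print(e, "->", compare(e))
```

In this model the capturing stanza masks only the first 16-digit run in an event, while the SEDCMD form with the g flag masks every occurrence, so events that can carry more than one card number should be checked after the change.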