Time: 6 hours 3 minutes
Difficulty: Intermediate
CEU/CPE: 6

Video Transcription

00:00
Hello, and welcome back to this Splunk Enterprise Certified Administrator course on Cybrary. In this video, we're going to be doing a lab where I walk through the process of how to mask sensitive data before you write it to disk in Splunk. So we're gonna use some props and transforms. We basically
00:19
put that on the indexer so that
00:22
our data, which you'll see in a second, will have any credit card numbers stripped out of it and then be written to disk with an obfuscated value. So we're gonna first take a look at the data, then we'll walk through how to actually make that configuration.
00:39
Then we will create an input for the data with our forwarder
00:43
after we place our props and transforms configurations on the indexer. And then we'll take a look in Splunk at that data actually being censored. So
00:53
let's start first by looking at the data. So I have it on my device here.
00:58
So you see, we got a date,
01:00
host name, payment portal, success or failure, transaction ID, and then you see this credit card number is what we want to obfuscate.
01:10
So I'm gonna copy this, and we're gonna go to regex101
01:15
and paste the data in here.
01:19
And basically what we're gonna do is we're going to change the log format so that,
01:25
um, these three sets of numbers are stars, and then it just has the last four digits, and then it keeps the rest of the log the same.
01:34
So the way we can do this is it's gonna be a sed command. So we're gonna write an expression that matches everything
01:44
up to here. So we'll just do dot-star card
01:49
to make this a capture group,
01:51
that in there,
01:56
and then we will make
01:57
another capture group.
02:05
Well, actually,
02:08
this
02:12
What this is saying: any digit, four digits,
02:15
followed by a hyphen, followed by four digits, a hyphen, followed by four digits,
02:22
and now the hyphen again.
02:24
And we're gonna save this part, so we'll start another capture group, and we'll just capture everything.
02:30
So now if we reference that first capture with dollar sign one, you can see it printed everything captured by this initial capture group.
02:42
And now we will sub out the numeric values for
02:49
four stars.
02:51
And then we will reference our second
02:53
capture group. So now you can see this is what the logs are gonna look like after this replacement occurs.
03:00
So it will effectively censor out this part. And so then the data will be not that sensitive anymore. So that's good.
03:09
I'll just pull up the transforms documentation to show you
03:15
basically how to do this configuration.
03:20
So we go down to the .conf example, and we'll scroll until we see something about,
03:27
um, masking sensitive data,
03:30
so you can see they name this whatever they feel like naming it.
03:34
Then put in that regular expression, which will be the same; we'll use the regular expression I wrote over there.
03:40
And then we put in our format key, whatever this substitution ends up being, and then we tell which field we want to overwrite, in this case _raw, which is the field that just is like the actual raw data for the log.
03:58
So now we can quickly make this setting. We're gonna set it up on
04:02
our search head, which is also a deployment server,
04:06
at etc/deployment-apps, and we will call this,
04:17
uh,
04:20
and cold.
04:24
Oh, it make their change.
04:29
So make that directory
04:31
part transforms
04:40
So we'll name this whatever; we want mask
04:44
data,
04:47
we will set
04:55
what we had here,
05:00
we will specify our
05:04
Teoh
05:06
our substitution.
05:10
And then we will specify, I guess,
05:13
Bulls underscore.
05:16
So now we will make props
05:23
and we'll call this.
05:30
That's gonna be our source type, which we'll need to remember for making our inputs. And I'm gonna do a line breaker just because I want to make sure that these get ingested into Splunk correctly.
05:45
So
05:49
falls
05:51
what
05:55
equals
06:02
any newline character followed by a \d,
06:11
which is any character found in that data set,
06:14
followed by \d. We know it to be two characters.
06:19
I don't need to escape that, but I'll escape it just in case.
06:25
Two digits.
06:29
Four digits.
06:38
Okay, so that's, you know, I'm not gonna do the rest of the timestamp extraction stuff just for the sake of time, but you should obviously do those.
06:46
But since we've covered that pretty thoroughly, I'm just not gonna go through it again. So then we call our transforms.
06:55
Which waas leave
07:01
way,
07:06
score
07:10
sensitive data. Yep.
07:12
Okay, so our props configuration is now done. That's all we'll need. We just need to go to our search head
07:19
and set it up so that these settings get sent to our indexer. And we also need to make
07:29
inputs
07:33
on our forwarders so that we actually start
07:42
and so well,
07:46
make that directory
07:50
and,
07:53
well,
07:55
mom, her Sansa
07:57
And this is
07:59
on a Windows device. Let's see where this path is.
08:05
Technically, it's in OneDrive. So,
08:09
let's see if we can
08:16
go to open file location if I could, but I don't see that as an option.
08:24
I could just use a shortcut that says sensitive data, but I don't really want to do that. We'll just go to
08:33
just, uh,
08:37
and
08:46
I believe it's at C:\Users, my user,
08:52
OneDrive, Desktop. So this is the actual path. So if I copy this address
09:01
pace that loves
09:03
help. If I didn't Maxim select that
09:05
copy that address as text, paste,
09:07
and then add the file name.
09:15
Thanks.
09:20
I don't know if I need a .txt or not. Let's try it with
09:28
Well, let's open this.
09:35
Yeah, it is technically .txt. So
09:39
okay, now we'll call this sourcetype. We want it to be sensitive data,
09:48
and we're gonna send to index main,
09:54
because it's not what goes down must have.
09:58
So that's really all we need for that.
10:01
Now we just need to deploy both of these apps. You see there is that one. If I refresh, we'll get my other one. Well,
10:09
kid,
10:11
so let's do a new server class. We'll do
10:18
what did I name the apps?
10:22
sensitive_data. Don't like how it's inconsistent with that.
10:31
But I actually want to make the props first, because I want to make sure that we don't accidentally ingest that data before my props
10:39
is on,
10:41
data props.
10:45
Um,
10:48
save,
10:52
set restart Splunk so the settings actually take effect,
10:56
then go back
10:58
and add our devices. So we're sending it to our indexers, and my indexers are gonna be named this way,
11:07
so you can see if I hit preview,
11:09
that's right, it only sends to the host we wanted it to. So that's good. So that should be deployed. And now we start making the other configuration,
11:18
which will be this one.
11:20
And our inputs
11:26
set that to restart Splunk.
11:31
And now we just need to add our
11:35
forwarder, which will be
11:37
star
11:41
Review; see, the check mark comes up. So that's good.
11:45
And now shortly we should start seeing this data brought in. And what we want to see is that the data comes in and the value is masked
11:56
equals.
12:03
Let me do
12:05
all time,
12:11
huh?
12:13
Unfortunately, our connection did not go through to the indexer here.
12:22
Well, now it says we're down.
12:28
Let's check on that really quick.
12:33
It's probably restarting
12:35
from
12:37
the app being deployed. Yeah, so we probably just caught it at a bad time.
12:48
So let's give it a second.
12:52
Because, yeah, sometimes it takes a minute to reestablish connection. But while we're waiting, I'll just check a couple things.
13:03
Yeah, so it should be able to access that device, no problem.
13:09
It is a
13:11
There we go. Okay, cool. So it just took a little while before everything restarted and connectivity got resumed. But you can see our credit card number is masked, so you can follow that process and mask any kind of data you want. Rewrite the logs any way you want.
13:28
The important thing is we put our inputs on our forwarder. And then we set our props on our indexers so that when the data got there, that's when that data gets processed before it gets written to disk. So
13:43
yeah, so that's everything you need to know about how to leverage props and transforms to rewrite your logs and mask any sensitive data if you want to. You can also do it if there's junk data in here, which is the case with some logs. You can just set the rewrite to
14:01
rewrite everything except whatever is in the
14:03
junk data capture group; you just exclude that. But it's a cool way to save on some licensing or hide some sensitive data. That's everything you need to know for this lab. So that's gonna be the end of the video, and we look forward to seeing you in the next one.

Splunk Enterprise Certified Administrator

The course is designed around the guidelines provided in Splunk’s Test Blueprint for the Certified Administrator certification, Splunk Docs, the Splunk Data and System Admin courses, and the experience of a Splunk Professional Services Consultant.

Instructed By

Anthony Fecondo
Splunk Professional Service Consultant
Instructor