6 hours 3 minutes
bloom. Welcome back this blunt enterprise certified administrator course on Cyber. In this video, we're going to be doing a lab where I walk through the process of how to mask sensitive data before you write it to disk in the Splunk. So we're gonna use some props and transforms. It's basically
put that on the indexer so that
our data, which you'll see in a second, will have any credit card numbers stripped out of it and then be written to disk within a few skated value. So we're gonna first take a look at the data, then we'll walk through how to actually make that configuration.
Then we will print input for the data with art
after we place our props and transforms configurations on the indexer. And then we'll take a look in Splunk at that data actually being censored. So
let's start first by look at the data. So I haven't won my device here.
So you see, we got a day
host name, payment, portal, successor, failure, transaction idea, and then you see this credit card number is what we want to offer escape.
So I'm gonna copy this when we're gonna go to read 6.1
and place the status in here.
And basically what we're gonna do is we're going to change the log format so that,
um, this these three sets of numbers or stars, and then it just has the last four digits, and then it keeps the rest of the law the same.
So the way we can do this is it's gonna be a said command. So we're gonna write an expression that matches everything
up to here. So we'll just do dot star card
to make this a capture
that in there
on, then we will make
what this is saying. Any any digit, four digits,
followed by a hyphen followed by four digits will lengthen, followed by four digits.
And now they're hoping again.
And we're gonna save this part so we'll start another capture group, and we'll just capture everything.
So now if we referenced that first captured with dollar signs one you can see it printed everything captured by this initial capture group.
And now we will sub out normal values for
And then we will raise our second
capture it. So now you can see this is what the logs they're gonna look like after this replacement occurs.
So it will effectively sensor out this part. And so then the status will be not that sensitive anymore. So that's good.
I'll just take transforms documentation to show you
basically how to do this configuration.
So we go down to the stock, come, for example, and we'll to scroll until we see something about,
um, asking sensitive data
so you can see the name this wherever they feel like naming it.
Then put in that regular expression which will be the same wish while used the regular expression I wrote over there.
And then we put in our format key whatever this substitution ends up being, and then we tell which field we wanted to overwrite in this case, coming in under sport role, which is the field that just is like the actual raw data for the log.
So now weaken quickly, make this setting. We're gonna send up on
our search head, which is also a server
at sea deployment abs, and we will call this,
Oh, it make their change.
So make that directory
So with me in this weather. We want man
we will send.
What we had here,
we will specify are
And then we will specify. I guess
So now we will make problems
and we'll call this.
That's gonna be our source type, which will need to remember for make our inputs. And I'm gonna do a line breaker just because I want to make sure that these get ingested into sporting correctly.
any new line character followed by a dizzy
he has any character found That's data set,
followed by me Dizzy. We know to be two characters.
I don't need to escape. That will sleep it just in case.
Okay, so that's, you know, I'm not gonna do the rest of the time stamp extraction stuff just for the sake of time, but you should obviously do those.
But since we've covered that pretty slabs, I'm just not gonna go through it again. So then we pull our transforms.
Which waas leave
a sense of death. Yep.
Okay, so our props configurations are now telling That's all we'll need. We just need to go to our search head
and set it up so that these settings get sent to our indexer. And we also need to make
my orders so that we actually start
and so well,
make that directory
mom, her Sansa
And this is
in on a windows device on. Let's see where this path is.
Technically, they got one drives. No,
let's see if we can
going to open file location if I could, But I don't see that as an option.
I could just use a short cut that says sense of data, but I don't really want to do that. We'll just go to
believe what state? This Y C users may
one Dr desk town. So this is the actual path. So if I copy this address
pace that loves
help. If I didn't Maxim select that
copy that addresses text paste
and then at the file name.
I don't know if I need a doctor text or not. Let's try it with
Well, it's open this.
Yeah, it is technically not text. So
okay, now will call this force type. We wanted it to sense,
and we're gonna send Teoh Index May
because it's not what goes down must have.
So that's really all we need for that.
Now we just need to deploy both of these abs. You see it there is that one. If I refresh will get my other ones. Well,
so let's do a new server class. Well, dio
what did I name the abs
sensitive underscore Tana coming Don't like hell is inconsistent with that.
But I actually want to make the props first because I want to make sure that we don't accidentally in just that data before my crops
said restarts, plugs with settings, actually take back,
then go back
and add our advice. So we're sending it to our indexers, and my mixtures are gonna be named this way
so you can see if I had a preview
that's right. Only send to the host we wanted to. So that's good. So that should be deployed. And now we start making other configuration,
which will be this one.
And our includes
set that to restart spoon.
And now we just need Teoh bad for
forwarder, which will be
Review. See the check mark comes up. So that's good.
And now shortly we should start seeing this data brought in. And what we want to see is that the data comes in and the value is match
Let me to do
Fortunately, our connection did not go through for index here.
Well, now says we're down.
Let's check on that really quick.
It's probably restarting
at being employed. Yeah, so we probably just called it a bad time.
So let's give it a second.
Because yeah, sometimes it takes a minute to reestablish connection. But what? We're waiting. I'll just check a couple things.
Yeah, so it should be able to access that voice. No problem.
It is a
There we go. Ok, cool. So it just took a little while before everything restored it and connectivity got resumed. But you can see our credit card number is masked so you can follow that process and mask any kind of data you want. Rewrite the logs any way you want.
Three important thing is we put our inputs on our order. And then we set our crops on our indexers so that when the data got there, that's when that data gets process before gets written to disk. So
yeah, so that's everything you need to know about how to leverage props and transforms to rewrite your logs and mask any sensitive data if you want to. You also do it like if there's junk data in here, which is kissed, someone does logs. You can just set the rewrite. Teoh
rewrite everything except whatever. Since they
junk data capture group, you just explode that. But it's cool way to save on some licensing or hide some sensitive data. That's everything you need to know for this lab. So that's gonna be the end of the video, and we look forward to seeing you in the next one.
Certified Information Security Manager (CISM)
A CISM certification shows you have an all-around technical competence and an understanding of the ...
13 CEU/CPE Hours Available
Certificate of Completion Offered
Microsoft 365 Identity and Services (MS-100)
Prepare for the Microsoft 365 Identity and Services (MS-100) exam, which measures your ability to ...