Masking Data Lab

00:00

bloom. Welcome back this blunt enterprise certified administrator course on Cyber. In this video, we're going to be doing a lab where I walk through the process of how to mask sensitive data before you write it to disk in the Splunk. So we're gonna use some props and transforms. It's basically

00:19

put that on the indexer so that

00:22

our data, which you'll see in a second, will have any credit card numbers stripped out of it and then be written to disk within a few skated value. So we're gonna first take a look at the data, then we'll walk through how to actually make that configuration.

00:39

Then we will print input for the data with art

00:43

after we place our props and transforms configurations on the indexer. And then we'll take a look in Splunk at that data actually being censored. So

00:53

let's start first by look at the data. So I haven't won my device here.

00:58

So you see, we got a day

01:00

host name, payment, portal, successor, failure, transaction idea, and then you see this credit card number is what we want to offer escape.

01:10

So I'm gonna copy this when we're gonna go to read 6.1

01:15

and place the status in here.

01:19

And basically what we're gonna do is we're going to change the log format so that,

01:25

um, this these three sets of numbers or stars, and then it just has the last four digits, and then it keeps the rest of the law the same.

01:34

So the way we can do this is it's gonna be a said command. So we're gonna write an expression that matches everything

01:44

up to here. So we'll just do dot star card

01:49

to make this a capture

01:51

that in there

01:56

on, then we will make

01:57

mother capture.

02:05

Well, actually,

02:08

this

02:12

what this is saying. Any any digit, four digits,

02:15

followed by a hyphen followed by four digits will lengthen, followed by four digits.

02:22

And now they're hoping again.

02:24

And we're gonna save this part so we'll start another capture group, and we'll just capture everything.

02:30

So now if we referenced that first captured with dollar signs one you can see it printed everything captured by this initial capture group.

02:42

And now we will sub out normal values for

02:49

four stars.

02:51

And then we will raise our second

02:53

capture it. So now you can see this is what the logs they're gonna look like after this replacement occurs.

03:00

So it will effectively sensor out this part. And so then the status will be not that sensitive anymore. So that's good.

03:09

I'll just take transforms documentation to show you

03:15

basically how to do this configuration.

03:20

So we go down to the stock, come, for example, and we'll to scroll until we see something about,

03:27

um, asking sensitive data

03:30

so you can see the name this wherever they feel like naming it.

03:34

Then put in that regular expression which will be the same wish while used the regular expression I wrote over there.

03:40

And then we put in our format key whatever this substitution ends up being, and then we tell which field we wanted to overwrite in this case, coming in under sport role, which is the field that just is like the actual raw data for the log.

03:58

So now weaken quickly, make this setting. We're gonna send up on

04:02

our search head, which is also a server

04:06

at sea deployment abs, and we will call this,

04:17

uh,

04:20

and cold.

04:24

Oh, it make their change.

04:29

So make that directory

04:31

part transforms

04:40

So with me in this weather. We want man

04:44

data

04:47

we will send.

04:55

What we had here,

05:00

we will specify are

05:04

Teoh

05:06

or Substitution.

05:10

And then we will specify. I guess

05:13

Bulls underscore.

05:16

So now we will make problems

05:23

and we'll call this.

05:30

That's gonna be our source type, which will need to remember for make our inputs. And I'm gonna do a line breaker just because I want to make sure that these get ingested into sporting correctly.

05:45

So

05:49

falls

05:51

what

05:55

equals

06:02

any new line character followed by a dizzy

06:11

he has any character found That's data set,

06:14

followed by me Dizzy. We know to be two characters.

06:19

I don't need to escape. That will sleep it just in case.

06:25

Two digits.

06:29

Four days.

06:38

Okay, so that's, you know, I'm not gonna do the rest of the time stamp extraction stuff just for the sake of time, but you should obviously do those.

06:46

But since we've covered that pretty slabs, I'm just not gonna go through it again. So then we pull our transforms.

06:55

Which waas leave

07:01

way,

07:06

score

07:10

a sense of death. Yep.

07:12

Okay, so our props configurations are now telling That's all we'll need. We just need to go to our search head

07:19

and set it up so that these settings get sent to our indexer. And we also need to make

07:29

inputs

07:33

my orders so that we actually start

07:42

and so well,

07:46

make that directory

07:50

and,

07:53

well,

07:55

mom, her Sansa

07:57

And this is

07:59

in on a windows device on. Let's see where this path is.

08:05

Technically, they got one drives. No,

08:09

let's see if we can

08:16

going to open file location if I could, But I don't see that as an option.

08:24

I could just use a short cut that says sense of data, but I don't really want to do that. We'll just go to

08:33

just, uh,

08:37

and

08:46

believe what state? This Y C users may

08:52

one Dr desk town. So this is the actual path. So if I copy this address

09:01

pace that loves

09:03

help. If I didn't Maxim select that

09:05

copy that addresses text paste

09:07

and then at the file name.

09:15

Thanks.

09:20

I don't know if I need a doctor text or not. Let's try it with

09:28

Well, it's open this.

09:35

Yeah, it is technically not text. So

09:39

okay, now will call this force type. We wanted it to sense,

09:48

and we're gonna send Teoh Index May

09:54

because it's not what goes down must have.

09:58

So that's really all we need for that.

10:01

Now we just need to deploy both of these abs. You see it there is that one. If I refresh will get my other ones. Well,

10:09

kid,

10:11

so let's do a new server class. Well, dio

10:18

what did I name the abs

10:22

sensitive underscore Tana coming Don't like hell is inconsistent with that.

10:31

But I actually want to make the props first because I want to make sure that we don't accidentally in just that data before my crops

10:39

is on

10:41

data problems.

10:45

Um,

10:48

save

10:52

said restarts, plugs with settings, actually take back,

10:56

then go back

10:58

and add our advice. So we're sending it to our indexers, and my mixtures are gonna be named this way

11:07

so you can see if I had a preview

11:09

that's right. Only send to the host we wanted to. So that's good. So that should be deployed. And now we start making other configuration,

11:18

which will be this one.

11:20

And our includes

11:26

set that to restart spoon.

11:31

And now we just need Teoh bad for

11:35

forwarder, which will be

11:37

star

11:41

Review. See the check mark comes up. So that's good.

11:45

And now shortly we should start seeing this data brought in. And what we want to see is that the data comes in and the value is match

11:56

equals.

12:03

Let me to do

12:05

all time,

12:11

huh?

12:13

Fortunately, our connection did not go through for index here.

12:22

Well, now says we're down.

12:28

Let's check on that really quick.

12:33

It's probably restarting

12:35

from

12:37

at being employed. Yeah, so we probably just called it a bad time.

12:48

So let's give it a second.

12:52

Because yeah, sometimes it takes a minute to reestablish connection. But what? We're waiting. I'll just check a couple things.

13:03

Yeah, so it should be able to access that voice. No problem.

13:09

It is a

13:11

There we go. Ok, cool. So it just took a little while before everything restored it and connectivity got resumed. But you can see our credit card number is masked so you can follow that process and mask any kind of data you want. Rewrite the logs any way you want.

13:28

Three important thing is we put our inputs on our order. And then we set our crops on our indexers so that when the data got there, that's when that data gets process before gets written to disk. So

13:43

yeah, so that's everything you need to know about how to leverage props and transforms to rewrite your logs and mask any sensitive data if you want to. You also do it like if there's junk data in here, which is kissed, someone does logs. You can just set the rewrite. Teoh

14:01

rewrite everything except whatever. Since they