![]() ![]() Role-based field filtering is available in public preview for Splunk Enterprise 9.x and we are currently incorporating the customer feedback we are receiving during this preview.ĭon’t just take it from me, try out these great new capabilities in Splunk Cloud Platform and Splunk Enterprise.Īuthors and Contributors: As always, security at Splunk is a family business.Splunk offers powerful software options, from Splunk Enterprise and Splunk Cloud Platform, to Splunk Enterprise Security, Splunk SOAR, Splunk APM, Splunk Infrastructure Monitoring, and much more. Field hashing only applies to indexed fields.Will not work with tstats, mstats or datamodel commands.Screenshot from the redacted raw event and the SHA256 hash of the UserId field for the user role where the role-based field filtering configuration is applied. The resulting search experience will display the redacted _raw field as “xxxx”, while the UserId field, which is an indexed field, will be replaced by the SHA256 hash value. The additional configuration will look like this: With role-based field filtering you can also apply hashing to indexed fields to perform analytics on the data–the UserId field in this case. Screenshot from an admin role where the unredacted data is shown. ![]() Screenshot from the redacted raw event for the user role where the role-based field filtering configuration is applied. The data format is JSON.įieldFilter-_raw = s/"UserId": "*/"UserId": "xxxx/Īs you can see, we are using a standard regex sed command to replace a field value with “xxxx”. GUI support is not currently available to configure this feature, so you must modify nf and nf to enable and configure it.įor example, to imitate what we did using Ingest Actions earlier, we can apply the following configuration to nf to filter data for a user role. Role-based field filtering is available in public preview for Splunk Enterprise 9.x and later, and by request for Splunk Cloud Platform customers. This capability lets you limit access to confidential information for certain roles by redacting or obfuscating fields in events within searches without removing data from the backend.įield filters retain the original event, but remove specific indexed or default fields from search results, or replace specific indexed or default field values at search time when those fields appear in the results. ![]() Role-based field filtering is applied to events at search time in the GUI only, as opposed to the data written to disk. Currently no tokenization or hashing, only masking of data.You are duplicating the data (and doubling the storage requirements), making it less ideal for really large datasets.Easy to set up role-based access control based on redacted indexes.Maintains compliance with “raw” logging mandates.Once you have the redacted data in another index, it is easy to apply role-based access control to the unredacted data. The search interface shows duplicate events, one original and one redacted. ![]() The outcome is that for each event that comes in, an identical event where the UserId field has been masked irreversibly with “xxxxxx” is sent to the index “o365_redacted”. The ingest actions interactive GUI displays the changes applied to data as it moves through the pipeline. We would like to mask the employee ID accessing the file and send this redacted event to another index. In the example below, we have data from Office 365 OneDrive where the events show an employee opening a file. You can mask, filter, and route the data to one or more destinations, including AWS S3 or another Splunk index. It executes before the data is written to disk. The ingest actions feature is a data pipeline that runs on the indexer, heavy forwarder, or in Splunk Cloud. The features I’m referring to are ingest actions and role-based field filtering (preview), and we will describe both in this blog. In the past, you had to rely on third-party data pipelines, tokenization software, or scheduled summary searches in Splunk to achieve the same outcome. Examples of compliance mandates include GDPR, PCI, HIPAA and other general-purpose PII and PHI protection mandates. In practice, this means you can satisfy various internal and external compliance requirements using Splunk standard components. The release of Splunk 9.x includes exciting new features that make it easier to mask, hash, and filter data on disk and in the UI. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |