Security

How to encrypt or mask log data, then restrict a group of users from seeing events from that masked data?

Tejkumar451
Explorer

Hi guys,
I have some data which needs to be encrypted like xxxxx6789 for SSN instead of 123456789. And I will give access to this data to two groups, A & B.
When group A users log in and search for the SSN 123456789, they shouldn't be seeing any events.
But when group B users log in and search for the SSN 123456789, they should be seeing all those events which have the SSN as 123456789.

In short, there should be some mechanism where, for the group B users, the SSN in the search should get encrypted/masked, search for those events and return them.

Can this be achieved using Splunk?

Thanks in advance

0 Karma

richgalloway
SplunkTrust

What you describe is not encryption, but masking. There are some resources available that describe how to mask data at index time. See http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Anonymizedata for starters.
You could create a custom command that would take an SSN as input and return the masked version for use in a search. That, however, would not prevent someone from Group A who figured out the masking scheme from entering a masked SSN manually and searching for it. I'm not aware of anything in Splunk that will do that.

---
If this reply helps you, Karma would be appreciated.
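
An added illustration of the limitation described in the answer above (not code from the original posts or from Splunk): a plain-Python model of index-time masking plus a search-term translation step, using the xxxxx6789 scheme from the question. The function names and sample events are constructed for this example; it also shows that two different SSNs sharing their last four digits become indistinguishable once masked.

```python
import re

# Assumption: SSNs appear as nine bare digits, as in the question (123456789).
SSN_RE = re.compile(r"\b\d{5}(\d{4})\b")


def mask_ssn(text):
    """Replace the first five digits of every 9-digit SSN with 'x'."""
    return SSN_RE.sub(lambda m: "xxxxx" + m.group(1), text)


def index_events(raw_events):
    """Stand-in for index-time masking: only the masked form is stored."""
    return [mask_ssn(e) for e in raw_events]


def search(indexed, term, translate=False):
    """Literal substring search over stored events.

    translate=True models the custom command from the answer, which
    converts a clear SSN into its masked form before searching.
    """
    if translate:
        term = mask_ssn(term)
    return [e for e in indexed if term in e]


# Constructed sample events, not real data.
RAW = [
    "2017-03-01T10:00:00 user=alice action=update ssn=123456789",
    "2017-03-01T10:05:00 user=bob action=view ssn=987656789",
    "2017-03-01T10:09:00 user=carol action=view ssn=111223333",
]
INDEXED = index_events(RAW)

if __name__ == "__main__":
    # Group A searching the clear SSN finds nothing: it was never stored.
    print("clear term:     ", search(INDEXED, "123456789"))
    # Group B with translation gets the event, plus a colliding SSN.
    print("translated term:", search(INDEXED, "123456789", translate=True))
    # The same result is available to anyone who types the masked form.
    print("masked by hand: ", search(INDEXED, "xxxxx6789"))
```

Because the masked value is just a searchable string, separating the two groups has to come from access controls on the data itself, not from the masking step.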