How to encrypt or mask log data, then restrict a group of users from seeing events from that masked data?

Tejkumar451
Explorer

Hi guys,
I have some data which needs to be encrypted, like xxxxx6789 for an SSN instead of 123456789. And I will give access to this data to two groups, A & B.
When group A users log in and search for the SSN 123456789, they shouldn't see any events.
But when group B users log in and search for the SSN 123456789, they should see all the events which have the SSN 123456789.

In short, there should be some mechanism where, for the group B users, the SSN in the search gets encrypted/masked, and the search looks for those events and returns them.

Can this be achieved using Splunk?

Thanks in advance

0 Karma

richgalloway
SplunkTrust

What you describe is not encryption, but masking. There are some resources available that describe how to mask data at index time. See http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Anonymizedata for starters.
You could create a custom command that would take an SSN as input and return the masked version for use in a search. That, however, would not prevent someone from Group A who figured out the masking scheme from entering a masked SSN manually and searching for it. I'm not aware of anything in Splunk that will do that.

---
If this reply helps you, Karma would be appreciated.
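
The masking scheme discussed in this thread, modelled in plain Python as an added example (it is not part of the original posts and is not Splunk configuration or a Splunk API). It assumes the `xxxxx` + last-four-digits format from the question; the function names and the sample events are constructed for illustration. It shows why a search-side masking helper cannot separate group A from group B: the masked value is unkeyed, several SSNs share it, and typing it by hand returns the same events.

```python
import re

# Assumption: SSNs appear as 9 bare digits or as 3-2-4 digits with dashes.
SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")


def mask_ssn(text: str) -> str:
    """Index-time step: replace each SSN with 'xxxxx' plus its last four digits."""
    return SSN_RE.sub(lambda m: "xxxxx" + m.group(3), text)


def mask_search_term(ssn: str) -> str:
    """Search-time step: turn a clear SSN into the masked term stored in the index."""
    if not SSN_RE.fullmatch(ssn):
        raise ValueError("not an SSN")
    return mask_ssn(ssn)


def search(indexed_events, term):
    """Stand-in for a keyword search over already-masked events."""
    return [event for event in indexed_events if term in event]


# Constructed sample events (not real data).
RAW_EVENTS = [
    "2017-03-01T10:00:00 user=alice action=update ssn=123456789",
    "2017-03-01T10:05:00 user=bob action=view ssn=987-65-6789",
    "2017-03-01T10:09:00 user=carol action=view ssn=555443210",
]
INDEXED = [mask_ssn(event) for event in RAW_EVENTS]

if __name__ == "__main__":
    # Clear-text search finds nothing, for every user, because the index holds masks.
    print(search(INDEXED, "123456789"))
    # The helper's output also matches bob's event: two different SSNs, one mask.
    print(search(INDEXED, mask_search_term("123456789")))
    # The same result without the helper, by typing the masked value directly.
    print(search(INDEXED, "xxxxx6789"))
```

Keeping the two groups apart therefore has to rely on access control over the data itself rather than on who may call the masking helper.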