Hello Splunkers,
In my environment, we currently send C:\windows\system32\winevt\Logs*.evtx on our windows servers over to Splunk to get indexed.
Recently I was made aware that apparently somewhere within these .evtx files are cleartext passwords. I performed the following search and sure enough, it produced a table of accounts and cleartext passwords:
index=windows sourcetype=ActiveDirectory sAMAccountType=805306369 ms_Mcs_AdmPwd=* | rename ms_Mcs_AdmPwd as "Local Admin PWD" name as Hostname | dedup Hostname | table Hostname,"Local Admin PWD"
What is the best way to filter out the cleartext passwords so either those events don't get indexed OR don't show up in the clear as search results?
Thanks in advance!
@vanderaj2 filtering the clear text events out of Splunk would still expose the account at the host machine if they are being written to disk / log file in clear text. I would suggest you look at the source of the application writing the events and have them removed or hashed from the source.
Until then, you can anonymize new data coming into Splunk
https://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Anonymizedata
or mask the data at search time
https://answers.splunk.com/answers/235405/how-do-i-partially-mask-or-anonymize-a-field-value.html
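Worked example of the index-time option from the answer above (added here, not part of the original reply or of the linked Splunk docs): a props.conf SEDCMD on the `ActiveDirectory` sourcetype that replaces the LAPS password value before it is written to the index. It assumes the raw event carries the attribute as `ms-Mcs-AdmPwd=<value>` (hyphen or underscore form), and that the stanza is deployed on the indexer or heavy forwarder that parses this sourcetype, since SEDCMD runs at parse time.

```ini
# props.conf on the indexer / heavy forwarder (added example, not from the thread)
# Stanza name must match the sourcetype seen in the search: sourcetype=ActiveDirectory
[ActiveDirectory]
# Assumed raw format: "ms-Mcs-AdmPwd=<cleartext>" or "ms_Mcs_AdmPwd=<cleartext>".
# \1 keeps the attribute name so the field still extracts (and so the original
# search still finds the events), but its value is now a fixed mask.
SEDCMD-mask_laps_pwd = s/(ms[-_]Mcs[-_]AdmPwd\s*=\s*)\S+/\1********/g
# Optional: the expiration timestamp is not a secret, but masking it removes the
# hint of when the next rotation happens. Uncomment if wanted.
# SEDCMD-mask_laps_exp = s/(ms[-_]Mcs[-_]AdmPwdExpirationTime\s*=\s*)\S+/\1<masked>/g
```

This only affects data arriving after the change; events already indexed in cleartext keep their values until they age out or are deleted, and, as rphillips notes, the cleartext is still on the host until the source stops writing it.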
Thank you for the response! I'll pass that on to the Windows Admin team and take a look at the links on how to anonymize or mask that data as well.
@vanderaj2 - Did the answer provided by rphillips help provide a solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!