Splunk Cloud Platform

Securing Splunk Cloud Platform

Protect PII, PHI, and other sensitive data with field filters

Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.

READ THIS FIRST: Should you deploy field filters in your organization?

Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but it might not be a good fit for everyone. If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restricts by default (mpreview, mstats, tstats, typeahead, and walklex), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes that have field filters.

Overview

To protect your personal identifiable information (PII) and protected health information (PHI) data, and meet data privacy requirements, such as General Data Protection Regulation (GDPR) or other privacy regulations, you can use field filters in the Splunk platform to control which users can see your sensitive data. Field filters let you limit access to confidential information by redacting or obfuscating fields in events within searches for all roles, with optional role-based exemptions.

You can use field filters to remove _raw fields and indexed fields that are extracted from indexed events, or replace their values in search results when those fields are processed at search time, all without modifying the source events in your index. To redact a specific field, you can use a field filter to remove the field from the results of searches. Alternatively, you can redact the value of a specific field by replacing it with a custom string such as XXXX. Or you can obfuscate the field value by replacing it with a hash using SHA-256 or SHA-512 (SHA-2 family) hash functions. As a result, when your users run searches that include fields that are affected by field filters, they see only what you want them to see.

With field filters, you decide which sensitive information to protect and how, and which users have access to the data. One or more field filters can be applied to all roles, which then affect the results of searches run by users assigned with those roles. Privileged users who have authority to access the sensitive data can still see it, provided you exempt the roles they hold from your field filters. For more information on roles and capabilities, see Create and manage roles with Splunk Web.

Field filters protect sensitive data from appearing in search results, but do not affect the source data stored in Splunk platform indexes, since that data is immutable and remains unchanged. See Immutability of indexed data in Splunk Enterprise Managing Indexers and Clusters of Indexers.

Field filters use cases

There are many different ways you can use field filters in your organization. For example, say that only managers in your company are allowed to see certain confidential information about customers contained in a field called account. If you don't want non-managers to be able to access that information, you could create a field filter that deletes the account field from the search results. Then, you could exempt the role that your managers hold from the account field filter, so that the managers can still access that confidential information.

Or maybe you want to replace the value of the account field with a custom string such as HIDDEN, so someone who is not a manager can see the field name but not the true value. If you also don't want that person's searches to display the name of the network device that is generating the events, you can configure another field filter to replace the host name with a SHA-generated hash value. Then, the value of the host field in the searches displays as a long number instead of the actual host name, which helps protect your sensitive customer data even more.

Tasks for setting up field filters

The following table describes common tasks for setting up field filters.

Task Description For more information
Plan how field filters will be deployed in your organization. Before you start setting up your field filters, consider which fields will be filtered on which target indexes, how you want your field filters to obfuscate or redact fields, which roles will be exempted, the impact of field filters on searches, and so on. See Plan for field filters in your organization.
Create field filters to protect sensitive data. Use Splunk Web to add field filters to all nonexempt roles that remove a field using a null value, or replace the field value with a custom string such as XXXX or a hash using SHA-256 or SHA-512 (SHA-2 family) hash functions. See Create field filters using Splunk Web.
Optimize field filter performance by limiting field filters to specific hosts, sources, and source types. You can fine tune your field filters during or after creation by configuring them to filter events from specific hosts, sources, and source types. This is not required to set up field filters, but limiting field filters to specific hosts, sources, or source types can significantly improve search performance. See Optimize field filter performance using Splunk Web.
Exempt certain roles from field filters. If there are roles in your organization that need access to confidential data that you are restricting with field filters, you can exempt those roles from your field filters. See Exempt certain roles from field filters using Splunk Web.
Use Splunk REST API endpoints to create and manage field filters. If you don't want to use Splunk Web to create and manage your field filters, you can use Splunk platform REST API endpoints instead. For example, you might choose to use REST if you want to automate the creation of field filters across a large deployment. See the following in the Splunk platform REST API Reference Manual:
Use configuration files to create and manage field filters (Splunk Enterprise only). If you don't want to use Splunk Web to create and manage your field filters, you can use configuration files instead. For example, you might choose to use configuration files if you want to automate the creation of field filters across a large deployment.

To maintain data integrity and security, do not use configuration files to exempt roles from field filters.

See:

See also

About configuring role-based user access in this manual.
The sequence of search-time operations ​in the Splunk Cloud Platform Knowledge Manager Manual.
Last modified on 06 August, 2024
Troubleshoot token authentication   Plan for field filters in your organization

This documentation applies to the following versions of Splunk Cloud Platform: 9.2.2403, 9.2.2406 (latest FedRAMP release)


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters