Mask personally-identifiable information in Splunk UBA
To share information in Splunk UBA without disclosing personally identifiable information (PII), you can mask PII in Splunk UBA. Administrators can mask or unmask PII for all users or specific users.
PII masking in Splunk UBA
Enabling PII masking in Splunk UBA causes the name, employee ID number, telephone number, email address, and user name (login ID) of each user in Splunk UBA to be replaced with a string of characters. If you export or download dashboard information while PII is masked, the PII is masked in the downloaded information. If you send a threat email while PII is masked, the PII is masked in the email.
Information sent automatically from Splunk UBA, such as threats and anomalies sent to Splunk Enterprise Security, ServiceNow, or email using the output connectors, is unaffected by PII masking. Masking PII affects only the display of information on Splunk UBA. No data is modified.
Masking PII hides raw and triggering events from the Splunk platform. Instead, to view the raw or triggering events from the Splunk platform, click view contributing events to view the events in the Splunk platform. The data in the Splunk platform events is not masked, but you can use other access control mechanisms to prevent users without the proper access privileges from viewing PII in the Splunk platform.
Enable PII masking for all users in Splunk UBA
As an administrator, you can enable PII masking for all users by performing the following procedure:
- Log in to Splunk UBA as an admin.
- Select Manage > Settings.
- In the PII Masking section, select Enable PII Masking.
- Select an Unmask Time. Users can be allowed to unmask PII by being granted the specific privilege to do so, or by being assigned to a role with the privilege. See Allow local users to unmask PII in Splunk UBA and Allow non-local users to unmask PII in Splunk UBA. The unmask time is the amount of time that users can view PII after unmasking PII. You can select 15 minutes, 30 minutes, or 1 hour.
- Select the fields you want to mask.
Field Description Masked fields pertaining to users User Name Mask the name of the user. Employee Id Mask the employee ID of the user. OU Mask the organizational unit (OU) of the user. Phone Mask the phone number of the user. Street Mask the street name of the user's address. City Mask the name of the city where the user resides. State Mask the name of the state where the user resides. Country Mask the name of the country where the user resides. Masked fields pertaining to accounts Login Id Mask the login ID of the user's account. Email Address Mask the email address of the user's account. Domain and LoginId Mask the domain and login ID of the user's account. Masked fields pertaining to devices Device Name Mask all device-related PII fields:
- Host name, IP address, and MAC address
- Business Unit
- Asset tag
- Device FQDN
- Managed by
- Created by
- Cost center
See Asset data fields in the Get Data into Splunk User Behavior Analytics manual.
- Click OK to enable PII masking.
Allow local users to unmask PII in Splunk UBA
Follow the procedure in this section to disable PII masking for local users created in Splunk UBA.
When PII masking is disabled, PII is not masked.
- Log in to Splunk UBA.
- Verify that PII masking is enabled for all users in the system. See Enable PII masking for all users in Splunk UBA.
- Select Manage > UBA Accounts.
- Hover on the table row for the user you want to edit, then select the edit icon () for that user.
- Disable PII masking based on the user role:
- Users assigned to the PII_Unmask role have permissions to unmask PII as given by the PII Unmask privilege in the role, even if the Allow PII Unmasking checkbox is not selected.
- For users in the User, Analyst, or Content_Developer roles, click the checkbox in Allow PII Unmasking.
In both cases, the user can view PII for the configured Unmask Time (the default is 30 minutes). To mask PII before the unmask time expires, refresh the browser. After logging in, they can select Unmask PII from the menu bar by clicking on their account name.Admin users have permissions to unmask PII by default and will not see the Allow PII Unmasking checkbox.
- Click OK to allow this user to unmask PII.
Allow non-local users to unmask PII in Splunk UBA
Follow the procedure in this section to disable PII masking for all non-local users authenticating to Splunk UBA, including SSO or Splunk platform users. This is the only way for non-local users to be able to unmask PII. While this procedure also works for local users, it is not recommended because the PII_Unmask role has only a subset of the privileges in the User or Analyst role. For local users, follow the procedure in Allow local users to unmask PII in Splunk UBA.
When PII masking is disabled, PII is not masked.
- In Splunk UBA, verify that PII masking is enabled for all users in the system. See Enable PII masking for all users in Splunk UBA.
- Sign in to your SSO system.
- For any user you want to be able to disable PII masking, assign them to the PII_Unmask role in Splunk UBA.
When the user logs in to Splunk UBA, they can select Unmask PII from the menu bar by clicking on their account name.
The user can view PII for the configured Unmask Time (the default is 30 minutes). To mask PII before the unmask time expires, refresh the browser.
Customize anomaly scoring rules
Disable the Splunk UBA web interface timeout
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 22.214.171.124, 5.0.5, 126.96.36.199, 5.1.0, 188.8.131.52, 5.2.0
Feedback submitted, thanks!