Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

Mask personally-identifiable information in Splunk UBA

To share information in Splunk UBA without disclosing personally identifiable information (PII), you can mask PII in Splunk UBA. Administrators can mask or unmask PII for all users or specific users.

PII masking in Splunk UBA

Enabling PII masking in Splunk UBA causes the name, employee ID number, telephone number, email address, and user name (login ID) of each user in Splunk UBA to be replaced with a string of characters. If you export or download dashboard information while PII is masked, the PII is masked in the downloaded information. If you send a threat email while PII is masked, the PII is masked in the email.

Information sent automatically from Splunk UBA, such as threats and anomalies sent to Splunk Enterprise Security, ServiceNow, or email using the output connectors, is unaffected by PII masking. Masking PII affects only the display of information on Splunk UBA. No data is modified.

Masking PII hides the raw and triggering events that come from the Splunk platform. To view the raw or triggering events instead, click view contributing events to view the events in the Splunk platform. The data in the Splunk platform events is not masked, but you can use other access control mechanisms to prevent users without the proper access privileges from viewing PII in the Splunk platform.

Enable PII masking for all users in Splunk UBA

As an administrator, you can enable PII masking for all users by performing the following procedure:

  1. Log in to Splunk UBA as an admin.
  2. Select Manage > Settings.
  3. In the PII Masking section, select Enable PII Masking.
  4. Select an Unmask Time. The unmask time is the amount of time that users can view PII after unmasking PII. You can select 15 minutes, 30 minutes, or 1 hour. Users can be allowed to unmask PII by being granted the specific privilege to do so, or by being assigned to a role with the privilege. See Allow local users to unmask PII in Splunk UBA and Allow non-local users to unmask PII in Splunk UBA.
  5. Select the fields you want to mask.
    Masked fields pertaining to users:
    • User Name: Mask the name of the user.
    • Employee Id: Mask the employee ID of the user.
    • OU: Mask the organizational unit (OU) of the user.
    • Phone: Mask the phone number of the user.
    • Street: Mask the street name of the user's address.
    • City: Mask the name of the city where the user resides.
    • State: Mask the name of the state where the user resides.
    • Country: Mask the name of the country where the user resides.

    Masked fields pertaining to accounts:
    • Login Id: Mask the login ID of the user's account.
    • Email Address: Mask the email address of the user's account.
    • Domain and LoginId: Mask the domain and login ID of the user's account.

    Masked fields pertaining to devices:
    • Device Name: Mask all device-related PII fields:
        • Host name, IP address, and MAC address
        • Owner
        • City
        • Business Unit
        • Country
        • Asset tag
        • Department
        • Device FQDN
        • Managed by
        • Created by
        • Cost center

    See Asset data fields in the Get Data into Splunk User Behavior Analytics manual.

  6. Click OK to enable PII masking.

Allow local users to unmask PII in Splunk UBA

Follow the procedure in this section to disable PII masking for local users created in Splunk UBA.

When PII masking is disabled, PII is not masked.

  1. Log in to Splunk UBA.
  2. Verify that PII masking is enabled for all users in the system. See Enable PII masking for all users in Splunk UBA.
  3. Select Manage > UBA Accounts.
  4. Hover over the table row for the user you want to edit, then select the edit icon for that user.
  5. Disable PII masking based on the user role:
    • Users assigned to the PII_Unmask role have permissions to unmask PII as given by the PII Unmask privilege in the role, even if the Allow PII Unmasking checkbox is not selected.
    • For users in the User, Analyst, or Content_Developer roles, click the checkbox in Allow PII Unmasking.

    In both cases, after logging in, the user can select Unmask PII from the menu bar by clicking their account name. The user can then view PII for the configured Unmask Time (the default is 30 minutes). To mask PII before the unmask time expires, refresh the browser.
    This screen image shows a portion of the Splunk UBA menu bar. The user name "user2" is shown as clicked, with the following drop-down items visible: Profile, Unmask PII, and Logout. The Unmask PII option is selected.

    Admin users have permissions to unmask PII by default and will not see the Allow PII Unmasking checkbox.
  6. Click OK to allow this user to unmask PII.

Allow non-local users to unmask PII in Splunk UBA

Follow the procedure in this section to disable PII masking for all non-local users authenticating to Splunk UBA, including SSO or Splunk platform users. This is the only way for non-local users to be able to unmask PII. While this procedure also works for local users, it is not recommended because the PII_Unmask role has only a subset of the privileges in the User or Analyst role. For local users, follow the procedure in Allow local users to unmask PII in Splunk UBA.

When PII masking is disabled, PII is not masked.

  1. In Splunk UBA, verify that PII masking is enabled for all users in the system. See Enable PII masking for all users in Splunk UBA.
  2. Sign in to your SSO system.
  3. For any user you want to be able to disable PII masking, assign them to the PII_Unmask role in Splunk UBA.

When the user logs in to Splunk UBA, they can select Unmask PII from the menu bar by clicking on their account name.
This screen image shows a portion of the Splunk UBA menu bar. The user name "user2" is shown as clicked, with the following drop-down items visible: Profile, Unmask PII, and Logout. The Unmask PII option is selected.

The user can view PII for the configured Unmask Time (the default is 30 minutes). To mask PII before the unmask time expires, refresh the browser.

Last modified on 25 February, 2020

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1

