CyrilChu (Copper Contributor)
May 19, 2022
Sentinel mask or remove specific sensitive data field
Hi everyone, I am using the Office 365 data collector. This collector will collect the Exchange log from O365. The Exchange log will include the email subject, and it may contain some sensitive data.
Can Sentinel mask or remove this email subject field before we search it?
Search query:
OfficeActivity
| where RecordType == "ExchangeItemGroup" or RecordType == "ExchangeItem"
| extend Subject_ = tostring(parse_json(Item).Subject)
| where Subject_ <> ""
| project Subject_
7 Replies
- TDPan1 (Copper Contributor)
Based on my understanding,
the process is just like ETL:
(1, Extract) Source system (e.g. Exchange Online) -> (2, Transform) Data collection rules -> (3, Load) Sentinel workspace
If masking or removing sensitive data before loading to the workspace is required, it needs to be done in the (2, Transform) state; please apply KQL in Data collection rules to do that.
Pan DT
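The following KQL is an added example, not part of any post in this thread: it shows the kind of query the Transform stage described above could apply, removing Subject from the Item JSON, run against a constructed sample table (SampleSource, made-up values) so it can be tried in a query window. In a data collection rule the pipeline reads from the `source` input instead; that OfficeActivity and each function used here are accepted by the transformation engine is an assumption to confirm against the Azure Monitor documentation.

```kql
// Constructed sample rows standing in for incoming OfficeActivity records.
// Column names follow the query in the question; the values are made up.
let SampleSource = datatable(TimeGenerated: datetime, RecordType: string, UserId: string, Item: string)
[
    datetime(2022-05-19 08:00:00), "ExchangeItem", "alice@contoso.example",
        '{"Id":"A1","Subject":"Payroll figures Q2","SizeInBytes":2048}',
    datetime(2022-05-19 08:05:00), "ExchangeItemGroup", "bob@contoso.example",
        '{"Id":"B7","Subject":"","SizeInBytes":512}',
    datetime(2022-05-19 08:10:00), "ExchangeItem", "carol@contoso.example",
        'not-json',
    datetime(2022-05-19 08:15:00), "ExchangeAdmin", "admin@contoso.example",
        ''
];
// Transformation body (assumed to be what the rule would run on `source`):
// drop the Subject key from the Item JSON and keep every other key.
let Transformed = SampleSource
| extend ItemBag = parse_json(Item)
// Only rewrite Exchange item rows whose Item parsed into a property bag.
| extend IsItemRow = RecordType in ("ExchangeItem", "ExchangeItemGroup")
                     and gettype(ItemBag) == "dictionary"
| extend Item = iff(IsItemRow,
                    tostring(bag_remove_keys(ItemBag, dynamic(["Subject"]))),
                    Item)   // unparsable or unrelated rows pass through as-is
| project-away ItemBag, IsItemRow;
// Check with the same extraction the question used: Subject_ must be empty.
Transformed
| extend Subject_ = tostring(parse_json(Item).Subject)
| project TimeGenerated, RecordType, UserId, Item, Subject_
```

A transformation only affects records ingested after it is applied; rows already in the workspace keep their Subject value.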
- mikhailf (Steel Contributor)
TDPan1,
Great idea. The Data Collection Rules can help here.
CyrilChu, please check the following links:
Data Collection Rules in Azure Monitor - Azure Monitor | Microsoft Docs
- CyrilChu (Copper Contributor)
- mikhailf (Steel Contributor)
Hello CyrilChu,
You can use the "project-away" operator to hide the Subject column.
project-away operator - Azure Data Explorer | Microsoft Docs
- CyrilChu (Copper Contributor)
Thanks for your help, the "project-away" operator can hide the Subject column at search time.
Is there any method to mask or remove specific sensitive data fields on the raw log base?
- mikhailf (Steel Contributor)
Do you want to remove the sensitive data from the Log Analytics workspace itself?