Forum Discussion

Copper Contributor

May 19, 2022

Solved

Sentinel mask or remove specific sensitive data field

Hi everyone, I am using Office 365 data collector. This collector will collect Exchange Log from O365. The exchange log will include the email subject and it may contain some sensitive data. Can Sen...

Log Data

TDPan1
May 31, 2022
CyrilChu

Based on my understanding,
The process just like ETL
(1,Extract) Sources System (e.g. Exchange Online) -> (2,Transform) Data collection rules -> (3,Load) Sentinel Workspace

If mask or remove sensitive data before load to workspace required, it need done in (2,Transform) state, please apply KQL in Data collection rules to do that.

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-sentinel-support-for-ingestion-time-data/ba-p/3244531

Pan DT

TDPan1

Copper Contributor

May 31, 2022

CyrilChu

Based on my understanding,

The process just like ETL

(1,Extract) Sources System (e.g. Exchange Online) -> (2,Transform) Data collection rules -> (3,Load) Sentinel Workspace

If mask or remove sensitive data before load to workspace required, it need done in (2,Transform) state, please apply KQL in Data collection rules to do that.

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-sentinel-support-for-ingestion-time-data/ba-p/3244531

Pan DT

mikhailf
Iron Contributor
May 31, 2022
TDPan1 ,
Great idea. The Data Collection Rules can help here.

CyrilChu please, check the following links:
Data Collection Rules in Azure Monitor - Azure Monitor | Microsoft Docs
Tutorial - Add ingestion-time transformation to Azure Monitor Logs using Azure portal - Azure Monitor | Microsoft Docs
- CyrilChu
  Copper Contributor
  Jun 01, 2022
  Hi TDPan1 and mikhailf,
  
  The ingestion-time transformation can solve my problem. Thanks both very much.
  - Nayan007
    Copper Contributor
    May 11, 2023
    I have one problem when we do PII mask data at time of ingestion transformation it mask the data permanently and how can I allow only certain RBAC Role to see mask data