Microsoft Tech Community
SOLVED

Sentinel mask or remove specific sensitive data field


Hi everyone, I am using the Office 365 data collector. This collector will collect Exchange logs from O365. The Exchange log will include the email subject, and it may contain some sensitive data.

Can Sentinel mask or remove this email subject field before we search it?

Search query:

OfficeActivity
| where RecordType == "ExchangeItemGroup" or RecordType == "ExchangeItem"
| extend Subject_ = tostring(parse_json(Item).Subject)
| where Subject_ <> ""
| project Subject_

 

7 Replies

Hello @CyrilChu,

 

You can use the "project-away" operator to hide the Subject column. 

project-away operator - Azure Data Explorer | Microsoft Docs

 

 


Thanks for your help, the "project-away" operator can hide the Subject column at search time.
Is there any method to mask or remove specific sensitive data fields on the raw log base?

Do you want to remove the sensitive data from the Log Analytics workspace itself?

best response confirmed by CyrilChu (Copper Contributor)
Solution

@CyrilChu 

 

Based on my understanding,

The process is just like ETL:

(1,Extract) Sources System (e.g. Exchange Online)  -> (2,Transform) Data collection rules -> (3,Load) Sentinel Workspace

If masking or removing sensitive data before loading to the workspace is required, it needs to be done in the (2,Transform) state; please apply KQL in Data collection rules to do that.

 

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-sentinel-support-for-ingest...

 

Pan DT
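
Added example, not part of the original reply or of Microsoft's documentation: a sketch of the KQL that such a data collection rule transformation could carry for this thread's OfficeActivity case. It assumes the Item column is a string holding JSON (as the question's parse_json(Item) suggests) and that bag_remove_keys is accepted by the KQL subset available to transformations; the first query is a search-time preview to run before deploying the second.

```kusto
// 1) Preview in Log Analytics (search time, nothing stored is changed):
//    confirm that no Subject survives the rewrite.
OfficeActivity
| where TimeGenerated > ago(1d)
| where RecordType in ("ExchangeItem", "ExchangeItemGroup")
| extend Item = iff(isnotempty(Item),
                    tostring(bag_remove_keys(parse_json(Item), dynamic(["Subject"]))),
                    Item)
| extend Subject_ = tostring(parse_json(Item).Subject)
| summarize Records = count(), StillHasSubject = countif(Subject_ <> "")

// 2) Transformation for the data collection rule: the same rewrite, reading
//    from the virtual table `source` instead of OfficeActivity.
//    Other record types pass through unchanged.
source
| extend Item = iff(RecordType in ("ExchangeItem", "ExchangeItemGroup") and isnotempty(Item),
                    tostring(bag_remove_keys(parse_json(Item), dynamic(["Subject"]))),
                    Item)
```

StillHasSubject should be 0 in the preview before the transformation is deployed. If the transformation editor rejects bag_remove_keys, replacing the rewritten value with an empty string drops the whole Item value for those record types instead.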

Hi @TDPan1 and @mikhailf,

The ingestion-time transformation can solve my problem. Thanks both very much.

I have one problem: when we mask PII data with an ingestion-time transformation, it masks the data permanently. How can I allow only certain RBAC roles to see the masked data?