cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Sentinel mask or remove specific sensitive data field

CyrilChu
Copper Contributor

‎May 19 2022 01:54 AM

‎May 19 2022 01:54 AM

Sentinel mask or remove specific sensitive data field

Hi everyone, I am using Office 365 data collector. This collector will collect Exchange Log from O365. The exchange log will include the email subject and it may contain some sensitive data.

Can Sentinel mask or remove this email subject field before we search it?CyrilChu_0-1652950411762.png

CyrilChu_1-1652949941120.png

 

Search query:

OfficeActivity
| where RecordType == "ExchangeItemGroup" or RecordType == "ExchangeItem"
| extend Subject_ = tostring(parse_json(Item).Subject)
| where Subject_ <> ""
| project Subject_

 

Labels:
3,054 Views
0 Likes
7 Replies
Reply
7 Replies
mikhailf

‎May 19 2022 02:10 AM

‎May 19 2022 02:10 AM

Re: Sentinel mask or remove specific sensitive data field

Hello @CyrilChu,

 

You can use the "project-away" operator to hide the Subject column. 

project-away operator - Azure Data Explorer | Microsoft Docs

 

 

0 Likes
Reply
CyrilChu

‎May 19 2022 02:18 AM

‎May 19 2022 02:18 AM

Re: Sentinel mask or remove specific sensitive data field


Thanks for your help, the "project-away" operator can hide the Subject column when search time.
Is any method to mask or remove specific sensitive data fields on the raw log base?
0 Likes
Reply
mikhailf

‎May 19 2022 02:23 AM

‎May 19 2022 02:23 AM

Re: Sentinel mask or remove specific sensitive data field

Do you want to remove the sensitive data from the Log Analytics workspace itself?
0 Likes
Reply
best response confirmed by CyrilChu (Copper Contributor)
TDPan1

‎May 30 2022 08:14 PM

‎May 30 2022 08:14 PM

Solution

Re: Sentinel mask or remove specific sensitive data field

@CyrilChu 

 

Based on my understanding, 

The process just like ETL

(1,Extract) Sources System (e.g. Exchange Online)  -> (2,Transform) Data collection rules -> (3,Load) Sentinel Workspace

 

If mask or remove sensitive data before load to workspace required, it need done in (2,Transform) state, please apply KQL in Data collection rules to do that.  

 

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-sentinel-support-for-ingest...

 

Pan DT

2 Likes
Reply
CyrilChu

‎May 31 2022 07:11 PM

‎May 31 2022 07:11 PM

Re: Sentinel mask or remove specific sensitive data field

Hi @TDPan1 and @mikhailf,

The ingestion-time transformation can solve my problem. Thanks both very much.
0 Likes
Reply
Nayan007

‎May 11 2023 12:50 AM

‎May 11 2023 12:50 AM

Re: Sentinel mask or remove specific sensitive data field

I have one problem when we do PII mask data at time of ingestion transformation it mask the data permanently and how can I allow only certain RBAC Role to see mask data
0 Likes
Reply