Sentinel mask or remove specific sensitive data field


Hi everyone, I am using the Office 365 data collector. This collector collects Exchange logs from O365. The Exchange log includes the email subject, and it may contain some sensitive data.

Can Sentinel mask or remove this email subject field before we search it?



Search query:

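// Source table added for completeness (assumed: OfficeActivity, the table the Office 365 connector writes to)
OfficeActivity
| where RecordType == "ExchangeItemGroup" or RecordType == "ExchangeItem"
| extend Subject_ = tostring(parse_json(Item).Subject)
| where Subject_ <> ""
| project Subject_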


7 Replies

Hello @CyrilChu,


You can use the "project-away" operator to hide the Subject column. 

project-away operator - Azure Data Explorer | Microsoft Docs



Thanks for your help. The "project-away" operator can hide the Subject column at search time.
Is there any method to mask or remove specific sensitive data fields at the raw log level?

Do you want to remove the sensitive data from the Log Analytics workspace itself?
best response confirmed by CyrilChu (Copper Contributor)



Based on my understanding,

The process is just like ETL:

(1, Extract) Source system (e.g. Exchange Online) -> (2, Transform) Data collection rules -> (3, Load) Sentinel workspace


If masking or removing sensitive data before loading to the workspace is required, it needs to be done in the (2, Transform) stage. Please apply KQL in data collection rules to do that.


Pan DT
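
One way to write the (2, Transform) step described in the answer above, added here as an example and not part of the thread or of Microsoft's documentation: a transformation query for a data collection rule on the OfficeActivity table. It assumes that Item arrives as a JSON string (as in the question's query), that Id, ParentFolder and Attachments are the Item keys worth keeping, and that the functions used are available in the KQL subset that transformations accept.

```kql
// Added example: ingestion-time transformation (the transformKql of a DCR).
// "source" is the virtual input table that a transformation reads from.
source
// Parse the JSON string once; ItemJson is a temporary column (hypothetical name).
| extend ItemJson = parse_json(Item)
| extend Item = iif(
    // Same record types as the search query in the question.
    (RecordType == "ExchangeItem" or RecordType == "ExchangeItemGroup")
        and isnotempty(tostring(ItemJson.Subject)),
    // Rebuild Item from an allow-list of keys (assumed to be non-sensitive)
    // and store a fixed marker in place of the real subject.
    tostring(bag_pack(
        "Id", ItemJson.Id,
        "ParentFolder", ItemJson.ParentFolder,
        "Attachments", ItemJson.Attachments,
        "Subject", "[REDACTED]")),
    // Rows of other record types, or rows without a subject, pass through unchanged.
    Item)
// Drop the temporary column so the output schema matches the destination table.
| project-away ItemJson
```

The subject never reaches the workspace with this transformation, so it cannot be recovered from the stored rows later. Any Item key not named in the allow-list is dropped as well, so review a sample of raw records before deciding which keys to keep.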

Hi @TDPan1 and @mikhailf,

The ingestion-time transformation can solve my problem. Thank you both very much.

I have one problem: when we mask PII data with an ingestion-time transformation, it masks the data permanently. How can I allow only certain RBAC roles to see the masked data?