Cloud-delivered Advanced Analytics / Exabeam Advanced Analytics Administration Guide

Mask Data for Notifications

You can configure Advanced Analytics to mask specific fields when sending notable sessions and/or anomalous rules via email, Splunk, and QRadar. This prevents exposure of sensitive data when viewing alerts sent to external destinations.

Note

Advanced Analytics activity log data is not masked or obfuscated when sent via Syslog. It is your responsibility to upload the data to a dedicated index which is available only to users with appropriate privileges.

Before proceeding through the steps below, ensure your deployment has:

  • Enabled data masking (instructions below)

  • Configured a destination for Notable Sessions notifications sent from Advanced Analytics via Notifications

By default, all fields in a notification are unmasked. To enable data masking for notifications, set the Enabled field to true in the application.conf file located in /opt/exabeam/config/tequila/custom.

NotificationRouter {
    ...
    Masking {
        Enabled = true
        Types = []
        NotableSessionFields = []
        AnomaliesRulesFields = []
    }
}

Use the Types field to add the notification destinations (Syslog, Email, QRadar, and/or Splunk). Then, use the NotableSessionFields and AnomaliesRulesFields to mask specific fields included in a notification.

For example, if you want to mask the user, source host and IP, and destination host and IP for notifications sent via syslog and Splunk, then you would configure the lists as shown below:

NotificationRouter {
    ...
    Masking {
        Enabled = true
        Types = [Syslog, Splunk]
        NotableSessionFields = ["user", "src_host", "src_ip", "dest_host", "dest_ip"]
    }
}
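
A masking configuration can look enabled and still leave a destination or a notification type uncovered. The following is an added example, not Exabeam code: a small audit of the Masking block that reports such gaps. The function names, the `destinations_in_use` parameter and the reading of an empty list as "nothing masked" are assumptions made for illustration.

```python
import re
# Destination names the page lists for the Types field.
KNOWN_TYPES = {"Syslog", "Email", "QRadar", "Splunk"}

def parse_masking(conf_text):
    """Extract the Masking block's settings from application.conf text."""
    block = re.search(r"\bMasking\s*\{([^{}]*)\}", conf_text)
    if block is None:
        return None
    body = block.group(1)
    enabled = re.search(r"^\s*Enabled\s*[=:]\s*(\w+)", body, re.M)
    settings = {"Enabled": bool(enabled) and enabled.group(1).lower() == "true"}
    for key in ("Types", "NotableSessionFields", "AnomaliesRulesFields"):
        m = re.search(r"^\s*" + key + r"\s*[=:]\s*\[([^\]]*)\]", body, re.M)
        items = m.group(1).split(",") if m else []
        settings[key] = [i.strip().strip('"') for i in items if i.strip()]
    return settings

def audit_masking(conf_text, destinations_in_use):
    """Return a list of findings; an empty list means no gaps were found."""
    s = parse_masking(conf_text)
    if s is None:
        return ["no Masking block: notification fields are sent unmasked"]
    findings = []
    if not s["Enabled"]:
        findings.append("Enabled is not true: masking is off")
    for t in s["Types"]:
        if t not in KNOWN_TYPES:
            findings.append(f"unrecognised destination in Types: {t}")
    # destinations_in_use is supplied by the operator (hypothetical input).
    for d in sorted(set(destinations_in_use) - set(s["Types"])):
        findings.append(f"destination {d} is in use but not listed in Types")
    # Assumption: an empty or absent list masks nothing (the page's default).
    for key in ("NotableSessionFields", "AnomaliesRulesFields"):
        if not s[key]:
            findings.append(f"{key} is empty or missing")
    return findings

# Constructed sample: the second configuration block from this page.
SAMPLE = """
NotificationRouter {
    Masking {
        Enabled  = true
        Types = [Syslog, Splunk]
        NotableSessionFields = ["user", "src_host", "src_ip", "dest_host", "dest_ip"]
    }
}
"""
print(audit_masking(SAMPLE, ["Syslog", "Splunk", "Email"]))
```

Run against the sample, the audit reports that Email is in use but absent from Types and that AnomaliesRulesFields is not set, so anomalous-rule notifications would carry unmasked fields.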