Internal: How to mask specific meta keys in RSA Security Analytics 10.4 and below
Issue
Administrators wish to allow their analysts to investigate incidents while not allowing them to view or export the actual meta values in a specific meta key (e.g. credit card numbers) within the RSA Security Analytics UI.
Tasks
To mask a specific meta key in Security Analytics, follow the steps below.
- Create an Application Rule on the Decoder or Log Decoder in question to truncate the session containing the meta, as explained here.
- After creating the rule, the meta key should no longer show any content in the sessions.
- Next, download the attached Tokenization LUA parser (tokenize.lua) and edit it where necessary to apply to the meta key being masked, which will cause the values to be hashed.
Although performing this procedure will prevent the meta value content from being displayed in Security Analytics, you will still be able to see the count and source meta, as well as other meta related to the session.
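The effect of tokenizing a masked meta key, as an added Python illustration that is not the attached tokenize.lua or any RSA code: it assumes a keyed HMAC-SHA-256 token (the page does not say which hash the parser uses) and a hypothetical meta key named `ccnum`. It shows that identical values still group and count together while the raw value is gone and other meta is untouched; a key is used because card numbers come from a small enough space that an unkeyed hash can be matched by enumeration.

```python
import hashlib
import hmac
from collections import Counter

# Assumption: a per-deployment secret, stored outside the parser file and the UI.
TOKEN_KEY = b"constructed-demo-key"
# Assumption: hypothetical name of the meta key that holds card numbers.
MASKED_KEYS = {"ccnum"}


def tokenize(value: str, key: bytes = TOKEN_KEY) -> str:
    """Return a deterministic keyed token for one meta value."""
    # Strip common separators so the same card number always maps to one token.
    canonical = value.replace(" ", "").replace("-", "")
    digest = hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:32]  # 128 bits of the MAC is enough for grouping


def mask_session(meta: dict, masked_keys=MASKED_KEYS) -> dict:
    """Copy a session's meta, replacing values of masked keys with tokens."""
    return {k: tokenize(v) if k in masked_keys else v for k, v in meta.items()}


def counts_by_token(sessions, key_name: str) -> Counter:
    """Count sessions per token, as an analyst would see them after masking."""
    masked = (mask_session(s) for s in sessions)
    return Counter(m[key_name] for m in masked if key_name in m)


# Constructed sample sessions using well-known test card numbers, not real data.
SAMPLE_SESSIONS = [
    {"ip.src": "10.0.0.5", "ccnum": "4111 1111 1111 1111"},
    {"ip.src": "10.0.0.9", "ccnum": "4111-1111-1111-1111"},
    {"ip.src": "10.0.0.5", "ccnum": "5555555555554444"},
]

if __name__ == "__main__":
    for session in SAMPLE_SESSIONS:
        print(mask_session(session))
    print(counts_by_token(SAMPLE_SESSIONS, "ccnum"))
```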
Notes
RSA Security Analytics 10.5 provides new Data Privacy features that will more adequately perform this procedure.
This process should usually be performed by a Professional Services resource and this article exists only to document the procedure.
Product Details
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI, Decoder, Log Decoder
RSA Version/Condition: 10.3.x, 10.4.x
Platform: CentOS
O/S Version: EL5, EL6
Summary
How to mask confidential meta data (e.g. credit card numbers) so that investigations can be performed but the actual values cannot be retained or viewed.