RSA Admin

Tokenization of meta data

Discussion created by RSA Admin Employee on Jul 2, 2014
Latest reply on Jul 3, 2014 by RSA Admin

The attached proof-of-concept Lua parser can be used for simple tokenization purposes in RSA Security Analytics. This will work in both a Logs and a Packet environment. The purpose of this is to anonymize or tokenize data inside the meta database only. Other content is not modified.

This example parser reads "user.dst" meta and writes a CRC32 hash of the value to the "user.dst.token" meta. It can be used for other text meta, but this would require the parser to be modified. The destination meta needs to be created in index-concentrator-custom.xml if it does not exist already.

The original packet/log/meta may need to be removed, or access to it may need to be restricted. There are multiple ways of doing this:

1) On a log decoder, modify table-map-custom.xml and set the original value to transient. This way it won't store the original meta.

2) Meta access in the Investigation module can be restricted by using sdk.roles=2 in the explorer settings for the concentrator and then setting RBAC for individual meta keys.

3) Another option is to restrict meta consumption on the concentrator, to not consume certain meta keys with a filter statement.
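The following Python model is an added example, not the attached Lua parser and not RSA code. It reproduces the user.dst to user.dst.token mapping with option 1 applied, and checks how far an unkeyed CRC32 token actually anonymizes a user name. The hex token format, the sample sessions, the normalization step and the keyed HMAC variant are assumptions made for illustration.

```python
import hashlib
import hmac
import zlib


def crc32_token(value: str) -> str:
    """CRC32 of the meta value, as the post describes (hex formatting is assumed)."""
    return format(zlib.crc32(value.encode("utf-8")) & 0xFFFFFFFF, "08x")


def hmac_token(value: str, key: bytes) -> str:
    """Keyed variant (assumption, not in the post): truncated HMAC-SHA256."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def tokenize_session(meta: dict, tokenizer, normalize=str.lower) -> dict:
    """Add user.dst.token and drop user.dst, as if the original were transient."""
    out = {k: v for k, v in meta.items() if k != "user.dst"}
    if "user.dst" in meta:
        # Normalizing first keeps "Alice" and "alice" on one token.
        out["user.dst.token"] = tokenizer(normalize(meta["user.dst"]))
    return out


def reidentifiable(stored: list, known_users: list, tokenizer) -> dict:
    """Audit check: which stored tokens map back to a known user list?"""
    lookup = {tokenizer(u.lower()): u for u in known_users}
    tokens = {s["user.dst.token"] for s in stored if "user.dst.token" in s}
    return {t: lookup[t] for t in tokens if t in lookup}


# Constructed sample session meta, not real data.
SESSIONS = [
    {"user.dst": "alice", "ip.src": "10.0.0.5"},
    {"user.dst": "Bob", "ip.src": "10.0.0.6"},
    {"user.dst": "Alice", "ip.src": "10.0.0.7"},
    {"ip.src": "10.0.0.8"},  # session without user.dst stays untouched
]
DIRECTORY = ["alice", "bob", "carol"]  # constructed user list
SECRET = b"constructed-demo-key"       # placeholder key for the keyed variant

if __name__ == "__main__":
    plain = [tokenize_session(s, crc32_token) for s in SESSIONS]
    keyed = [tokenize_session(s, lambda v: hmac_token(v, SECRET)) for s in SESSIONS]
    # Unkeyed CRC32: anyone holding a user list recomputes the same tokens.
    print("crc32 re-identified:", reidentifiable(plain, DIRECTORY, crc32_token))
    # Keyed: without SECRET the recomputed tokens do not match.
    print("hmac re-identified:",
          reidentifiable(keyed, DIRECTORY, lambda v: hmac_token(v, b"wrong-key")))
```

Because CRC32 is unkeyed and only 32 bits wide, the token is a stable pseudonym that is useful for correlation. It should sit behind the same access restrictions as the original meta wherever re-identification matters.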
