Redacted password in process command line

Hi, I would like to know if Chronicle has the capability to redact passwords while ingesting data. We log CrowdStrike Falcon and notice that passwords are redacted in the process command line. We would like to know if this is something CrowdStrike does or a Chronicle feature.

If Chronicle is not doing it, is it something we could do at the ingestion level?

Best regards, 


Hi, 

Chronicle does not modify the raw logs. What is ingested into Chronicle is what you observe in the UI. 

Regarding redacting at the source, it is something you might need to check with the log source documentation.

I already looked at the parser config... Nothing caught my attention. Anyway, is it something the Chronicle forwarder or a Chronicle parser could do, based on the log source?

Unfortunately, neither the forwarder nor the parsers can modify the actual raw logs. The parsers only control what is mapped to the UDM events, but do not modify the actual raw log source.

You might want to look at something like Cribl, BindPlane (free for Chronicle, but it needs hardware, so it's not free), or Logstash, which can do this type of ETL (extract, transform, and load).

Also, you seem to be treating the symptoms and not the root cause. I would find out why people put things in the command line in the first place. I assume it is something like API keys? TELL THEM TO STOP and use environment variables.

Also, what you are asking to do (in my opinion) is non-trivial. For me personally, if someone puts something in the logs, it's fair game... I need to be able to see everything, with no exceptions.
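A worked illustration of the ETL-side redaction discussed in the replies above. This is an added example, not code from the thread, from Chronicle, or from any of the products named in it. It masks common credential-bearing patterns in a process command-line field before the event is forwarded, and reports which rule fired so the rule set can be tuned. The sample command lines are constructed for the example, and the rule names, the field name `process_command_line` and the `<REDACTED>` marker are arbitrary choices. One rule (bare `-p`/`-P`) is deliberately broad and also masks `ssh -p <port>`, to make the over-redaction trade-off visible.

```python
import re

REDACTED = "<REDACTED>"

# Words that commonly name a credential when they appear as a flag or variable name.
SECRET_WORDS = r"(?:password|passwd|passphrase|pwd|pass|secret|token|api[_-]?key)"
# A flag value: a double-quoted string, a single-quoted string, or one unbroken token.
VALUE = r"""(?:"[^"]*"|'[^']*'|\S+)"""

# Ordered (rule name, pattern, replacement). Specific rules run before broad ones so
# that a value masked by an earlier rule is not mangled by a later one.
RULES = [
    # --password=x, --password x, -passwd:x, /pass x  -> keep the flag, mask the value
    ("named-flag",
     re.compile(rf"(?i)((?:--?|/){SECRET_WORDS}(?:[=:]|\s+))({VALUE})"),
     rf"\1{REDACTED}"),
    # Bare -p / -P with attached or separate value (mysql -pSecret, sqlcmd -P "x").
    # The lookahead skips -pass/-pwd, which the rule above already handled.
    # Deliberately broad: it also masks ssh -p 22; that over-redaction is the price
    # of catching tools that take the password under a one-letter flag.
    ("short-p-flag",
     re.compile(rf"(?i)(?:^|(?<=\s))(-p)(?!ass|wd)(\s*)({VALUE})"),
     rf"\1\2{REDACTED}"),
    # user:password pairs passed to -u / --user (curl, wget style) -> keep the user
    ("user-colon-pass",
     re.compile(r"(?i)((?:-u|--user)(?:=|\s+)[^\s:@]+:)(\S+)"),
     rf"\1{REDACTED}"),
    # credentials embedded in a URL authority: scheme://user:pass@host
    ("url-userinfo",
     re.compile(r"(://[^\s:@/]+:)([^\s@/]+)(@)"),
     rf"\1{REDACTED}\3"),
    # environment-style assignments: DB_PASSWORD=x, API_KEY=x, set TOKEN=x
    ("env-assignment",
     re.compile(rf"(?i)\b(\w*{SECRET_WORDS}\w*=)({VALUE})"),
     rf"\1{REDACTED}"),
    # Windows `net use \\srv\share /user:DOMAIN\name <password>` (password after /user:)
    ("net-use",
     re.compile(rf"(?i)(/user:\S+\s+)({VALUE})"),
     rf"\1{REDACTED}"),
]


def redact_command_line(cmdline):
    """Return (masked command line, names of the rules that changed it)."""
    hits = []
    for name, pattern, replacement in RULES:
        masked = pattern.sub(replacement, cmdline)
        if masked != cmdline:
            hits.append(name)
            cmdline = masked
    return cmdline, hits


def redact_events(events, field="process_command_line"):
    """Mask one field of each event dict, recording which rules fired for tuning."""
    out = []
    for event in events:
        event = dict(event)
        if field in event:
            event[field], hits = redact_command_line(event[field])
            if hits:
                event["redaction_rules"] = hits
        out.append(event)
    return out


# Constructed sample command lines (not taken from the thread or from any real EDR log).
SAMPLE_COMMAND_LINES = [
    "mysql -u admin -pSuperSecret123 -h db01 inventory",
    "curl -u svc_backup:Hunter2! https://backup.example.internal/api",
    'sqlcmd -S sql01 -U sa -P "Winter2024!" -Q "SELECT 1"',
    r"net use \\fs01\share /user:CORP\jdoe P@ssw0rd",
    "python deploy.py --password=topsecret --region eu",
    "cmd.exe /c set DB_PASSWORD=abc123 && run.exe",
    "git clone https://deploy:s3cr3t@git.example.internal/app.git",
    "ssh -p 2222 jump.example.internal",     # false positive, masked on purpose
    r"notepad.exe C:\Users\jdoe\notes.txt",  # nothing to mask, passes through unchanged
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        masked, hits = redact_command_line(line)
        print(f"{masked}    [{', '.join(hits) or 'no change'}]")
```

Each pattern/replacement pair can be carried as-is into whatever ETL stage sits in front of the forwarder (for Logstash, the `mutate` filter's `gsub` option takes the same field/pattern/replacement triples). Two caveats follow from the replies above: this only helps if it runs before the raw log reaches Chronicle, since nothing downstream rewrites the raw record, and every rule here is a heuristic, so the `redaction_rules` annotation is worth keeping on the event to spot both misses and over-redaction.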

Hi Abdul, thank you for answering. We already use Logstash for log ingestion. I wanted to know if Chronicle would do that by default because I've seen it done in other log sources. It seems that logs are sanitized at the source.

About the environment variables, I totally agree with you. But there are politics involved and we need to provide a security control/mitigation. It's not Rachel in accounting who puts passwords in the command line... Mostly IT people, unfortunately.

Best regards,