I am attempting to anonymize clear-text credentials passed via PowerShell, referring to the Splunk documentation Anonymize_data_with_a_sed_script.
In the inputs.conf I have...
sourcetype = WinEventLog:Microsoft-Windows-PowerShell/Operational
In props.conf I have...
[WinEventLog:Microsoft-Windows-PowerShell/Operational]
SEDCMD-ps_logs_mask_cred = s/-ScriptBlock*/xxxxxx/g
I have attempted to mask just the password and the credential, but could not get it to work. I am able to do this partially via sed or perl on a Linux command line, but have not been able to replicate it in Splunk.
Sample data
Invoke-Command -computername somePC -ScriptBlock {get-something -password 'som3_verY-Long_Pa$$w0rd'} -Credential somedomain\someuser
Expected output (masking the entire ScriptBlock)
Invoke-Command -computername somePC xxxxxx
Or more appropriately, masking only the password and Credential
Invoke-Command -computername somePC -ScriptBlock {get-something -password 'xxxxxx'} -Credential xxxxxx
Any help will be much appreciated!
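The two masking variants the question asks for, worked through as an added example that is not part of the original post or of Splunk itself. It applies sed-style substitutions in Python on the question's own sample line so the regexes can be checked before they go into props.conf; the props.conf lines in the comments are assumed equivalents written from the page's SEDCMD syntax, not lines taken from Splunk documentation, and the sample event is the constructed one from the question.

```python
import re

# Constructed sample event, copied from the question; not a real log line.
SAMPLE_EVENT = (
    "Invoke-Command -computername somePC "
    "-ScriptBlock {get-something -password 'som3_verY-Long_Pa$$w0rd'} "
    "-Credential somedomain\\someuser"
)

MASK = "xxxxxx"

# Variant 1: blank out everything from -ScriptBlock to the end of the line.
# Note that s/-ScriptBlock*/xxxxxx/g only matches "-ScriptBloc" followed by
# zero or more "k" characters; the wildcard needs a dot in front: ".*".
# Assumed props.conf equivalent (SEDCMD uses sed s/// syntax, per the page):
#   SEDCMD-ps_logs_mask_block = s/-ScriptBlock.*$/xxxxxx/
SCRIPTBLOCK_RE = re.compile(r"-ScriptBlock.*$", re.IGNORECASE | re.MULTILINE)

# Variant 2: keep the command line but replace only the secret values.
# -password may be single-quoted, double-quoted, or a bare token; the quote
# character is captured (group 2) so it can be kept around the mask.
PASSWORD_RE = re.compile(
    r"(-password\s+)(?:(['\"])[^'\"]*\2|\S+)", re.IGNORECASE)
# -Credential is followed by an unquoted user name in the sample, so mask
# the next run of non-whitespace characters.
CREDENTIAL_RE = re.compile(r"(-Credential\s+)\S+", re.IGNORECASE)
# Assumed props.conf equivalents (\1 and \2 refer to the captured groups;
# whether case-insensitive matching is needed depends on how the parameter
# names appear in your events):
#   SEDCMD-ps_mask_password   = s/(-password\s+)(['"])[^'"]*\2/\1\2xxxxxx\2/g
#   SEDCMD-ps_mask_credential = s/(-Credential\s+)\S+/\1xxxxxx/g


def mask_scriptblock(event: str) -> str:
    """Variant 1: everything from -ScriptBlock onward becomes the mask."""
    return SCRIPTBLOCK_RE.sub(MASK, event)


def _mask_password(match: re.Match) -> str:
    # Preserve the original quote style (or none) around the masked value.
    quote = match.group(2) or ""
    return f"{match.group(1)}{quote}{MASK}{quote}"


def mask_secrets(event: str) -> str:
    """Variant 2: only the -password and -Credential values are masked."""
    event = PASSWORD_RE.sub(_mask_password, event)
    return CREDENTIAL_RE.sub(lambda m: m.group(1) + MASK, event)


if __name__ == "__main__":
    print(mask_scriptblock(SAMPLE_EVENT))
    print(mask_secrets(SAMPLE_EVENT))
```

Running the script prints the two expected outputs from the question, one per variant. Using a replacement function for the password keeps whichever quote character wrapped the original value, which a plain sed replacement string cannot do as neatly; a bare (unquoted) password is masked with no quotes added.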