WAAS Log Scrubbing
There may be sensitive data captured when WAAS events take place, such as access tokens, session cookies, PII or other information considered to be personal by various laws and regulations.
By using WAAS log scrubbing rules, users can mark data as sensitive based on regex patterns or its location in the HTTP request. This data is removed from the logs before events are recorded, and is replaced with placeholders entered by the user.
Add/Edit WAAS Scrubbing Rule
To create or edit log scrubbing rules, follow the steps below:
- Open the Console, and go toDefend > WAAS > Log Scrubbing
- Click onAdd ruleor select an existing rule.
- Enter Rule Name.
- Select rule type: pattern-based or location-based.
- For pattern-based rules:
- Provide match pattern in the form of a regular expression (re2), e.g. ^sessionID$, key-[a-zA-Z]{8,16}.
- Provide a placeholder string e.g. [scrubbed sessionID].Placeholder strings indicating the nature of the scrubbed data should be used as users will not be able to see the underlying scrubbed data.
- For location-based rules
- Select the location of the data to be scrubbed.
- Provide location details:
- For query / cookie / header / form/multipart - provide match pattern in the form of a regular expression (re2), e.g. ^SCookie.*$, item-[a-zA-Z]{8,16}.
- For XML (body) / JSON (body) - provide the path using Prisma Cloud’s custom format e.g. /root/nested/id.
- Provide a placeholder string e.g. [Scrubbed Session Cookie].Placeholder strings indicating the nature of the scrubbed data should be used as users will not be able to see the underlying scrubbed data.
- ClickSave.Data will now be scrubbed from any WAAS event before it is written (either to the Defender log or syslog) and sent to the console:
If sensitive data triggers events, both the forensic message and the recorded HTTP request are scrubbed. Hence, placeholder strings indicating the nature of the scrubbed data should be used as users will not be able to see the underlying scrubbed data.