Table of Contents
End-of-Life (EoL)

Log Scrubbing

Prisma Cloud Compute Runtime events may include sensitive information that’s found in commands that are run by protected workloads, such as secrets, tokens, PII or other information considered to be personal by various laws and regulations.
Using the Runtime log scrubbing capabilities, you can filter such sensitive information and ensure that it is not included in the Runtime findings (Forensics, Incidents, audits, etc.).
You can filter your Runtime sensitive data out using the automatic scrubbing capability, as well as using custom scrubbing rules. Follow the documentation instructions to learn more about these two options.
Sensitive information from WAAS logs can be scrubed as well, see WAAS Log Scrubbing to learn more.

Automatically scrub secrets from runtime events

To help identify and filter secrets that commonly appear in the Runtime monitored commands, we added the capability to automatically scrub known sensitive phrases and words such as "secrets", "token", etc. from your events. The detected sensitive data will be replaced in the events by "[*****]".
Automatically scrubbing secrets will be
by default when upgrading Console from 21.08 to 22.01.

Enable/Disable the automatic scrubbing:

Enable automatic log scrubbing.
  1. Open the Console, and go to
    Manage > General
  2. Select the desired mode in the
    Automatically scrub secrets from runtime events

Add/Edit custom scrubbing rule

Create or edit log scrubbing rules.
  1. Open the Console, and go to
    Manage > General
  2. In the
    Custom log scrubber
    section select Runtime or WAAS.
  3. Click on
    Add rule
    or select an existing rule.
  4. Enter the rule
  5. Provide a matching
    in the form of a regular expression (re2), e.g. ^sessionID$, key-[a-zA-Z]{8,16}.
  6. Provide a
    string e.g. [scrubbed email].
    1. Placeholder strings indicating the nature of the scrubbed data should be used as users will not be able to see the underlying scrubbed data.
  7. Click
    • Data will now be scrubbed from any Runtime and WAAS event before it is written (either to the Defender log or syslog) and sent to the console.
    • The automatic scrubbing and custom scrubbing are independent, meaning that you can choose to use each one of them separately.
    • Data will be scrubbed only in messages that are generated while the scrubbing toggle or scrubbing rule are
      . Messages that were generated
      enabling one of the scrubbing configurations above or
      disabling them, won’t be scrubbed.
    • The WAAS scrubbing rules are synced with the rules in
      Defend > WAAS > Log scrubbing
    • Serverless Runtime events are not scrubbed.

Recommended For You