WAAS Sensitive Data
Table of Contents
WAAS Sensitive Data
There may be sensitive data captured when WAAS events take place, such as access tokens, session cookies, PII, or other information considered to be personal by various laws and regulations.
By using WAAS sensitive data rules, users can mark
Sensitive data
and enable Log scrubbing
based on regex patterns or its location in the HTTP request.
The data marked as sensitive will be flagged in API discovery, but will not be automatically scrubbed in the Logs.
To scrub the sensitive data in addition to marking it as sensitive, enable Log scrubbing
, the data is scrubbed and replaced with placeholders in the logs before events are recorded.- The data from HTTP responses that appear in WAAS audits will not be scrubbed and replaced by the placeholder.
- To optimize the CPU utilization when using WAAS sensitive data, Prisma Cloud scanner samples only a subset of the mirrored data to discover just the APIs and the scanner does not inspect the request body field, the sensitive request, and the response data. We sample the API traffic to limit the sensitive data body response size to less than 128k.
Add/Edit WAAS Scrubbing Rule
- Open the Console, and go toDefend > WAAS > Sensitive data.
- Click onAdd ruleor select an existing rule.
- Enter a ruleName.
- Select the ruleTypeasPattern-basedorLocation-based.
- The pattern-based rule will match the given regex pattern by either "Request Parameter keys", "Request Parameter Values", or "Response (Keys + Values)".
- Provide the pattern name to be matched in the form of a regular expression (re2), e.g. ^sessionID$, key-[a-zA-Z]{8,16}.
- Provide a placeholder string, e.g. [scrubbed sessionID].Placeholder strings indicating the nature of the scrubbed data should be used as users will not be able to see the underlying scrubbed data.
- For Location-based rules
- Select the location of the data to be scrubbed.
- Provide location details:
- For query / cookie / header / form/multipart - provide a match pattern in the form of a regular expression (re2), e.g. ^SCookie.*$, item-[a-zA-Z]{8,16}.
- For XML (body) / JSON (body) - provide the path using Prisma Cloud’s custom format e.g. /root/nested/id.
- Provide a placeholder string to indicate the nature of the scrubbed data, for example: [Scrubbed Session Cookie].
- ClickSave.Sensitive Data & Log ScrubbingThe location-based rule for sensitive data works by searching for the key value in the location, for example, query, cookie, header, form/multipart, XML, and JSON body. For log scrubbing, WAAS replaces the value with the placeholder that you enter. Data will now be scrubbed from any WAAS event before it is written (either to the Defender log or syslog) and sent to the console.For example, the email ID is redacted in the below WAAS event audit.
If sensitive data triggers events, both the forensic message and the recorded HTTP request are scrubbed.