1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Administrator’s Guide (Compute)
    5. Configure
    6. Log Scrubbing

    Log Scrubbing

    Prisma Cloud Compute Runtime events may include sensitive information that’s found in commands that are run by protected workloads, such as secrets, tokens, PII or other information considered to be personal by various laws and regulations.
    Using the Runtime log scrubbing capabilities, you can filter such sensitive information and ensure that it is not included in the Runtime findings (Forensics, Incidents, audits, etc.).
    You can filter your Runtime sensitive data out using the automatic scrubbing capability, as well as using custom scrubbing rules. Follow the documentation instructions to learn more about these two options.
    Sensitive information from WAAS logs can be scrubed as well, see WAAS Log Scrubbing to learn more.

    Automatically scrub secrets from runtime events

    To help identify and filter secrets that commonly appear in the Runtime monitored commands, we added the capability to automatically scrub known sensitive phrases and words such as "secrets", "token", etc. from your events. The detected sensitive data will be replaced in the events by "[*****]".
    Automatically scrubbing secrets will be
    enabled
     by default when upgrading Console from 21.08 to 22.01.

    Enable/Disable the automatic scrubbing:

    Enable automatic log scrubbing.
    1. Open the Console, and go to
      Manage > General
      .
    2. Select the desired mode in the
      Automatically scrub secrets from runtime events
       toggle.

    Add/Edit custom scrubbing rule

    Create or edit log scrubbing rules.
    1. Open the Console, and go to
      Manage > General
      .
    2. In the
      Custom log scrubber
       section select Runtime or WAAS.
    3. Click on
      Add rule
       or select an existing rule.
    4. Enter the rule
      Name
      .
    5. Provide a matching
      Pattern
       in the form of a regular expression (re2), e.g. ^sessionID$, key-[a-zA-Z]{8,16}.
    6. Provide a
      Placeholder
       string e.g. [scrubbed email].
      1. Placeholder strings indicating the nature of the scrubbed data should be used as users will not be able to see the underlying scrubbed data.
    7. Click
      Save
      .
      • Data will now be scrubbed from any Runtime and WAAS event before it is written (either to the Defender log or syslog) and sent to the console.
      • The automatic scrubbing and custom scrubbing are independent, meaning that you can choose to use each one of them separately.
      • Data will be scrubbed only in messages that are generated while the scrubbing toggle or scrubbing rule are
        enabled
        . Messages that were generated
        before
         enabling one of the scrubbing configurations above or
        after
         disabling them, won’t be scrubbed.
      • The WAAS scrubbing rules are synced with the rules in
        Defend > WAAS > Log scrubbing
        .
      • Serverless Runtime events are not scrubbed.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo