McAfee Employee jebeling

Anonymizing, Encoding and Tokenizing Log Fields


WGCS offers the ability to pseudo-anonymize selective log fields. This is available to meet GDPR requirements and is essentially a consistent, one-way irreversible anonymization. WGCS log files will contain the anonymized string. The strings are encrypted with AES 128 CBC with a constant key maintained by McAfee.

Similar but different, the MWG ruleset allows you to anonymize any fields in your logs and secure them with 1 or 2 passwords. This anonymization can be reversed on a log-file basis by loading the log file back onto an MWG and supplying the necessary passwords.

Neither of these two methods is very convenient for administrators wishing to have consistent reversible anonymization across log files from both sources. Also, administrators may wish to have a methodology to easily map an anonymized field back to the original, or an original to an anonymized field. For example, my reporting tool is working off anonymized logs and I want to map 123ABC456def back to the username, or I want to find the anonymized equivalent of jebeling because I want to report on his specific activity.

There are two facilities available in the MWG ruleset (and WGCS managed by MWG) to accomplish this goal: Base64 encoding (which anyone can reverse or map), and string tokenization, which requires access to a system with the password.

See below for solution details

Accepted Solutions
McAfee Employee jebeling

Re: Anonymizing, Encoding and Tokenizing Log Fields


I built this

Rule Set: Tokenize or Encode Username
[✔] Enabled   [✔] Enabled in Cloud
Applies to: [] Requests [] Responses [] Embedded Objects
Criteria: Always

Rule: Tokenize Username to User-Defined.TokenizedUsername   [✔] Enabled
  Criteria: 1: Authentication.UserName does not equal ""
  Action:   Continue
  Events:   Set User-Defined.TokenizedUsername = SecureToken.CreateToken(Authentication.UserName)<Default>

Rule: Tokenize Username and Save Original to User-Defined.OriginalUserName   [✘] Disabled
  Criteria: 1: Authentication.UserName does not equal ""
  Action:   Continue
  Events:   Set User-Defined.OriginalUserName = Authentication.UserName
            Set Authentication.UserName = SecureToken.CreateToken(Authentication.UserName)<Default>
  Comment:  This rule tokenizes the username for logging. Note that any subsequent rules that used to match on Authentication.UserName will need to be changed to match against User-Defined.OriginalUsername.

Rule: Base64 Encode Username to User-Defined.EncodedUsername   [✔] Enabled
  Criteria: 1: Authentication.UserName does not equal ""
  Action:   Continue
  Events:   Set User-Defined.EncodedUsername = String.Base64Encode(Authentication.UserName)

Rule: Base64 Encode Username and Save Original to User-Defined.OriginalUsername   [✘] Disabled
  Criteria: 1: Authentication.UserName does not equal ""
  Action:   Continue
  Events:   Set User-Defined.OriginalUserName = Authentication.UserName
            Set Authentication.UserName = String.Base64Encode(Authentication.UserName)
  Comment:  This rule Base64 encodes the username for logging. Note that any subsequent rules that used to match on Authentication.UserName will need to be changed to match against User-Defined.OriginalUsername.

And this

Rule Set: Tokenator String Encoder and Decoder (Admin only)
[✔] Enabled   [✔] Enabled in Cloud
Applies to: [] Requests [] Responses [] Embedded Objects
Criteria:
  1: URL.Host equals "token.mwginternal.com"
  2: AND (Authentication.UserName is in list Token Admins
  3:      OR Authentication.UserGroups at least one in list Token Admin Groups°
  4:      OR Client.IP is in list Token Admin IPs°)

Rule: Detokenize   [✔] Enabled
  Criteria: 1: URL.HasParameter("string") equals true
            2: AND URL.GetParameter("mode") equals "detokenize"
  Action:   Block<Tokenator>
  Events:   Set User-Defined.RawString = SecureToken.GetString(URL.GetParameter("string"),0)<Default>
            Set User-Defined.EncodedString = URL.GetParameter("string")

Rule: Tokenize   [✔] Enabled
  Criteria: 1: URL.HasParameter("string") equals true
            2: AND URL.GetParameter("mode") equals "tokenize"
  Action:   Block<Tokenator>
  Events:   Set User-Defined.EncodedString = SecureToken.CreateToken(URL.GetParameter("string"))<Default>
            Set User-Defined.RawString = URL.GetParameter("string")

Rule: Base64 Decode   [✔] Enabled
  Criteria: 1: URL.HasParameter("string") equals true
            2: AND URL.GetParameter("mode") equals "decode"
  Action:   Block<Tokenator>
  Events:   Set User-Defined.RawString = String.Base64DecodeAsText(URL.GetParameter("string"))
            Set User-Defined.EncodedString = URL.GetParameter("string")

Rule: Base64 Encode   [✔] Enabled
  Criteria: 1: URL.HasParameter("string") equals true
            2: AND URL.GetParameter("mode") equals "encode"
  Action:   Block<Tokenator>
  Events:   Set User-Defined.EncodedString = String.Base64Encode(URL.GetParameter("string"))
            Set User-Defined.RawString = URL.GetParameter("string")

Rule: Show Tokenator Block Page   [✔] Enabled
  Criteria: Always
  Action:   Block<Tokenator>
  Events:   Set User-Defined.EncodedString = ""
            Set User-Defined.RawString = ""

Unfortunately this platform messes up the HTML formatting of the above, making it virtually unreadable, so you will likely have to import the ruleset or use the Policy Viewer tool to see it in presentable form.

Here is a screenshot of the Tokenize ruleset and its placement: [screenshot: Tokenize.JPG]

Here is a screenshot of the Tokenator ruleset and its placement. Notice it is after authentication (I put it in Common Rules) so you can restrict access to administrators.

[screenshot: Tokenator.JPG]

This, with a customized block page, yields an administrative tool to deal with translation when needed by requesting token.mwginternal.com through the proxy.

The customized blockpage needs to be created as a Template. You can click on the hyperlink next to "Block" and create and edit:

[screenshot: UDP.JPG]

Copy and paste the HTML from the zip. Then you have to customize the Raw String and the Encoded string to match the User Defined Property links unique to your environment. You cannot directly add a UDP to a block page so you first have to add any system property and then edit it. I've used Action.Name but it could be any property that is available initially via add -> Property.

[screenshot: UDP.JPG]

[screenshot: UDP2.JPG]

[screenshot: Tokenator.png]

Optionally you can add parameters to the request: ?string=<string to be encoded or decoded>&mode=<tokenize, detokenize, encode, or decode>

example: http://token.mwginternal.com?string=jebeling&mode=tokenize

Two rulesets and html for the block page are in the attached zip.
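The two posts above describe, in rule form, the difference between Base64 encoding a log field (which anyone can reverse), a keyed token (which only a system holding the key can create or reverse), and the Tokenator admin tool that maps between them. The following is an added, stand-alone Python example illustrating those ideas on constructed log lines; it is not code from the post, nor an implementation of MWG's SecureToken or String properties. Assumptions: the key TOKEN_KEY, the tab-separated log format in SAMPLE_LOG, and the use of a truncated HMAC-SHA256 plus a reverse map to stand in for SecureToken.CreateToken / SecureToken.GetString are all choices made for this example.

```python
import base64
import binascii
import hashlib
import hmac
import ipaddress
from typing import List, Optional, Tuple

# Constructed key for this example only; in a deployment it would come from a
# secrets store and be shared by every proxy whose logs must carry the same tokens.
TOKEN_KEY = b"example-tokenization-key-rotate-me"

# Constructed sample access-log lines (tab separated): time, client IP, user, URL, status.
SAMPLE_LOG = [
    "2019-05-01T10:00:00Z\t10.1.2.3\tjebeling\thttp://example.com/\t200",
    "2019-05-01T10:00:05Z\t10.1.2.4\talice\thttp://example.org/\t403",
    "2019-05-01T10:00:09Z\t10.1.2.3\tjebeling\thttp://example.net/\t200",
    "2019-05-01T10:00:12Z\t10.1.2.5\t\thttp://example.com/\t407",  # not yet authenticated
]
USER_FIELD = 2


def base64_encode(raw: str) -> str:
    """Encoding, not anonymization: anyone can reverse it with no secret."""
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def base64_decode(encoded: str) -> Optional[str]:
    """Returns None instead of raising on input that is not valid Base64 text."""
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


class TokenVault:
    """Keyed, deterministic tokens with a reverse map held by the key holder.

    Same input and same key always give the same token, so reports can join on
    the token across log sources. Without the key nobody can compute the token
    for a name, and without the vault nobody can turn a token back into a name.
    """

    def __init__(self, key: bytes, token_len: int = 24) -> None:
        self.key = key
        self.token_len = token_len
        self._reverse: dict = {}

    def create_token(self, raw: str) -> str:
        digest = hmac.new(self.key, raw.encode("utf-8"), hashlib.sha256).hexdigest()
        token = digest[: self.token_len]
        self._reverse[token] = raw  # the reverse map is what makes this reversible
        return token

    def get_string(self, token: str) -> Optional[str]:
        return self._reverse.get(token)


def pseudonymize_line(line: str, mode: str, vault: TokenVault) -> str:
    """Replace the user field; an empty user is left alone, like the rule criterion."""
    fields = line.split("\t")
    user = fields[USER_FIELD]
    if user == "":
        return line
    fields[USER_FIELD] = vault.create_token(user) if mode == "tokenize" else base64_encode(user)
    return "\t".join(fields)


def pseudonymize_log(lines: List[str], mode: str, vault: TokenVault) -> List[str]:
    return [pseudonymize_line(line, mode, vault) for line in lines]


def activity_for_user(tokenized: List[str], username: str, vault: TokenVault) -> List[str]:
    """Report on one user from tokenized logs: compute the token, then filter on it."""
    token = vault.create_token(username)
    return [line for line in tokenized if line.split("\t")[USER_FIELD] == token]


def is_token_admin(username: str, groups: List[str], client_ip: str,
                   admins: List[str], admin_groups: List[str], admin_nets: List[str]) -> bool:
    """Same three-way OR (user, group, client IP) as the Tokenator rule set criteria."""
    ip = ipaddress.ip_address(client_ip)
    return (username in admins
            or any(g in admin_groups for g in groups)
            or any(ip in ipaddress.ip_network(net) for net in admin_nets))


def tokenator(mode: str, string: str, vault: TokenVault) -> Tuple[Optional[str], Optional[str]]:
    """The four Tokenator modes; returns (RawString, EncodedString) as the block page shows."""
    if mode == "tokenize":
        return string, vault.create_token(string)
    if mode == "detokenize":
        return vault.get_string(string), string
    if mode == "encode":
        return string, base64_encode(string)
    if mode == "decode":
        return base64_decode(string), string
    raise ValueError("unknown mode: %r" % mode)


if __name__ == "__main__":
    vault = TokenVault(TOKEN_KEY)
    for line in pseudonymize_log(SAMPLE_LOG, "tokenize", vault):
        print(line)
    print(tokenator("tokenize", "jebeling", vault))
```

Two points worth keeping in mind when using this pattern: tokens line up across MWG and WGCS logs only if both sides use the same key, and the reverse map (or whatever holds the password in the real deployment) is the crown jewel, so the tool that exposes detokenize should be gated on an authenticated user or group rather than on Client.IP alone.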

