Filter Sensitive Data with the .NET Agent
By default, the AppDynamics .NET Agent sends transaction data to the Controller that your organization may classify as privileged information. Although this data is useful for diagnosis and troubleshooting, security considerations may require you to filter certain information from view in the Controller. You can use sensitive data filters to exclude environment variables or URLs in the Controller or information in snapshot details.
Sensitive Data Filters are available for the .NET Windows and Linux Agents (as of 21.4).
Add a Sensitive Data Filter
To instrument sensitive data filters, you edit the .NET Agent configuration file. See Administer the .NET Agent.
- Edit a versioned agent configuration file:
  - Full .NET Agent: config.xml
  - Standalone Agent: config.json
- Add a sensitive-data-filter element as a child of the Sensitive Data Filters element using one of these attributes:
  <!-- Filter environment variable values sent to controller -->
  <sensitive-data-filters>
    <sensitive-data-filter applies-to="environment-variables, system-properties, http-headers, http-cookies"
                           match-type="EQUALS|CONTAINS|STARTSWITH|ENDSWITH"
                           match-pattern=""/>
  </sensitive-data-filters>
  Sensitive Data Filter Attributes:
  - applies-to: Specify a comma-separated list to filter environment-variables, system-properties, or data collectors (http-headers, http-cookies).
  - match-type: Set to one of EQUALS, CONTAINS, STARTSWITH, or ENDSWITH.
  - match-pattern: Specify a string to match. String matches are case insensitive. The pattern matches the environment variable and system property names, not values.
- Restart the .NET Agent and application.
In this example, the .NET Agent checks for environment variables beginning with the string "DB_". The Controller displays the values of matching environment variables and system properties as asterisks. For example, an environment variable DB_USER is obfuscated and replaced with an asterisk in the Controller.
Example config.xml file:
<sensitive-data-filters>
  <sensitive-data-filter applies-to="environment-variables, system-properties"
                         match-type="STARTSWITH"
                         match-pattern="DB_"/>
</sensitive-data-filters>
Example config.json file:
"sensitive-data-filters": [
  {
    "applies-to": "environment-variables, system-properties",
    "match-type": "STARTSWITH",
    "match-pattern": "DB_"
  }
]
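A filter that misses a variable name leaves its value visible in the Controller, so it is worth checking coverage before restarting the agent. The following Python sketch is an added example, not AppDynamics code: it parses a sensitive-data-filters fragment, applies the match rules described above (case insensitive, on names), and lists sensitive-looking names that no filter covers. The function names, the hint words and the sample variable names are assumptions made up for illustration.

```python
import xml.etree.ElementTree as ET

# Match types and applies-to values listed on this page.
MATCHERS = {
    "EQUALS": lambda name, pat: name == pat,
    "CONTAINS": lambda name, pat: pat in name,
    "STARTSWITH": lambda name, pat: name.startswith(pat),
    "ENDSWITH": lambda name, pat: name.endswith(pat),
}
SCOPES = {"environment-variables", "system-properties", "http-headers", "http-cookies"}

def load_filters(xml_text):
    """Parse a <sensitive-data-filters> fragment; reject attributes the page does not list."""
    root = ET.fromstring(xml_text)  # ParseError on malformed XML, e.g. a comma between attributes
    filters = []
    for el in root.iter("sensitive-data-filter"):
        scopes = {s.strip() for s in el.get("applies-to", "").split(",") if s.strip()}
        mtype = el.get("match-type", "")
        pattern = el.get("match-pattern", "")
        if not scopes or not scopes <= SCOPES:
            raise ValueError(f"bad applies-to: {el.get('applies-to')!r}")
        if mtype not in MATCHERS:
            raise ValueError(f"unknown match-type: {mtype!r}")
        if not pattern:
            raise ValueError("empty match-pattern")
        filters.append((scopes, mtype, pattern))
    return filters

def is_masked(name, scope, filters):
    """True if a filter for this scope matches the NAME (case insensitive, per the page)."""
    return any(scope in scopes and MATCHERS[mtype](name.lower(), pat.lower())
               for scopes, mtype, pat in filters)

def audit(names, scope, filters, hints=("password", "secret", "token", "key")):
    """Names that look sensitive (hypothetical hint words) but that no filter covers."""
    return [n for n in names
            if any(h in n.lower() for h in hints) and not is_masked(n, scope, filters)]

# The page's example filter, plus constructed environment variable names.
CONFIG = """<sensitive-data-filters>
  <sensitive-data-filter applies-to="environment-variables, system-properties"
                         match-type="STARTSWITH" match-pattern="DB_"/>
</sensitive-data-filters>"""
SAMPLE_NAMES = ["DB_USER", "db_password", "API_TOKEN", "PATH", "SMTP_PASSWORD"]

if __name__ == "__main__":
    f = load_filters(CONFIG)
    print("masked:", [n for n in SAMPLE_NAMES if is_masked(n, "environment-variables", f)])
    print("uncovered:", audit(SAMPLE_NAMES, "environment-variables", f))
```

Feed `audit` the variable names from the host that runs the agent; it inspects names only, matching what the filter itself matches on.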
Add a Sensitive URL Filter
You can use sensitive URL filters to configure the agent to obfuscate sensitive information in the URLs in the Controller.
To instrument sensitive URL filters, you edit the .NET Agent configuration file. See Administer the .NET Agent.
- Edit a versioned agent configuration file:
  - Full .NET Agent: config.xml
  - Standalone Agent: config.json
- Add attributes to the sensitive-url-filters element:
  <sensitive-url-filters>
    <sensitive-url-filter delimiter=""
                          segment=""
                          match-filter="EQUALS|INLIST|STARTSWITH|ENDSWITH|CONTAINS|REGEX|NOT_EMPTY"
                          match-pattern="pattern"
                          param-pattern=""/>
  </sensitive-url-filters>
  Sensitive URL Filter Attributes:
  - delimiter: Specify the character that you want to use as URL segment endpoints. The agent splits the URL at each delimiter instance to create the segments. For HTTP, use the forward-slash character "/". In the case of a forward slash, the agent does not split on the slashes immediately following the protocol. For example, "https://myapp.example.com/" constitutes a single segment. By default, the delimiter is "/".
  - segment: Specify a comma-separated list to indicate the segments that you want the agent to filter. Segment numbering starts from 1.
  - match-pattern: Specify the string that you want to be filtered by the match-filter.
  - param-pattern: Specify the regular expression matching the query parameters to filter.
For example, this configuration splits the URL on the "/" character and masks the second segment and the query parameters matching the param-pattern in the third segment of the URL. In this example, the segmentation and obfuscation apply only to URLs containing "myapp".
<!-- Filter URL/URI segments and query parameters -->
<sensitive-url-filters>
<sensitive-url-filter delimiter="/"
segment="2"
match-filter="CONTAINS"
match-pattern="myapp"
param-pattern="[a-z]+"/>
</sensitive-url-filters>
If you do not use any values for the query parameters, the Controller does not mask any query parameters in the URL.
The exit call to https://myapp.example.com/sensitive/data?first_name=abc&last_name=xyz breaks down to three segments:
- "https://myapp.example.com"
- "sensitive"
- "data?first_name=abc&last_name=xyz"
The Controller shows the URL with the masked segment and the masked param-pattern values as https://myapp.example.com/*****/data?first_name=***&last_name=*** in the snapshot details.
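The segmentation and masking walk-through above, as an added Python model (not the agent's implementation) for previewing what a CONTAINS filter would display. Assumptions: param-pattern is tested against parameter names with search semantics, match-pattern is case sensitive, and the mask strings are the ones shown in the example output; all function names are hypothetical.

```python
import re

def split_segments(url, delimiter="/"):
    """Split a URL into segments; slashes right after the protocol are not split on."""
    scheme, sep, rest = url.partition("://")
    if delimiter != "/" or not sep:   # the protocol rule is documented for "/" only
        return url.split(delimiter)
    parts = rest.split(delimiter)
    return [scheme + sep + parts[0]] + parts[1:]

def mask_query(segment, param_pattern):
    """Mask values of query parameters whose NAME matches param_pattern (assumption)."""
    path, q, query = segment.partition("?")
    if not q or not param_pattern:    # no param-pattern given: leave the query untouched
        return segment
    pairs = []
    for pair in query.split("&"):
        name, eq, _value = pair.partition("=")
        pairs.append(name + "=***" if eq and re.search(param_pattern, name) else pair)
    return path + "?" + "&".join(pairs)

def preview(url, delimiter="/", segment="", match_pattern="", param_pattern=""):
    """Model of a CONTAINS filter: the URL as the snapshot details would show it."""
    if match_pattern not in url:      # the filter applies only to URLs containing the pattern
        return url
    targets = {int(s) for s in segment.split(",") if s.strip()}
    segs = split_segments(url, delimiter)
    out = ["*****" if i in targets else mask_query(s, param_pattern)
           for i, s in enumerate(segs, start=1)]   # segment numbering starts from 1
    return delimiter.join(out)

# The exit call URL used on this page.
PAGE_URL = "https://myapp.example.com/sensitive/data?first_name=abc&last_name=xyz"

if __name__ == "__main__":
    print(split_segments(PAGE_URL))
    print(preview(PAGE_URL, "/", "2", "myapp", "[a-z]+"))
```

Run it against representative URLs from your own services to confirm that the segment numbers in the filter point at the parts you intend to hide.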
Add a Sensitive Message Filter
You can use the sensitive-message-filters element to obfuscate sensitive information contained within text messages collected from exception messages.
- Edit a versioned agent configuration file.
- Add attributes to the sensitive-message-filters element:
  <sensitive-message-filters>
    <sensitive-message-filter message-type="all"
                              match-type="EQUALS|CONTAINS|STARTSWITH|ENDSWITH|REGEX"
                              match-pattern="CASESENSITIVE_PATTERN"
                              redaction-regex="SENSITIVE_INFO_REGEX_GROUP"/>
  </sensitive-message-filters>
  Sensitive Message Filter Attributes:
  - message-type: Specify all.
  - match-type: Specify the type of match that should be used to opt-in messages for redaction.
  - match-pattern: Specify the pattern that, when matched, opts the message in for redaction.
  - redaction-regex: Specify a regular expression identifying data that should be redacted from the opted-in messages.
This example filters messages that contain "Sensitive" (the match-pattern); the redaction-regex [0-9]+ identifies the data to redact from those messages.
<sensitive-message-filters>
<sensitive-message-filter message-type="all"
match-type="CONTAINS"
match-pattern="Sensitive"
redaction-regex="[0-9]+"/>
</sensitive-message-filters>