Filter Sensitive Data with the .NET Agent

By default, the .NET Agent sends transaction data to the Controller that your organization may classify as privileged information. Although this data is useful for diagnosis and troubleshooting, security considerations may require you to filter certain information from view in the Controller. You can use sensitive data filters to exclude environment variables or URLs in the Controller or information in snapshot details.

Sensitive Data Filters are available for the .NET Windows and Linux Agents (as of 21.4).

Add a Sensitive Data Filter

To instrument sensitive data filters, you edit the .NET Agent configuration file. See Administer the .NET Agent.

  1. Edit a versioned agent configuration file:
    • Full .NET Agent: config.xml
    • Standalone Agent: config.json
  2. Add a sensitive-data-filter element as a child of the Sensitive Data Filters element using one of these attributes:
    CODE 
    <!-- Filter environment variable values sent to controller -->
<sensitive-data-filters>
<sensitive-data-filter applies-to="environment-variables,system-properties,http-headers,http-cookies" match-type="EQUALS|CONTAINS|STARTSWITH|ENDSWITH" match-pattern=""/>
</sensitive-data-filters>
    Sensitive Data Filter Attributes:

    • Specify a comma-separated list in the applies-to attribute to filter environment-variables, system-properties, or data collectors (http-headers, http-cookies)

    • Set the match-type attribute as:

      EQUALS

      CONTAINS

      STARTSWITH

      ENDSWITH

    • Specify a string to match for the match-pattern attribute. String matches are case insensitive. The pattern matches the environment variable and system property names, not values.

  3. Restart the .NET Agent and application.
In this example, the .NET Agent checks for environment variables beginning with the string "DB_". The Controller displays the values of matching environment variables and system properties as asterisks. For example, an environment variable DB_USER is obfuscated and replaced with an asterisk in the Controller.

Example config.xml file:

CODE 
</sensitive-data-filters>
<sensitive-data-filter applies-to="environment-variables,system-properties" match-type="STARTSWITH" match-pattern="DB_"/>
</sensitive-data-filters>

Example config.json file:

JSON 
sensitive-data-filters: [
{
"applies-to": "environment-variables, system-properties",
"match-type": "STARTSWITH",
"match-pattern": "DB_"
}
]

Add a Sensitive URL Filter

You can use sensitive URL filters to configure the agent to obfuscate sensitive information in the URLs in the Controller.

To instrument sensitive URL filters, you edit the .NET Agent configuration file. See Administer the .NET Agent.

  1. Edit a versioned agent configuration file:
    • Full .NET Agent: config.xml
    • Standalone Agent: config.json
  2. Add attributes to the sensitive-url-filtersSensitive URL Filter Attributes:
    CODE 
    <sensitive-url-filters>
<sensitive-url-filter delimiter=""
segment=""
match-filter=“EQUALS|INLIST|STARTSWITH|ENDSWITH|CONTAINS|REGEX|NOT_EMPTY"
match-pattern="pattern"
param-pattern=""/>
</sensitive-url-filters>
    • delimiter : Specify the character that you want to use as URL segment endpoints. The agent splices the URL at each delimiter instance to create the segments. For HTTP, use the forward-slash character "/". In the case of a forward slash, the agent does not split on the slashes immediately following the protocol. For example, " https://myapp.example.com/ " constitutes a single segment. By default, the delimiter is "/".
    • segment : Specify a comma-separated list to indicate the segments that you want the agent to filter. Segment numbering starts from 1.

    • match-pattern: Specify the string that you want to be filtered by the match-filter.

    • param-pattern: Specify the regular expression matching the query parameters to filter.

For example, this configuration splits the URL on the "/" character and masks the second segment, and the param-pattern in the third segment of the URL. In this example, the segmentation and obfuscation apply only to URLs containing "myapp".
CODE 
<!-- Filter URL/URI segments and query parameters -->
<sensitive-url-filters>
<sensitive-url-filter delimiter="/"
segment="2"
match-filter="CONTAINS"
match-pattern="myapp"
param-pattern="[a-z]+"/>
</sensitive-url-filters>
If you do not use any values for the query parameters, the Controller does not mask any query parameters in the URL.

The exit call to https://myapp.example.com/sensitive/data?first_name=abc&last_name=xyz breaks down to three segments:

The Controller shows the masked values of the URL and the param-pattern displays https://myapp.example.com/*****/data?first_name=***&last_name=*** in the snapshot details.

Add a Sensitive Message Filter

You can use the sensitive-message-filters element to obfuscate sensitive information contained within text messages collected from exception messages.

  1. Edit a versioned agent configuration file.
  2. Add attributes to the sensitive-message-filters element:
    CODE 
    <sensitive-message-filters>
<sensitive-message-filter message-type="all"
match-type="EQUALS|CONTAINS|STARTSWITH|ENDSWITH|REGEX"
match-pattern="CASESENSITIVE_PATTERN"
redaction-regex="SENSITIVE_INFO_REGEX_GROUP"/>
</sensitive-message-filters>

    Sensitive Message Filter Attributes:

      • message-type: Specify all

      • match-type: Specify the type of match that should be used to opt-in messages for redaction

      • match-pattern: Specify the pattern that, when matched, opts the message in for redaction

      • redaction-regex: Specify a regular expression identifying data that should be redacted from the opted-in messages
This example filters out a test where match-pattern contains "Sensitive".
CODE 
<sensitive-message-filters>
<sensitive-message-filter message-type="all"
match-type="CONTAINS"
match-pattern="Sensitive"
redaction-regex="[0-9]+"/>
</sensitive-message-filters>