I needed anonymized ETLs to be able to pass them to a 3rd party and couldn’t find anything that would do it, so I put a few things I found on the internet together, adjusted them, and here it is.

First the anonymize function, which I didn’t write myself but took from https://gallery.technet.microsoft.com/scriptcenter/Get-StringHash-aa843f71

The hash options are: MD5, SHA1, SHA256, SHA384, SHA512


# Returns the lowercase hex digest of $String using the named .NET hash algorithm (default SHA512)
Function Get-StringHash([String] $String, $HashName = "SHA512")
{
    $StringBuilder = New-Object System.Text.StringBuilder
    [System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String)) | %{ [Void]$StringBuilder.Append($_.ToString("x2")) }
    return $StringBuilder.ToString()
}

Now let’s start with pulling the logs. You can export the logs via MMC and then load them.

$Data = [Xml] (Get-Content C:\temp\log_file.XML)

You can even pull the logs directly from the Windows Event Log.

# Note: ConvertTo-Xml emits an Objects/Object/Property layout, not the Events/Event/System
# layout of an MMC export, so the element paths used below have to be adjusted for this source.
$Data = [xml](Get-EventLog Security | ConvertTo-Xml)

Now parse through the log and hash the values with SHA512 (or whatever you want). This is pretty easy for values like the computer name, which is not part of the event data and has its own element.

foreach($d in $Data.Events.Event.System)
{
    # Positional call: Get-StringHash($x, "SHA512") would pass a single array argument instead of two parameters
    $d.Computer = Get-StringHash $d.Computer "SHA512"
}

For the parts of the event data, it gets a little more complex. What I wanted to anonymize was basically all user information that was in the log.

# EventData fields that identify a user, host or client address
$sensitive = @('SubjectUserName', 'SubjectUserSid', 'SubjectDomainName',
               'TargetUserName', 'TargetUserSid', 'TargetDomainName',
               'WorkstationName', 'IpAddress')

foreach($d in $Data.Events.Event.EventData.Data)
{
    if($sensitive -contains $d.Name)
    {
        $value = $d.'#text'
        $d.'#text' = Get-StringHash $value "SHA512"
    }
}

That was already quite fine but still not enough. There still were the file paths with usernames in them. So let’s anonymize those too. (To keep the context I have put the foreach loop in again, but of course you would do it all in one loop.)

foreach($d in $Data.Events.Event.EventData.Data)
{
    $value = $d.'#text'
    if($value -like "C:\Users\*")
    {
        # "C:\Users\alice\..." splits into C:, Users, alice, ...; hash only the profile folder name
        $parts = $value.Split("\")
        if($parts.Length -gt 2)
        {
            $parts[2] = Get-StringHash $parts[2] "SHA512"
            $d.'#text' = [string]::Join("\", $parts)
        }
    }
}

You can modify this to get rid of anything you want, if it shows any pattern.

And finally, just save your anonymized log somewhere.

$Data.Save("C:\temp\log_file_anonymized.XML")
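The steps above combined into one pass, as an added example that is not part of the original post. It swaps the plain SHA512 for HMAC-SHA512 with a random per-export key, because a low-entropy value like a username or host name can be recovered from an unkeyed hash simply by hashing a list of candidates; the keyed hash still maps equal inputs to equal tokens, so events stay correlatable for the 3rd party. The function names Get-KeyedHash and Anonymize-EventXml are my own, and the Events/Event/System/EventData layout of an MMC export is assumed.

```powershell
# Added example, not from the original post. Assumes the Events/Event/System/EventData
# layout of an MMC export; Get-KeyedHash and Anonymize-EventXml are names chosen here.
Function Get-KeyedHash([string]$Value, [byte[]]$Key)
{
    # HMAC-SHA512: without $Key the output cannot be matched against a list of guessed names
    $hmac = New-Object System.Security.Cryptography.HMACSHA512 -ArgumentList @(,$Key)
    try
    {
        $bytes = $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Value))
        return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
    }
    finally { $hmac.Dispose() }
}

Function Anonymize-EventXml([xml]$Xml, [byte[]]$Key)
{
    # EventData fields that identify a user, host or client address (same list as above)
    $sensitive = @('SubjectUserName', 'SubjectUserSid', 'SubjectDomainName',
                   'TargetUserName', 'TargetUserSid', 'TargetDomainName',
                   'WorkstationName', 'IpAddress')
    foreach ($ev in $Xml.Events.Event)
    {
        if ($ev.System.Computer) { $ev.System.Computer = Get-KeyedHash $ev.System.Computer $Key }
        # Events without an EventData element yield $null here and the loop body simply never runs
        foreach ($d in $ev.EventData.Data)
        {
            $value = $d.'#text'
            if (-not $value -or $value -eq '-') { continue }   # empty or "-" placeholder: nothing to hide
            if ($sensitive -contains $d.Name)
            {
                $d.'#text' = Get-KeyedHash $value $Key
            }
            elseif ($value -like 'C:\Users\*')
            {
                # Replace only the profile folder name and keep the rest of the path intact
                $parts = $value.Split('\')
                if ($parts.Length -gt 2)
                {
                    $parts[2] = Get-KeyedHash $parts[2] $Key
                    $d.'#text' = [string]::Join('\', $parts)
                }
            }
        }
    }
}

# Fresh random key for every export; keep it locally only if you need to map tokens back later
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
$Data = [xml](Get-Content C:\temp\log_file.XML)
Anonymize-EventXml $Data $key
$Data.Save("C:\temp\log_file_anonymized.XML")
```

The document is modified in place, so the same $Data object is saved afterwards; the key is the only secret and must not travel with the exported file.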