PII and Data Scrubbing
This document describes a configuration format that we would like to hide from the user eventually. The only reason this page still exists is, because currently Relay accepts this format in alternative to regular data scrubbing settings.
The following document explores the syntax and semantics of the configuration for Advanced Data Scrubbing consumed and executed by Relay. Sometimes, this is also referred to as PII scrubbing.
Say you have an exception message which, unfortunately, contains IP addresses which are not supposed to be there. You'd write:
{
"applications": {
"$string": ["@ip:replace"]
}
}
It reads as "replace all IP addresses in all strings", or "apply @ip:replace
to all $string
fields".
@ip:replace
is called a rule, and $string
is a selector.
The following rules exist by default:
@ip:replace
and@ip:hash
for replacing IP addresses.@imei:replace
and@imei:hash
for replacing IMEIs@mac:replace
,@mac:mask
and@mac:hash
for matching MAC addresses@email:mask
,@email:replace
and@email:hash
for matching email addresses@creditcard:mask
,@creditcard:replace
and@creditcard:hash
for matching creditcard numbers@userpath:replace
and@userpath:hash
for matching local paths (e.g.C:/Users/foo/
)@password:remove
for removing passwords. In this case we're pattern matching against the field's key, whether it containspassword
,credentials
or similar strings.@anything:remove
,@anything:replace
and@anything:hash
for removing, replacing or hashing any value. It is essentially equivalent to a wildcard-regex, but it will also match much more than strings.
Rules generally consist of two parts:
- Rule types describe what to match. See PII Rule Types for an exhaustive list.
- Rule redaction methods describe what to do with the match. See PII Redaction Methods for a list.
Each page comes with examples. Try those examples out by pasting them into the "PII config" column of Piinguin and clicking on fields to get suggestions.
The easiest way to go about this is if you already have a raw JSON payload from some SDK. Go to our PII config editor Piinguin, and:
- Paste in a raw event
- Click on data you want eliminated
- Paste in other payloads and see if they look fine, go to step 2 if necessary.
After iterating on the config, paste it back into the project config located at .relay/projects/<PROJECT_ID>.json
For example:
{
"publicKeys": [
{
"publicKey": "examplePublicKey",
"isEnabled": true
}
],
"config": {
"allowedDomains": ["*"],
"piiConfig": {
"rules": {
"device_id": {
"type": "pattern",
"pattern": "d/[a-f0-9]{12}",
"redaction": {
"method": "hash"
}
}
},
"applications": {
"freeform": ["device_id"]
}
}
}
}
Our documentation is open source and available on GitHub. Your contributions are welcome, whether fixing a typo (drat!) or suggesting an update ("yeah, this would be better").