Obfuscate Traces

Overview

Protect sensitive data in your traces by masking or removing it before storage. By integrating data obfuscation directly into your traces pipeline, you maintain privacy and meet compliance requirements while still retaining the necessary operational details.

Why Obfuscate Traces?

Traces often contain sensitive information in payloads, headers, and attributes:

Personal Identifiable Information (PII) - emails, names, addresses in request/response bodies
Credentials - API keys, tokens, passwords in headers or payloads
Financial data - credit card numbers, account numbers in payment spans
Internal system details - internal IPs, service tokens in headers

Obfuscating this data helps you:

Meet compliance requirements (GDPR, PCI-DSS, HIPAA, etc.)
Protect customer privacy
Reduce security risks from leaked credentials
Maintain audit trails while removing sensitive details

Obfuscation Approaches

There are three approaches to obfuscating sensitive data in traces:

1. Automatic PII Detection with obfuscate_pii

Automatically detect and redact sensitive data, no regex required. This is the recommended approach for broad coverage with minimal configuration.

Best for: Broad PII protection across many pattern types with zero regex effort

2. Masking with replace_pattern

Replace parts of a string with a masking token (e.g., replacing email characters with asterisks). Use this when you want to preserve the field structure while hiding the sensitive value.

Best for: Custom patterns not covered by obfuscate_pii, partial masking with capture groups

3. Removing with delete_key

Remove fields that contain sensitive data entirely. Use this when the field is not required for downstream analysis.

Best for: API keys, passwords, tokens, unnecessary PII in attributes

Best Practices

Apply obfuscation to the right scope - Target specific workloads, headers, or body fields rather than applying broadly
Be specific with patterns - Avoid over-matching by using precise regex patterns
Test thoroughly - Review rules carefully before deploying
Document your rules - Use clear ruleName values to explain what each rule protects
Balance utility and privacy - Mask data in a way that preserves operational value
Combine approaches - Use obfuscate_pii for broad coverage and replace_pattern for custom patterns
Order matters - Place obfuscation rules after transformation rules so useful fields are extracted first

Automatic PII Obfuscation

The obfuscate_pii function detects and redacts sensitive data across 16 built-in patterns — without writing any regex. It scans the specified field and replaces any detected PII in-place.

obfuscate_pii is designed for zero allocations when no PII is detected, making it safe for high-throughput pipelines.

Supported Patterns

Pattern

Category

Example

Min Match Length

email

personal_info

[email protected]

credit_card

credit_card

4111-1111-1111-1111

ipv4_address

network_info

192.168.1.1

ipv6_address

network_info

::1

mac_address

network_info

11:22:33:44:55:66

url

network_info

https://example.com/path

jwt

auth_token

eyJhbGciOi...

bearer_token

auth_token

Bearer abc123xyz

aws_credential

cloud_credential

AKIAIOSFODNN7EXAMPLE

azure_credential

cloud_credential

azure_key=ABCDE...

github_token

api_token

ghp_xxxx...

gitlab_token

api_token

glpat-xxxx...

slack_token

api_token

xoxb-xxxx...

google_api_key

api_token

AIzaXXXX...

stripe_key

api_token

sk_live_xxxx...

private_key

private_key

-----BEGIN RSA PRIVATE KEY-----

Usage

obfuscate_pii(field, replacement, patterns)

Arguments:

Argument

Required

Description

field

Yes

The field to scan and obfuscate (e.g. request_body)

replacement

Yes

The string to replace detected PII with

patterns

Yes

Comma-separated list of pattern names to enable

The replacement string must be shorter than or equal to the minimum match length across all enabled patterns. For example, if ipv6_address is enabled (min match length 3), the replacement must be <= 3 characters.

When PII is detected, obfuscate_pii automatically:

Replaces the matched content in the target field
Sets pii_<pattern>_detected = "true" as a span attribute
Sets is_pii = true on the span

Common Use Cases

Obfuscate Request Body

Scan request payloads for emails and cloud credentials.

ottlRules:
  - ruleName: obfuscate_request_body
    conditions:
      - request_body != nil
    statements:
      - obfuscate_pii(request_body, "[R]", "email,aws_credential")

💡 What it does: Scans the request body for emails and AWS credentials, replacing them with [R]. Automatically sets is_pii = true and detection attributes.

Obfuscate Response Body

Protect sensitive data in API responses.

ottlRules:
  - ruleName: obfuscate_response_body
    conditions:
      - response_body != nil
      - workload == "user-service"
    conditionLogicOperator: "and"
    statements:
      - obfuscate_pii(response_body, "***", "email,credit_card,ipv4_address")

💡 What it does: Scans response bodies from the user service for emails, credit cards, and IP addresses.

Obfuscate Authorization Headers

Redact bearer tokens and JWTs in request headers.

ottlRules:
  - ruleName: obfuscate_auth_header
    conditions:
      - request_headers["authorization"] != nil
    statements:
      - obfuscate_pii(request_headers["authorization"], "[R]", "bearer_token,jwt")

💡 What it does: Detects and redacts bearer tokens and JWTs in the Authorization header.

Scan All Request Headers

Scan every entry in request headers for sensitive data.

ottlRules:
  - ruleName: "scan_all_headers"
    conditions:
      - request_headers != nil
    statements:
      - obfuscate_pii(request_headers, "[R]", "bearer_token,jwt,aws_credential")

💡 What it does: Scans all request header values for tokens and credentials, without needing to specify individual header names.

Obfuscate Span Attributes

Redact sensitive values stored in span attributes.

ottlRules:
  - ruleName: "obfuscate_user_email"
    conditions:
      - attributes["user_email"] != nil
    statements:
      - obfuscate_pii(attributes["user_email"], "[R]", "email")

💡 What it does: Detects and redacts email addresses in the user_email attribute.

Manual Obfuscation with replace_pattern

For custom patterns not covered by obfuscate_pii, use replace_pattern with regex.

Mask SSN in Attributes

ottlRules:
  - ruleName: mask_ssn
    conditions:
      - attributes["ssn"] != nil
    statements:
      - set(is_pii, true)
      - replace_pattern(attributes["ssn"], "[0-9]{3}-[0-9]{2}-[0-9]{4}", "XXX-XX-XXXX")

💡 Example: 123-45-6789 → XXX-XX-XXXX

Redact Passwords in Request Body

ottlRules:
  - ruleName: redact_passwords
    conditions:
      - request_body != nil
      - IsMatch(request_body, "password")
    conditionLogicOperator: "and"
    statements:
      - replace_pattern(request_body, "(\"password\"\\s*:\\s*\")[^\"]+\"", "$1[REDACTED]\"")

💡 Example: {"password": "secret123"} → {"password": "[REDACTED]"}

Redact Entire Response from Sensitive Server

ottlRules:
  - ruleName: redact_secret_server_responses
    conditions:
      - workload == "vault-service"
    statements:
      - set(response_body, "<REDACTED>")
      - set(is_pii, true)

💡 What it does: Completely replaces the response body for all spans from the vault service.

Redact Cookie Headers

ottlRules:
  - ruleName: redact_cookies
    statements:
      - set(request_headers["cookie"], "[REDACTED]") where request_headers["cookie"] != nil
      - set(response_headers["set-cookie"], "[REDACTED]") where response_headers["set-cookie"] != nil

💡 What it does: Removes cookie values from both request and response headers.

Removing Sensitive Attributes

Use delete_key to completely remove sensitive fields.

ottlRules:
  - ruleName: remove_sensitive_attributes
    conditions:
      - workload == "auth-service"
    statements:
      - delete_key(attributes, "api_key")
      - delete_key(attributes, "secret_token")
      - delete_key(attributes, "password_hash")

💡 What it does: Removes the entire api_key, secret_token, and password_hash attributes from auth service spans.

Key Functions

obfuscate_pii

Automatically detects and redacts sensitive data across built-in PII patterns.

Syntax:

- 'obfuscate_pii(field, "replacement", "pattern1,pattern2,...")'

Supported targets:

request_body / response_body — scan payloads
attributes["key"] — scan a specific attribute
attributes — scan ALL attributes
request_headers["key"] — scan a specific header
request_headers / response_headers — scan ALL headers

Available patterns: email, credit_card, ipv4_address, ipv6_address, mac_address, url, jwt, bearer_token, aws_credential, azure_credential, github_token, gitlab_token, slack_token, google_api_key, stripe_key, private_key

replace_pattern

Replaces text matching a pattern with a replacement string.

Syntax:

- 'replace_pattern(target_field, "pattern", "replacement")'

With capture groups:

- 'replace_pattern(target_field, "(keep_this)remove_this(keep_this)", "$1****$2")'

delete_key

Completely removes a field from the attributes.

Syntax:

- 'delete_key(attributes, "field_name")'

Last updated 16 hours ago

hashtagObfuscate Traces

Obfuscate Traces