How Does Data Obfuscation Work?
Before you configure data obfuscation in your JSA deployment, you must understand how it works for new and existing offenses, assets, rules, and log source extensions.
Existing Event Data
When a data obfuscation profile is enabled, the system masks the data for each event as it is received by JSA. Events that the appliance received before data obfuscation was configured are not retroactively masked: they remain in their original unobfuscated state and users can still see that information.
Likewise, after data obfuscation is configured, the asset model accumulates masked values, but the asset model data that existed before the profile was enabled remains unmasked.
To prevent anyone from correlating the unmasked asset data with obfuscated event data to recover the original values, purge the asset model data to remove the unmasked entries. JSA then repopulates the asset database with obfuscated values.
To ensure that offenses do not display data that was previously unmasked, close all existing offenses by resetting the SIM model. For more information, see Resetting SIM.
You must also update any rules that depend on data that was previously unmasked. For example, a rule that tests for a specific user name no longer fires once that field is obfuscated, because the stored value is the obfuscated token rather than the original user name.
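The following simulation, added here as an illustration and not taken from JSA or its documentation, shows the three effects described above on a constructed event stream: events received before the profile is enabled stay in the clear, a rule written against the literal user name stops matching once the field is masked, and the unmasked pre-profile asset data lets a token be traced back to the original user name until that data is purged. The masking function (a keyed HMAC token), the key, the field names and the sample events are assumptions of this example; JSA's own masking algorithm is not modelled.

```python
import hmac
import hashlib

# Assumptions of this simulation, not JSA's implementation: the key, the
# field that is masked, and the moment the profile is switched on.
MASK_KEY = b"profile-key-for-demo"
ENABLED_AT = 3  # profile enabled just before the event with received=3

def mask(value: str) -> str:
    """Deterministic keyed token: equal inputs give equal tokens, so rules can
    still correlate on the field, but the original cannot be recovered
    without the key."""
    digest = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "OBF-" + digest[:16]

# Constructed raw events in arrival order (received = arrival sequence).
RAW_EVENTS = [
    {"received": 1, "src_ip": "10.0.0.5", "username": "admin",  "action": "login"},
    {"received": 2, "src_ip": "10.0.0.9", "username": "jsmith", "action": "login"},
    {"received": 3, "src_ip": "10.0.0.5", "username": "admin",  "action": "login"},
    {"received": 4, "src_ip": "10.0.0.5", "username": "admin",  "action": "sudo"},
    {"received": 5, "src_ip": "10.0.0.9", "username": "jsmith", "action": "logout"},
]

def ingest(events, enabled_at=ENABLED_AT, field="username"):
    """Mask the field only on events received after the profile is enabled;
    earlier events are stored exactly as received."""
    stored = []
    for ev in events:
        ev = dict(ev)
        ev["masked"] = ev["received"] >= enabled_at
        if ev["masked"]:
            ev[field] = mask(ev[field])
        stored.append(ev)
    return stored

def rule_matches(stored, username_literal):
    """A rule of the form 'username equals <literal>'; returns the received
    ids of the events it fires on."""
    return [ev["received"] for ev in stored if ev["username"] == username_literal]

def build_asset_model(stored):
    """Asset model as ip -> set of username values seen, clear or masked,
    whatever was stored for the event."""
    model = {}
    for ev in stored:
        model.setdefault(ev["src_ip"], set()).add(ev["username"])
    return model

def trace_back(stored, model, token):
    """Attacker-style inference: which clear-text user names share a source IP
    with this obfuscated token? Non-empty means the masking can be undone."""
    ips = {ev["src_ip"] for ev in stored if ev["username"] == token}
    return {u for ip in ips for u in model.get(ip, set()) if not u.startswith("OBF-")}

def purge_unmasked(stored):
    """Equivalent of purging the asset model and letting it repopulate from
    events received after the profile was enabled."""
    return build_asset_model([ev for ev in stored if ev["masked"]])

if __name__ == "__main__":
    stored = ingest(RAW_EVENTS)
    print("old rule 'username = admin' fires on:", rule_matches(stored, "admin"))
    print("updated rule on the token fires on:", rule_matches(stored, mask("admin")))
    model = build_asset_model(stored)
    print("trace-back before purge:", trace_back(stored, model, mask("admin")))
    print("trace-back after purge:", trace_back(stored, purge_unmasked(stored), mask("admin")))
```

Running it shows the old rule firing only on event 1, the token-based rule firing on events 3 and 4, and the trace-back recovering "admin" from the unmasked asset entry for 10.0.0.5 until that entry is purged, after which nothing is recoverable. This is why the purge and the rule update have to go together: the rule update keeps detection working on masked data, and the purge removes the clear-text data that would otherwise undo the masking.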
Log Source Extensions
Log source extensions that change the format of the event payload can cause issues with data obfuscation: if an extension rewrites the payload, the data that the profile is meant to mask might no longer be where the profile expects it. After you add or change a log source extension, check that new events from that log source are still masked as intended.