
Scenario: Obfuscating User Names

 

You are a JSA administrator. Your organization has an agreement with the workers union that all personally identifiable information must be hidden from JSA users. You want to configure JSA to hide all user names.

Use the Data Obfuscation Management feature on the Admin tab to configure JSA to hide the data:

  1. Create a data obfuscation profile and download the system-generated private key. Save the key in a secure location.

  2. Create the data obfuscation expressions to target the data that you want to hide.

  3. Enable the profile so that the system begins to obfuscate the data.

  4. To read the data in JSA, upload the private key to deobfuscate the data.

Creating a Data Obfuscation Profile

JSA uses data obfuscation profiles to determine which data to mask, and to ensure that the correct keystore is used to unmask the data.

You can create a profile that creates a new keystore or you can use an existing keystore. If you create a keystore, it must be downloaded and stored in a secure location. Remove the keystore from the local system and store it in a location that can be accessed only by users who are authorized to view the unmasked data.

Configuring profiles that use different keystores is useful when you want to limit data access to different groups of users. For example, create two profiles that use different keystores when you want one group of users to see user names and another group of users to see host names.

  1. On the navigation menu, click Admin.
  2. In the Data Sources section, click Data Obfuscation Management.
  3. To create a new profile, click Add and type a unique name and description for the profile.
  4. To create a new keystore for the profile, complete these steps:
    1. Click System generate keystore.

    2. In the Provider list box, select IBMJCE.

    3. In the Algorithm list box, select JCE and select whether to generate 512-bit or 1024-bit encryption keys.

      In the Keystore Certificate CN box, the fully qualified domain name for the JSA server is auto-populated.

    4. In the Keystore password box, enter the keystore password.

      The keystore password is required to protect the integrity of the keystore. The password must be at least 8 characters in length.

    5. In the Verify keystore password box, retype the password.

  5. To use an existing keystore with the profile, complete these steps:
    1. Click Upload keystore.

    2. Click Browse and select the keystore file.

    3. In the Keystore password box, type the password for the keystore.

  6. Click Submit.
  7. Download the keystore. Remove the keystore from your system and store it in a secure location.

Next, create data obfuscation expressions that target the data that you want to hide.

Creating Data Obfuscation Expressions

The data obfuscation profile uses expressions to specify which data to hide from JSA users. The expressions can use either field-based properties or regular expressions.

After an expression is created, you cannot change the type. For example, you cannot create a property-based expression and then later change it to a regular expression.

You cannot hide a normalized numeric field, such as port number or an IP address.

Multiple expressions that hide the same data cause data to be hidden twice. To decrypt data that is obfuscated multiple times, each keystore that is used in the obfuscation process must be applied in the order that the obfuscation occurred.

  1. On the navigation menu, click Admin.
  2. In the Data Sources section, click Data Obfuscation Management.
  3. Click the profile that you want to configure, and click View Contents.

    You cannot configure profiles that are locked.

  4. To create a new data obfuscation expression, click Add and type a unique name and description for the profile.
  5. Select the Enabled check box to enable the profile.
  6. Optional: To apply the obfuscation expression to specific domains or tenants, select them from the Domain field. Or select All Domains to apply the obfuscation expression to all domains and tenants.
  7. To create a field-based expression, click Field Based and select the field type to obfuscate.
  8. To create a regular expression, click RegEx and configure the regex properties.
  9. Click Save.

Deobfuscating Data So That It Can Be Viewed in the Console

When data obfuscation is configured on a JSA system, the masked version of the data is shown throughout the application. You must have both the corresponding keystore and the password to deobfuscate the data so that it can be viewed.

You must be an administrator and have the private key and the password for the key before you can deobfuscate data. The private key must be on your local computer.

Before you can see the obfuscated data, you must upload the private key. After the key is uploaded, it remains available on the system for the duration of the current session. The session ends when you log out of JSA, when the cache is cleared on the JSA console, or when there is an extended period of inactivity. When the session ends, the private keys that were uploaded in the previous session are no longer visible.

JSA can use the keys available in the current session to automatically deobfuscate data. With auto-deobfuscation enabled, you do not have to repeatedly select the private key on the Obfuscation Session Key window each time that you want to view the data. Auto-deobfuscate is automatically disabled when the current session ends.

  1. On the Event Details page, find the data that you want to deobfuscate.
  2. To deobfuscate identity-based data:
    1. Click the lock icon next to the data that you want to deobfuscate.

    2. In the Upload Key section, click Select File and select the keystore to upload.

    3. In the Password box, type the password that matches the keystore.

    4. Click Upload.

      The Deobfuscation window shows the event payload, the profile names that are associated with the keystore, the obfuscated text, and the deobfuscated text.

    5. Optional: Click Toggle Auto Deobfuscate to enable auto-deobfuscation.

      After you toggle the auto-deobfuscation setting, you must refresh the browser window and reload the event details page for the changes to appear.

  3. To deobfuscate payload data that is not identity-based:
    1. On the toolbar on the Event Details page, click Obfuscation > Deobfuscation keys.

    2. In the Upload Key section, click Select File and select the private key to upload.

    3. In the Password box, type the password that matches the private key and click Upload.

    4. In the Payload information box, select and copy the obfuscated text to the clipboard.

    5. On the toolbar on the Event Details page, click Obfuscation > Deobfuscation.

    6. Paste the obfuscated text into the dialog box.

    7. Select the obfuscation profile from the drop-down list and click Deobfuscate.

Editing or Disabling Obfuscation Expressions Created in Previous Releases

When you upgrade to JSA 2014.6, data obfuscation expressions that were created in previous releases are automatically carried forward and continue to obfuscate data. These expressions appear in a single data obfuscation profile, named AutoGeneratedProperty.

Although you can see the expressions, you cannot edit or disable data obfuscation expressions that were created in earlier versions. You must manually disable them and create a data obfuscation profile that contains the revised expressions.

To disable an old expression, you must edit the XML configuration file that defines the attributes for the expression. You can then run the obfuscation_updater.sh script to disable it.

Ensure that you disable old expressions before you create new expressions that obfuscate the same data. Multiple expressions that obfuscate the same data cause the data to be obfuscated twice. To decrypt data that is obfuscated multiple times, each keystore that is used in the obfuscation process must be applied in the order that the obfuscation occurred.

  1. Use SSH to log in to your JSA Console as the root user.
  2. Edit the obfuscation expressions .xml configuration file that you created when you configured the expressions.
  3. For each expression that you want to disable, change the Enabled attribute to false.
  4. To disable the expressions, run the obfuscation_updater.sh script by typing the following command:

    obfuscation_updater.sh [-p <path_to_private_key>] [-e <path_to_obfuscation_xml_config_file>]

    The obfuscation_updater.sh script is in the /opt/qradar/bin directory, but you can run the script from any directory on your JSA Console.
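
Before running the updater, it helps to confirm exactly which legacy expressions are still enabled, because an old expression left on alongside a new one obfuscates the same data twice. The following is an added example, not code from JSA or from this documentation: it flips the Enabled attribute for named expressions and reports what remains enabled. Only the Enabled attribute comes from this page; the element names, the name attribute, and the sample file content are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The real layout of the expressions file is not shown on
# this page: the element names and the "name" attribute are hypothetical.
# Only the Enabled attribute is taken from the documented procedure.
SAMPLE_XML = """<ObfuscationExpressions>
  <Expression name="LegacyUserName" Enabled="true"/>
  <Expression name="LegacyHostName" Enabled="true"/>
  <Expression name="LegacyEmail" Enabled="false"/>
</ObfuscationExpressions>"""


def enabled_state(root):
    """Map expression name -> True/False for every element with an Enabled attribute."""
    return {
        el.get("name"): el.get("Enabled", "").strip().lower() == "true"
        for el in root.iter()
        if "Enabled" in el.attrib
    }


def disable_expressions(xml_text, names):
    """Set Enabled="false" on the named expressions.

    Returns (new_xml_text, names_actually_changed). Raises KeyError when a
    requested name is not in the file, so a typo cannot silently leave an
    old expression active.
    """
    names = set(names)
    root = ET.fromstring(xml_text)
    state = enabled_state(root)
    missing = sorted(names - set(state))
    if missing:
        raise KeyError(f"no expression with an Enabled attribute named {missing}")
    changed = []
    for el in root.iter():
        name = el.get("name")
        if "Enabled" in el.attrib and name in names and state[name]:
            el.set("Enabled", "false")
            changed.append(name)
    return ET.tostring(root, encoding="unicode"), changed


def still_enabled(xml_text):
    """List the expressions that would keep obfuscating data after the update."""
    return sorted(n for n, on in enabled_state(ET.fromstring(xml_text)).items() if on)


if __name__ == "__main__":
    updated, changed = disable_expressions(SAMPLE_XML, ["LegacyUserName"])
    print("disabled:", changed)
    print("still enabled:", still_enabled(updated))
```

Review the still-enabled list against the expressions in your new profile before you pass the edited file to obfuscation_updater.sh with -e.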

Next, create data obfuscation expressions to obfuscate data and manage obfuscation expressions directly in JSA.