Data Obfuscation Expressions

Data obfuscation expressions identify the data to hide. You can create data obfuscation expressions that are based on field-based properties or you can use regular expressions.

Field-based Properties

Use a field-based property to hide user names, group names, host names, and NetBIOS names. Expressions that use field-based properties obfuscate all instances of the data string. The data is hidden regardless of its log source, log source type, event name, or event category.

If the same data value exists in more than one of the fields, the data is obfuscated in all fields that contain the data even if you configured the profile to obfuscate only one of the four fields. For example, if you have a host name that is called JSAHost and a group name that is called JSAHost, the value JSAHost is obfuscated in both the host name field and the group name field even if the data obfuscation profile is configured to obfuscate only host names.

Regular Expressions

Use a regular expression to obfuscate one data string in the payload. The data is hidden only if it matches the log source, log source type, event name, or category that is defined in the expression.

You can use high-level and low-level categories to create a regular expression that is more specific than a field-based property. For example, you can use the following regex patterns to parse user names:

Table 1: Regex User Name Parsing

Example regex pattern: usrName=([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,20})$
Matches: username@companyname.com

Example regex pattern: usrName=(^([\w]+[^\W])([^\W]\.?)([\w]+[^\W]$))
Matches: username

Example regex pattern: usrName=^([a-zA-Z])[a-zA-Z_-]*[\w_-]*[\S]$|^([a-zA-Z])[0-9_-]*[\S]$|^[a-zA-Z]*[\S]$
Matches: username

Example regex pattern: usrName=(\S+)
Matches: Any non-white space after the equal sign (=). This regular expression is non-specific and can lead to system performance issues.

Example regex pattern: msg=([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z]))*@\b(([01]?\d?\d|2[0-4]\d|25[0-5])\.){3}([01]?\d?\d|2[0-4]\d|25[0-5])\b
Matches: Users with IP address. For example, username@10.1.1.1

Example regex pattern: src=\b(([01]?\d?\d|2[0-4]\d|25[0-5])\.){3}([01]?\d?\d|2[0-4]\d|25[0-5])\b
Matches: IP address formats.

Example regex pattern: host=^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$
Matches: hostname.companyname.com
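
A way to check what a user-name expression from Table 1 would hide before it goes into a profile. This is an added example, not code from JSA or from this documentation. Assumptions: Python's re module stands in for the product's regex engine, capture group 1 is treated as the data string to hide, and the MASK value, the preview function and both sample payloads are constructed for illustration.

```python
import re

# Two user-name patterns from Table 1, each written on a single line.
EMAIL_USER = (r"usrName=([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@"
              r"([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,20})$")
ANY_USER = r"usrName=(\S+)"  # \S = non-whitespace, as the Matches text describes

MASK = "<obfuscated>"  # assumption: placeholder for the hidden value

# Constructed sample payloads (not real logs).
P_END = "<13>Jan 10 10:00:01 fw01 login ok src=10.1.1.1 usrName=jdoe@example.com"
P_MID = "<13>Jan 10 10:00:02 fw01 login ok usrName=jdoe@example.com;session=ab12 src=10.1.1.1"


def preview(pattern, payload):
    """Return (hidden_text, masked_payload); (None, payload) if no match.

    Assumption: capture group 1 is the data string that gets hidden.
    """
    m = re.search(pattern, payload)
    if m is None:
        return None, payload
    start, end = m.span(1)
    return payload[start:end], payload[:start] + MASK + payload[end:]


if __name__ == "__main__":
    for name, pattern in (("EMAIL_USER", EMAIL_USER), ("ANY_USER", ANY_USER)):
        for payload in (P_END, P_MID):
            hidden, masked = preview(pattern, payload)
            print(f"{name}: hidden={hidden!r}\n  {masked}")
```

On these samples the `$`-anchored pattern hides nothing when the user name is not the last field in the payload, so the name stays in clear text. The non-specific `\S+` pattern always matches but also swallows the adjoining `;session=ab12` text.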