Data Obfuscation Expressions
Data obfuscation expressions identify the data to hide. You can create data obfuscation expressions that are based on field-based properties or you can use regular expressions.
Field-based Properties
Use a field-based property to hide user names, group names, host names, and NetBIOS names. Expressions that use field-based properties obfuscate all instances of the data string. The data is hidden regardless of its log source, log source type, event name, or event category.
If the same data value exists in more than one of the fields, the data is obfuscated in all fields that contain the data even if you configured the profile to obfuscate only one of the four fields. For example, if you have a host name that is called JSAHost and a group name that is called JSAHost, the value JSAHost is obfuscated in both the host name field and the group name field even if the data obfuscation profile is configured to obfuscate only host names.
Regular Expressions
Use a regular expression to obfuscate one data string in the payload. The data is hidden only if it matches the log source, log source type, event name, or category that is defined in the expression.
You can use high-level and low-level categories to create a regular expression that is more specific than a field-based property. For example, you can use the following regex patterns to parse user names:
Example regex patterns | Matches |
---|---|
usrName=([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,20})$ | |
usrName=(^([\w]+[^\W])([^\W]\.?)([\w]+[^\W]$)) | |
usrName=^([a-zA-Z])[a-zA-Z_-]*[\w_-]*[\S]$|^([a-zA-Z])[0-9_-]*[\S]$|^[a-zA-Z]*[\S]$ | |
usrName=(\S+) | Matches any non-white space after the equal sign (=). This regular expression is non-specific and can lead to system performance issues. |
msg=([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z]))*@\b(([01]?\d?\d|2[0-4]\d|25[0-5])\.){3}([01]?\d?\d|2[0-4]\d|25[0-5])\b | Matches users with IP address. For example, |
src=\b(([01]?\d?\d|2[0-4]\d|25[0-5])\.){3}([01]?\d?\d|2[0-4]\d|25[0-5])\b | Matches IP address formats. |
host=^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$ | |
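The sketch below is an added example, not JSA code and not part of the original documentation. It checks candidate expressions against constructed payloads before they go into a profile, using the non-white-space `usrName=` pattern and the `src=` pattern from the table, and shows how much of a payload each one would cover. `TIGHT_USER`, the sample payloads and the `*` mask preview are assumptions for illustration; JSA's own obfuscation output is not modelled.

```python
import re

# From the table: the non-specific user pattern, written with \S (the
# non-white-space class its description refers to), and the src= pattern.
BROAD_USER = r"usrName=(\S+)"
SRC_IP = r"src=\b(([01]?\d?\d|2[0-4]\d|25[0-5])\.){3}([01]?\d?\d|2[0-4]\d|25[0-5])\b"
# Hypothetical tighter alternative (not from the page): stop at delimiters.
TIGHT_USER = r"usrName=([\w.@-]+)"

# Constructed payloads, not real logs.
PAYLOADS = [
    "action=login usrName=jdoe src=192.0.2.10 result=ok",   # space-delimited
    "action=login;usrName=jdoe;src=192.0.2.10;result=ok",   # no white space
    "action=login usrName=jdoe src=999.1.1.1 result=ok",    # invalid octet
]


def _locate(pattern, payload):
    """Return (start, value) for the text after 'key=' in the match, or None."""
    m = re.search(pattern, payload)
    if m is None:
        return None
    offset = m.group(0).index("=") + 1
    return m.start() + offset, m.group(0)[offset:]


def matched_value(pattern, payload):
    """The value the expression would select, or None if it does not match."""
    hit = _locate(pattern, payload)
    return None if hit is None else hit[1]


def mask_preview(pattern, payload, mask="*"):
    """Payload with the selected value masked, for reviewing scope only."""
    hit = _locate(pattern, payload)
    if hit is None:
        return payload
    start, value = hit
    return payload[:start] + mask * len(value) + payload[start + len(value):]


if __name__ == "__main__":
    for name, pat in (("broad", BROAD_USER), ("tight", TIGHT_USER), ("src", SRC_IP)):
        for p in PAYLOADS:
            print(f"{name:5} {matched_value(pat, p)!r:34} {mask_preview(pat, p)}")
```

On the payload without white space, the broad pattern selects everything from the user name to the end of the line, while the delimiter-aware pattern selects only `jdoe`.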