Creating data obfuscation expressions

The data obfuscation profile uses expressions to specify which data to hide from IBM QRadar users. The expressions can use either field-based properties or regular expressions.

About this task

After an expression is created, you cannot change the type. For example, you cannot create a property-based expression and then later change it to a regular expression.

You cannot hide a normalized numeric field, such as port number or an IP address.

Multiple expressions that hide the same data cause data to be hidden twice. To decrypt data that is hidden multiple times, each keystore that is used in the obfuscation process must be applied in the order that the obfuscation occurred.

Procedure

  1. On the navigation menu ( Navigation menu icon ), click Admin.
  2. In the Data Sources section, click Data Obfuscation Management.
  3. Click the profile that you want to configure, and click View Contents.
    You cannot configure profiles that are locked.
  4. To create a new data obfuscation expression, click Add and type a unique name and description for the profile.
  5. Select the Enabled check box to enable the profile.
  6. Optional: To apply the obfuscation expression to specific domains or tenants, select them from the Domain field. Or select All Domains to apply the obfuscation expression to all domains and tenants.
  7. To create a field-based expression, click Field Based and select the field type to obfuscate.
  8. To create a regular expression, click RegEx and configure the regex properties.
  9. Click Save.