Deobfuscating data so that it can be viewed in the console

When data obfuscation is configured on an IBM® QRadar® system, the masked version of the data is shown throughout the application. You must have both the corresponding keystore and the password to deobfuscate the data so that it can be viewed.

Before you begin

You must be an administrator and have the private key and the password for the key before you can deobfuscate data. The private key must be on your local computer.

About this task

Before you can see the obfuscated data, you must upload the private key. After the key is uploaded, it remains available on the system for the duration of the current session. The session ends when you log out of QRadar, when the cache is cleared on the QRadar Console, or when there is an extended period of inactivity. When the session ends, the private keys that were uploaded in the previous session are no longer visible.

QRadar can use the keys available in the current session to automatically deobfuscate data. With auto-deobfuscation enabled, you do not have to repeatedly select the private key on the Obfuscation Session Key window each time that you want to view the data. Auto-deobfuscate is automatically disabled when the current session ends.

Procedure

  1. On the Event Details page, find the data that you want to deobfuscate.
  2. To deobfuscate identity-based data:
    1. Click the lock icon next to the data that you want to deobfuscate.
    2. In the Upload Key section, click Select File and select the keystore to upload.
    3. In the Password box, type the password that matches the keystore.
    4. Click Upload.

      The Deobfuscation window shows the event payload, the profile names that are associated with the keystore, the obfuscated text, and the deobfuscated text.

    5. Optional: Click Toggle Auto Deobfuscate to enable auto-deobfuscation.

      After you toggle the auto-deobfuscation setting, you must refresh the browser window and reload the event details page for the changes to appear.

  3. To deobfuscate payload data that is not identity-based:
    1. On the toolbar on the Event Details page, click Obfuscation > Deobfuscation keys.
    2. In the Upload Key section, click Select File and select the private key to upload.
    3. In the Password box, type the password that matches the private key and click Upload.
    4. In the Payload information box, select and copy the obfuscated text to the clipboard.
    5. On the toolbar on the Event Details page, click Obfuscation > Deobfuscation.
    6. Paste the obfuscated text into the dialog box.
    7. Select the obfuscation profile from the drop-down list and click Deobfuscate.