Editing or disabling obfuscation expressions created in previous releases

When you upgrade to IBM QRadar V7.2.6, data obfuscation expressions that were created in previous releases are automatically carried forward and continue to obfuscate data. These expressions appear in a single data obfuscation profile, named AutoGeneratedProperty.

Although you can see the expressions, you cannot edit or disable data obfuscation expressions that were created in earlier versions. Instead, you must manually disable them and create a data obfuscation profile that contains the revised expressions.

About this task

To disable an old expression, you must edit the XML configuration file that defines the attributes for the expression. You can then run the obfuscation_updater.sh script to disable it.

Ensure that you disable old expressions before you create new expressions that obfuscate the same data. Multiple expressions that obfuscate the same data cause the data to be obfuscated twice. To decrypt data that is obfuscated multiple times, each keystore that is used in the obfuscation process must be applied in the order that the obfuscation occurred.

Procedure

  1. Use SSH to log in to your QRadar Console as the root user.
  2. Edit the obfuscation expressions .xml configuration file that you created when you configured the expressions.
  3. For each expression that you want to disable, change the Enabled attribute to false.
  4. To disable the expressions, run the obfuscation_updater.sh script by typing the following command:

    obfuscation_updater.sh [-p <path_to_private_key>] [-e <path_to_obfuscation_xml_config_file>]

    The obfuscation_updater.sh script is in the /opt/qradar/bin directory, but you can run the script from any directory on your QRadar Console.
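The following added example (not IBM's code) shows one way to perform step 3 in bulk and to confirm which expressions remain enabled before you run obfuscation_updater.sh, so that a new profile does not obfuscate the same data twice. Only the Enabled attribute comes from this procedure; the element names, the name attribute, and the sample file content are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the element names and the "name" attribute are
# assumptions. Only the Enabled attribute comes from the procedure above.
SAMPLE = """<ObfuscationExpressions>
  <Expression name="UsernameMask" Enabled="true"/>
  <Expression name="SourceIPMask" Enabled="true"/>
  <Expression name="HostMask" Enabled="false"/>
</ObfuscationExpressions>"""


def disable_expressions(xml_text, names, id_attr="name"):
    """Set Enabled="false" on every element whose id_attr is in names.

    Returns (new_xml, changed, still_enabled, missing) so the operator can
    see what was switched off, what still obfuscates data, and which
    requested names were not present in the file at all.
    """
    root = ET.fromstring(xml_text)
    wanted = set(names)
    changed, still_enabled, seen = [], [], set()
    for elem in root.iter():
        if "Enabled" not in elem.attrib:
            continue  # element does not carry the Enabled attribute
        ident = elem.get(id_attr, "")
        seen.add(ident)
        enabled = elem.get("Enabled").strip().lower() == "true"
        if ident in wanted:
            if enabled:
                elem.set("Enabled", "false")
                changed.append(ident)
        elif enabled:
            still_enabled.append(ident)
    missing = sorted(wanted - seen)
    return ET.tostring(root, encoding="unicode"), changed, still_enabled, missing


if __name__ == "__main__":
    new_xml, changed, still_enabled, missing = disable_expressions(
        SAMPLE, ["UsernameMask", "HostMask", "NoSuchExpr"])
    print("disabled now:", changed)
    print("left enabled:", still_enabled)
    print("not found in file:", missing)
    print(new_xml)
```

Keep a copy of the original configuration file before you write the modified XML back, and treat any name reported as not found as a reason to recheck the file before you run the updater.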

What to do next

Create a data obfuscation profile to obfuscate data and manage obfuscation expressions directly in QRadar.