IBM Support

QRadar: How Data Obfuscation works

How To


Summary

This article contains information on how the Data Obfuscation tool works and how to configure it.

Steps

What Is Data Obfuscation

This tool hides sensitive data found in events without dropping or deleting the event or the sensitive data itself. It was designed to hide sensitive information, but it can be used with any data.

For example, if the account number in the next event was sensitive:

<38>Sep 24 11:21:28 10.10.10.1 TransactionNumber="1234567890" Amount="1,234" 
AccountNumber="1234-567-890" Owner="John Johnson" City="Alberta".

Obfuscation replaces that account number with a random-looking character combination:

<38>Sep 24 11:21:28 10.10.10.1 TransactionNumber="1234567890" Amount="1,234" 
AccountNumber="Ww2z7nLaBxwVOtCOm/TR6A" Owner="John Johnson" City="Alberta".

The field then shows a padlock icon; a user who has the key and the password can click it to see the deobfuscated text:

image 12702

This action protects the sensitive information from unauthorized access. The data is still accessible, but only to users who have the key and the password.

Important Notes:

  • During the configuration, the admin is asked to create a password. If this password is lost, the obfuscated data cannot be deobfuscated.
  • During the configuration, the system creates a key. This key needs to be downloaded and stored safely; if it is lost, the obfuscated data cannot be deobfuscated.
  • Obfuscated data cannot be used in searches.

How to Configure Data Obfuscation

Follow the next steps to enable data obfuscation.

Important Notes:

  • During the configuration, the admin is asked to create a password. If this password is lost, the obfuscated data cannot be deobfuscated.
  • During the configuration, the system creates a key. This key needs to be downloaded and stored safely; if it is lost, the obfuscated data cannot be deobfuscated.

Add a new data obfuscation profile

  1. In QRadar, go to the Admin tab. In the Data Sources section, click Data Obfuscation Management:
    image 12703
  2. Click Add.
    image 12704
  3. A new window pops up. Enter the Profile Name and the password. Save this password: it is requested whenever someone tries to modify the obfuscation configuration or to view the obfuscated data. 
    image 12705
    Once done, click Save.
  4. After Save, another window pops up to download the key. Save this key too, as it is also requested when a configuration change is needed: 
    image-20220713154024-1

Add a new Data Obfuscation Expression

A data obfuscation expression is the configuration that tells QRadar where to find the data that needs to be obfuscated.

An expression needs to be added for each field and log source type; one profile can have multiple expressions.

There are two methods, Field Name and RegEx. The Field Name option lets you pick from a list of field names; the next steps explain how to configure a RegEx.

For example, if the account number in the next event is the sensitive information that needs to be obfuscated:

<38>Sep 24 11:21:28 10.10.10.1 TransactionNumber="1234567890" Amount="1,234" 
AccountNumber="1234-567-890" Owner="John Johnson" City="Alberta".

Follow the next steps:

  1. To open the Data Obfuscation Expression section, double-click the profile name or select the profile name and click View Contents:
    image 12706
  2. Click Add.
    image-20220714074646-1
  3. Give it a name, select a Domain (if needed), then select RegEx:
    image 12707
  4. After the RegEx option is selected, enter the regex that matches the field to obfuscate. 

    Then, pick the Log Source Type and, if needed, pick the Log Source and the Level Category; to apply the configuration to the whole Log Source Type, choose <any> for the other options:
    image 12708
    Finally, click Save.

Enable the Data Obfuscation

By default, the profile and the expression are disabled; both have to be enabled before the changes appear in the data.

  1. To enable the expression, select the expression and click Enable/Disable:
    image 12709
  2. To enable the profile, select the profile and click Enable/Disable:
    image 12710

Lock the profile

Finally, to prevent anyone else from changing the obfuscation configuration, lock the profile.

This action locks the obfuscation; if a change is needed on this profile or its expressions, QRadar requests the key and the password:
image 12715

To lock the profile, select the profile and click the Lock/Unlock button:
image 12714

Result:

After that, the data goes from plain text (check the Account Number column):
image 12712

to encrypted (check the Account Number column):
image 12713

How to See Obfuscated Data

  1. Go to Log Activity, open the event and find the field; it has a small padlock on it:
    image 12716
  2. Click the padlock. A new window is displayed asking for the Key and the Password; enter this information, then click Upload:
    image 12717
  3. After the key and the password are entered, the obfuscated information is shown:
    image-20220713160123-2
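The round trip the article describes, as an added Python example: an expression whose capture group selects the field value, the value replaced in place with a token while the rest of the event is kept, a search for the original value that no longer matches the stored event (the "cannot be used in searches" note), and recovery only with the key and the password. This is not part of the IBM article and not QRadar's code: the events are constructed, and the PBKDF2 key derivation and the SHA-256 counter-mode cipher are stand-ins, since the article does not describe the scheme QRadar uses.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed sample events, in the same shape as the article's example event.
EVENTS = [
    '<38>Sep 24 11:21:28 10.10.10.1 TransactionNumber="1234567890" Amount="1,234" '
    'AccountNumber="1234-567-890" Owner="John Johnson" City="Alberta".',
    '<38>Sep 24 11:22:03 10.10.10.1 TransactionNumber="1234567891" Amount="99" '
    'AccountNumber="9876-543-210" Owner="Jane Doe" City="Calgary".',
]

# The obfuscation expression: the single capture group selects the value to
# replace; the field name and quotes outside the group are left untouched.
ACCOUNT_EXPR = re.compile(r'AccountNumber="([^"]*)"')


def derive_key(profile_key: bytes, password: str) -> bytes:
    """Bind the downloaded profile key and the profile password into one
    working key (assumption: PBKDF2; the article does not say how QRadar
    combines them). Losing either input makes the data unrecoverable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), profile_key, 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a stand-in keystream (not QRadar's cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def obfuscate_value(value: str, key: bytes) -> str:
    """Encrypt one field value under a fresh nonce, append an HMAC tag, and
    return a URL-safe base64 token so it still fits inside the quoted field."""
    nonce = os.urandom(8)
    plaintext = value.encode()
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()[:8]
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode().rstrip("=")


def deobfuscate_value(token: str, key: bytes) -> str:
    """Reverse obfuscate_value; fails unless the same key and password were used."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    nonce, ciphertext, tag = raw[:8], raw[8:-8], raw[-8:]
    expected = hmac.new(key, nonce + ciphertext, "sha256").digest()[:8]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or password, or token altered")
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode()


def obfuscate_event(event: str, expr: re.Pattern, key: bytes) -> str:
    """Apply one expression to one event: only the captured value changes."""
    def replace(m: re.Match) -> str:
        whole = m.group(0)
        start, end = m.start(1) - m.start(0), m.end(1) - m.start(0)
        return whole[:start] + obfuscate_value(m.group(1), key) + whole[end:]
    return expr.sub(replace, event)


def search(events, needle: str):
    """A plain substring search, as a search over stored events would see it."""
    return [e for e in events if needle in e]


if __name__ == "__main__":
    key = derive_key(b"constructed-profile-key", "constructed-password")
    stored = [obfuscate_event(e, ACCOUNT_EXPR, key) for e in EVENTS]
    print(stored[0])
    # A search for the original account number finds nothing in the stored events.
    print(search(stored, "1234-567-890"))
    # With the key and password, the value can be revealed again.
    token = ACCOUNT_EXPR.search(stored[0]).group(1)
    print(deobfuscate_value(token, key))
```

The capture group is the part of the expression worth testing before enabling it on a live log source type: anything outside the group stays in the event as plain text, so a pattern that captures too little leaves part of the value readable, and one that captures the surrounding field name as well makes the field impossible to locate afterwards.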

Document Location

Worldwide


Document Information

Modified date:
20 July 2022

UID

ibm16603527