Cadet 1st Class

Best mechanism to obfuscate fields at point of collection to a specific mapping table

Hi All,

I am looking for a design pattern to obfuscate certain fields, as close to the point of collection as possible, to a specific value, so ideally at the Connector I would use a mapping table where I could map the username (for example) to another specified value.

I know there is the "Fields to Obfuscate" feature within the Connector, which will produce the MD5 hash of the fields specified; however, we have a requirement to map to a specific set of mappings.

If you are looking for posts that talk about the built-in function, please see:

https://protect724.arcsight.com/message/23344#23344

https://protect724.arcsight.com/message/23343#23343

There is still an outstanding question regarding the MD5 hashing itself:

https://protect724.arcsight.com/message/13232#13232


Any help on this topic gratefully received. I have considered placing a custom Connector in the transmission path to perform this function:

SmartConnector --> Custom Connector performing mapping --> Transmission to Logger (compressed)

but wondered if there is another way?

Many thanks,

Tim

Absent Member.

Hi,

I am having the same issue. I need to replace real user names with a custom mapping to anonymized names. This mapping ensures reversing the process is possible only for people with access to the mapping list.

Did you ever solve this or did you build a custom connector? If yes, did you use a FlexConnector or some home brew perl/sed/whatever script to mangle the data before forwarding to the connector? Additionally, I am not sure how to self-mangle usernames in case of the Windows Unified connector.

Any hints are welcome

Cheers

JP

Micro Focus Expert

I'm thinking that you could use map files to map your custom value into a field, based on the known value of the first field. However,

- This method doesn't destroy or obfuscate the known value in the first field. Perhaps combining the obfuscation function with a map file would solve the problem, but it would depend on which function is performed first; both are at the connector.

- If this method works, then there would be no need for a FlexConnector (Custom Connector)

- I haven't tried this yet, but I wonder if you could use subsequent map files to then replace the value of the first known good field, with a dummy value.

I'm willing to assist in the iterations here if you are interested.


Absent Member.

Hi,

Could use map files as Aaron suggested.

Option 1: for known usernames to be obfuscated

     event.destinationUserName,set.event.destinationUserName
     abcd,xxxx

Option 2: for any usernames to be obfuscated

     regex.event.destinationUserName,set.event.destinationUserName
     .*?,xxxx

Make sure to include conditions to replace usernames in specific events. The above will replace all usernames (dst) from all device logs with xxxx.

Cheers

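One way to produce the Option 1 map file with a distinct random pseudonym per user, so that reversal needs the table as JP asked. This is an added example, not code from any poster or from ArcSight: the function names, the `user-` prefix and the sample usernames are assumptions, and only the header line is taken from the reply above.

```python
import secrets

# Header in the shape shown in the last reply: match column, then the set. column.
HEADER = "event.destinationUserName,set.event.destinationUserName"

def build_pseudonym_map(usernames, existing=None, prefix="user-", rng=secrets.token_hex):
    """Return {real username: pseudonym}. Existing assignments are kept so
    events collected on different days still correlate; new pseudonyms are
    random, so only holders of the table can reverse them."""
    usernames = [u.strip() for u in usernames]
    mapping = dict(existing or {})
    used = set(mapping.values())
    real = set(mapping) | set(usernames)
    for name in usernames:
        if not name or name in mapping:
            continue
        # The thread does not describe quoting rules for map files, so names
        # that would break the comma-separated row are rejected, not escaped.
        if "," in name or "\n" in name or "\r" in name:
            raise ValueError(f"cannot map username safely: {name!r}")
        alias = prefix + rng(4)
        while alias in used or alias in real:  # no duplicate, no alias equal to a real name
            alias = prefix + rng(4)
        used.add(alias)
        mapping[name] = alias
    return mapping

def render_map_file(mapping):
    """Render the table as map-file text, one 'real,pseudonym' row per user."""
    rows = [f"{name},{mapping[name]}" for name in sorted(mapping)]
    return "\n".join([HEADER, *rows]) + "\n"

def reverse_lookup(mapping, alias):
    """De-anonymise a pseudonym; only possible with access to the table."""
    return next((n for n, a in mapping.items() if a == alias), None)

if __name__ == "__main__":
    table = build_pseudonym_map(["abcd", "jdoe", "svc_backup"])  # constructed names
    print(render_map_file(table), end="")
```

The generated table is the reversal key, so it and the rendered map file need the same access restrictions as the real usernames.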