Obfuscate Private Data

The Data Privacy Officer (DPO) role can identify meta keys that contain sensitive data and should display obfuscated data. This topic explains how the administrator maps those meta keys to display a hashed value instead of the actual value.

The following caveats apply to hashed meta values:

  • NetWitness supports two storage methods for hashed meta values, HEX (default) and string.
  • When a meta key is configured to display a hashed value, all security roles see only the hashed value in the Incidents module.
  • You use hashed values the same way you use actual values. For example, when you use a hashed value in rule criteria the results are the same as if you used the actual value.

This topic explains how to obfuscate private data in NetWitness Respond. Refer to the "Data Privacy Management Overview" topic in the Data Privacy Management Guide for additional information about data privacy. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Mapping File to Obfuscate Meta Keys

In NetWitness Respond, the mapping file for data obfuscation is data_privacy_map.js. In it you type an obfuscated meta key name and map it to the actual meta key name.

The following example shows the mappings to obfuscate data for two meta keys, ip.src and user.dst:

'ip.src.hash' : 'ip.src',
'user.dst.hash' : 'user.dst'

You determine the naming convention for obfuscated meta key names. For example, ip.src.hash could be ip.src.private or ip.src.bin. You must choose one naming convention and use it consistently on all hosts.

Prerequisites

  • DPO role must specify which meta keys require data obfuscation.
  • Administrator role must map meta keys for data obfuscation.

Procedure

  1. Open the data privacy mapping file:
    /var/lib/netwitness/respond-server/scripts/data_privacy_map.js
  2. In the obfuscated_attribute_map variable, type the name of a meta key to hold obfuscated data. Then map it to the meta key that does not contain obfuscated data according to this format:
    'ip.src.hash' : 'ip.src'
  3. Repeat step 2 for every meta key that should display a hashed value.
  4. Use the naming convention you chose in step 2 consistently on all hosts.
  5. Save the file.
    All mapped meta keys will display hashed values instead of actual values.
    In the following figure, a hashed value displays for the destination IP address in the Event Details:
    [Figure: Event Details showing a hashed value for the destination IP address]

    New alerts will display obfuscated data.

Note: Existing alerts still display sensitive data. This procedure is not retroactive.
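
The procedure requires one naming convention used consistently on all hosts. The following is an added example, not NetWitness code, of a pre-deployment check over the mapping entries. The function names lintPrivacyMap and diffHosts, the host names, and the sample maps are hypothetical, and the check assumes each obfuscated name is the actual meta key plus a suffix, as in ip.src.hash.

```javascript
// Added example: lint obfuscated-to-actual meta key mappings before deploying them.
// Assumption: each obfuscated name is the actual meta key plus one suffix (e.g. ".hash").

// Return a list of problems found in one host's mapping object.
function lintPrivacyMap(map) {
  const problems = [];
  const suffixes = new Set();
  const seenActual = new Map(); // actual key -> obfuscated name that claimed it first
  for (const [obfuscated, actual] of Object.entries(map)) {
    if (!obfuscated.startsWith(actual + '.') || obfuscated.length === actual.length + 1) {
      problems.push(`${obfuscated}: not of the form '${actual}.<suffix>'`);
    } else {
      suffixes.add(obfuscated.slice(actual.length));
    }
    if (seenActual.has(actual)) {
      problems.push(`${actual}: mapped by both ${seenActual.get(actual)} and ${obfuscated}`);
    } else {
      seenActual.set(actual, obfuscated);
    }
  }
  if (suffixes.size > 1) {
    problems.push(`mixed naming conventions: ${[...suffixes].sort().join(', ')}`);
  }
  return problems;
}

// Compare every host's map with the first host's and report entries that differ.
function diffHosts(mapsByHost) {
  const [[refHost, ref], ...others] = Object.entries(mapsByHost);
  const drift = [];
  for (const [host, map] of others) {
    for (const key of new Set([...Object.keys(ref), ...Object.keys(map)])) {
      if (ref[key] !== map[key]) {
        drift.push(`${host} differs from ${refHost} at '${key}'`);
      }
    }
  }
  return drift;
}

// Constructed sample data; host names are placeholders.
const sampleMaps = {
  'host-a': { 'ip.src.hash': 'ip.src', 'user.dst.hash': 'user.dst' },
  'host-b': { 'ip.src.hash': 'ip.src', 'user.dst.private': 'user.dst' },
};
for (const [host, map] of Object.entries(sampleMaps)) {
  console.log(host, lintPrivacyMap(map));
}
console.log(diffHosts(sampleMaps));
```

A meta key left out of the map on one host, or mapped under a different obfuscated name, shows up as drift against the reference host.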