Managing Data Redaction

Introduction

OverOps enables you to filter out any personal identifiable information (PII) and business sensitive information (such as telephone numbers, credit card numbers, user names. etc.) before it leaves your hosts. As such, you can specify four modes for redacting variable data during runtime:

  • Patterns-based filtering
  • Code Identifiers-based filtering
  • Classes-based filtering
  • Packages-based filtering

What does Redacting Include?

Redacting a class means that the system doesn't record instances of that specific class. Class methods and their variables - and any information that's extracted and travels between variables in either the redacted class or in another class that references the class and their extracted variables - are not included in this definition.

For each category, you can add, modify or remove filters using the Data Redaction filters.

📘

Note

Data Redaction is available to users with Admin or Owner privileges only; members have viewer permissions.

Viewing or Setting Data Redaction Filters

  1. Open Settings by clicking Settings in the top right corner of the OverOps dashboard.
686

This opens the Settings dashboard for the environment you're in (you can see the environment in the upper left corner of the screen).

1051
  1. In the left side menu, click Data Redaction under the "Security" section.
  2. To add or modify filters, proceed to the instructions in the sections according to the relevant filtering method.

Changes you make in the security settings are implemented automatically.

🚧

Important

Changes are applied to all errors and exceptions that OverOps captures from that point on.; however, changes to settings are not applied retroactively.

Patterns-based Filtering

When the Agent on one of the environments recognizes information that matches against sets of predefined regular expression patterns, that information is not collected. The pattern is matched to the value, not name of the variable. The following default patterns are included, but you can also specify your own patterns by following the instructions below:

  • Credit cards
  • Internet addresses
  • Phone numbers
  • Physical addresses
  • ID numbers
    Note that pattern-based filtering is enabled by default.
1605

Stop Filtering Data According to a Specific Pattern

Select the pattern type and with the slider turn off the specific pattern.
Patterns are written as Regular Expressions.

Adding and Removing Patterns

  1. In the Add field, enter the Regular Expression for the pattern and click Add.
    The Add Pattern dialog box opens.
  2. Give the pattern a name and click Save.
    Any expression matching this pattern will not be collected by OverOps.
  3. Repeat this process for any type of pattern (credit card, phone number, etc.).
  4. Alternatively, to import patterns from another environment field, select an environment using the drop down arrow and then click Import.
  5. To remove a pattern, hover over the pattern and click Delete.
    You'll be prompted to confirm the deletion.
    6.To add another type of pattern, click the Other tab and follow the steps above.

Code-based Filtering

👍

Case Sensitivity

Data redaction policies for code identifiers (variable names), classes and packages are case insensitive. This means that all uppercase and lowercase variations of the identifier will be redacted.

In this example, yes, setting a rule for accountname will also redact accountName, AccountName, ACCOUNTNAME, etc.

Code Identifier-based filtering

When an Agent on your server recognizes a variable name that matches a filter from the configured list, that information is not collected. Code identifiers are matched to the names - and not to the value of the variable. OverOps provides a large variety of default identifiers, and you can also add new identifiers as needed.

1596

Adding and Removing Code Identifiers

  1. To add an identifier, enter the code in the code identifier field and click Add. If adding multiple codes, remember to separate using commas without spaces or semi-colons without any space.
  2. To remove a variable from filtering, hover over the variable and click X.
    You'll be prompted to confirm the deletion.

Applying Code Identifiers Redaction Settings to Maps

Maps are a type of variable are comprised of a list of values - a key and a value (name: john doe). From version 4.43 and on, the Data Redaction feature enables you apply code identifiers redaction settings to maps, which allows you to redact map values associated with keys that are match the redacted identifier, e.g., map.put(“ssn”, “123-45-6789") will redact ssn.

When you define an identifier (above), the following values will be redacted:

  • Variables with matching names
  • Map keys with matching names

Classes-based filtering

From the Classes tab, you can add, modify, or remove entire classes from redaction. When the VM Agent recognizes a listed class, it will not send data from that class off the server.

1550

Adding and Removing Classes

  1. To add a class to the filter list, enter the class and click Add. If adding multiple classes, remember to separate using commas without spaces or semi-colons without any space.
  2. To remove a class, hover over the class and click X.
    You'll be prompted to confirm the deletion.

Packages-based filtering

From the Packages tab, you can add, modify, or delete entire packages of classes to redact. When the VM Agent recognizes a listed packages, it does not send data from that class off the server.

1559

Adding and Removing Packages

  1. To add a package to the filter list, enter the package and click Add. If adding multiple packages, remember to separate using commas without spaces or semi-colons without any space.
  2. To remove a package, hover over the class and click X.
    You'll be prompted to confirm the deletion.

Events with Data Redaction Displayed in OverOps

When the VM Agent recognizes information included in the Data Redaction settings, it does not record that data from the server. Events and exceptions that contain filtered PII, the sensitive data is presented in the Dashboard with an asterisk.

The examples below demonstrate how filtered data is displayed in each View:

  • Code View: Patterns, code identifiers, and classes are applied
  • Log View: Only patterns are applied
  • Env View: Only code identifiers are applied

Here's an example of the redacted data:

3344