Redacting Data from Reports

Updated 3 weeks ago by Shimon Modi

This article explains how to use the Redaction feature to delete terms before a report is submitted to a TruSTAR enclave.

TruSTAR offers the ability to redact, or remove, information from a report before it is processed and saved in an enclave. The redaction technology is powered by a redaction algorithm that features:

  • Categorical redaction
  • Wildcard matching
  • Optimization for large datasets

You can use redaction on an ad-hoc basis when reviewing a report submission or you can create a list of terms to be used for all report submissions. The rest of this article explains how to create and manage the list of terms, known as a Redaction Map.

You must be an Administrator to edit the Redaction Map.

How It Works

TruSTAR’s Redaction feature operates on two inputs:

  • A TruSTAR Report
  • A map of redaction descriptors known as the Redaction Map

When a report is submitted, TruSTAR uses the Redaction Map to delete the terms you have specified for removal. The Redaction algorithm programatically strips the terms from every part of the report, including the metadata.

You can add or delete terms to redact whenever you want.

TruSTAR Incident Report

Technically, an incident report is a map-like data structure that contains both metadata about the report and the report contents. For example, here is a simplified version of what an incident report looks like in TruSTAR Station.

Map {
metadata: Map {
title: "Network Intrusion Detected",
region: "North America"
},
content: "Network intrusion was detected at our branch in..."
}

Redaction Map

The redaction map stores all the terms you want to delete from new reports. A simple redaction map might look like this:

Map {
company-name: List [
"Superb Security Corp",
"Superb Subsidiary"
],
ip-address: List [
"8.8.8.8"
],
email-address: List [
"*@superb-security.co"
]
}

This sample Redaction Map defines a number of things to redact from reports:

  • Company name "Superb Security Corp" and the name of the subsidiary "Superb Subsidiar"
  • An IP address that should be kept private ("8.8.8.8")
  • Every email address that ends in "@superb-security.co"

Editing the Redaction Map

The Redaction setting is where you can add or remove terms for the Redaction Map.

  1. Click the User Settings icon on the left-side menu in TruSTAR Station, then click Settings on the menu. This displays the settings available to you.
  2. Click Redaction to display the types of terms you can edit.
  3. To add a term, select the type of term you want to add, then type the term into the text box on the right side.
  4. To delete a term, click the X next to it in the list.

All changes are saved immediately in the Redaction Map.

Importing Terms

TruSTAR provides an easy way to add a list of terms to the Redaction Map, by importing a file in either JSON or .csv format.

  1. Click the User Settings icon on the left-side menu in TruSTAR Station, then click Settings on the menu. This displays the settings available to you.
  2. Click Bulk Import above the terms list. This displays the a dialog box.
  3. Check that the file you want to import meets the formats shown at the top of the dialog box.
  4. Drag and drop the file you want to import to the dialog box.
If there are issues with the information or format, such as duplicate terms or a misspelled type of information, TruSTAR displays the error messages after importing the file.

Exporting Terms

You can export the list of terms used for redaction, which may make it easier to review long, complex lists of terms.

  1. Click the User Settings icon on the left-side menu in TruSTAR Station, then click Settings on the menu. This displays the settings available to you.
  2. Click Redaction to display the types of terms you can edit.
  3. Click Export Library and choose the file format (JSON or .csv) that you want to use.

The file is immediately downloaded to your local workstation.


How Did We Do?