Answer
An overlapping IP address is an IP address that is assigned to more than one device or logical unit, such as an event source type, on a network. If the same IP address is assigned to more than one event source, you can create domains to distinguish them.
Events that do not explicitly match the criteria of a defined domain are assigned to the default domain.
Domain-specific rules
If a rule has a domain test, you can restrict that rule so that it is applied only to events that are happening within a specified domain. An event that has a domain tag that is different from the domain that is set on the rule does not trigger an event response.
To create a rule that tests conditions on things that are happening across the entire system, set the domain condition to Any Domain.
Example 1: Assign log sources that have the same IP address to a domain
A company acquires other companies. Two of the acquisitions might have similar network structures. For example, both companies might use the same IP address for one of their log sources. To distinguish the origin of the events that come from one of these log sources, you can create two domains and assign each log source to a different domain. If required, you can also assign each Event Collector to the same domain as the log source that sends events to it.
To assign log sources, log source groups, or Event Collectors to domains and then view incoming events by domain, follow these steps:
- On the Admin tab, open Domain Management.
- Click Add.
- Create the domain and assign the event source to it.
- On the Log Activity tab, create a search and, in the Column Definition section, add Domain from the Available Columns list.
Example 2: Assign a custom property to a domain
You assign a custom property to a domain based on the capture result. You can assign the same custom property to multiple domains; however, the capture results must be different. A custom event property, such as userID, might evaluate to a user or a list of users. A user can belong to only one domain.
To assign a custom property to a domain, follow these steps:
- On the Admin tab, in the Custom Event Properties window, ensure that the Optimize parsing for rules, reports, and searches check box is selected.
- On the Admin tab, open Domain Management.
- Click Add.
- In the Capture Result box, enter the text that matches the result of the regular expression (regex) filter.
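As an added illustration (this is not QRadar code and does not use the QRadar API), the following Python model shows how domain tagging resolves both examples above: two log sources that share an IP address but sit behind different Event Collectors, and a custom property whose capture results are split across domains. Events that match no domain fall through to the default domain, and a rule's domain test (including Any Domain) decides which tagged events the rule sees. The precedence order, the (collector, IP) key used to identify a log source, and every name and address below are assumptions of the model, not values from the documentation.

```python
"""Toy model of domain tagging for overlapping IP addresses.

Illustrative only: not QRadar code, not the QRadar API. Names, addresses
and the matching precedence are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

DEFAULT_DOMAIN = "Default Domain"
ANY_DOMAIN = "Any Domain"  # rule condition meaning "do not restrict by domain"


@dataclass
class Domain:
    name: str
    # A log source is keyed by (event collector, IP) in this model, so two
    # sources that share an IP behind different collectors stay distinct.
    log_sources: Set[Tuple[str, str]] = field(default_factory=set)
    collectors: Set[str] = field(default_factory=set)
    # custom property name -> capture results assigned to this domain
    capture_results: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class Event:
    source_ip: str
    collector: str
    custom_props: Dict[str, str] = field(default_factory=dict)
    domain: str = DEFAULT_DOMAIN


def validate_capture_results(domains: List[Domain]) -> None:
    """The same custom property may be assigned to several domains only if
    the capture results differ; a value owned by two domains is an error."""
    owner: Dict[Tuple[str, str], str] = {}
    for d in domains:
        for prop, values in d.capture_results.items():
            for v in values:
                first = owner.setdefault((prop, v), d.name)
                if first != d.name:
                    raise ValueError(
                        f"{prop}={v!r} is assigned to both {first} and {d.name}")


def assign_domain(event: Event, domains: List[Domain]) -> str:
    """Tag the event with the first domain whose criteria it matches.
    Precedence (assumed for this model): log source, then event collector,
    then custom property capture result. No match -> default domain."""
    key = (event.collector, event.source_ip)
    for d in domains:
        if key in d.log_sources:
            event.domain = d.name
            return d.name
    for d in domains:
        if event.collector in d.collectors:
            event.domain = d.name
            return d.name
    for d in domains:
        for prop, values in d.capture_results.items():
            if event.custom_props.get(prop) in values:
                event.domain = d.name
                return d.name
    event.domain = DEFAULT_DOMAIN
    return DEFAULT_DOMAIN


@dataclass
class Rule:
    name: str
    domain: str = ANY_DOMAIN  # a domain test; Any Domain sees everything

    def applies_to(self, event: Event) -> bool:
        return self.domain == ANY_DOMAIN or self.domain == event.domain


def demo() -> Tuple[List[str], Dict[str, int]]:
    # Two acquired companies reuse 10.0.0.5 for a log source (constructed).
    acme = Domain("Acme", log_sources={("collector-acme", "10.0.0.5")},
                  capture_results={"userID": {"alice"}})
    globex = Domain("Globex", log_sources={("collector-globex", "10.0.0.5")},
                    capture_results={"userID": {"bob"}})
    domains = [acme, globex]
    validate_capture_results(domains)
    events = [
        Event("10.0.0.5", "collector-acme"),                       # Acme
        Event("10.0.0.5", "collector-globex"),                     # Globex
        Event("192.0.2.9", "collector-other", {"userID": "bob"}),  # Globex via capture result
        Event("192.0.2.10", "collector-other"),                    # default domain
    ]
    tags = [assign_domain(e, domains) for e in events]
    rules = [Rule("Acme-only failed logins", "Acme"), Rule("Global failed logins")]
    seen = {r.name: sum(r.applies_to(e) for e in events) for r in rules}
    return tags, seen


if __name__ == "__main__":
    print(demo())
```

The same source IP is tagged Acme or Globex purely by which collector received the event, the userID capture result pulls an unrelated event into Globex, and the event that matches nothing lands in the default domain, where only the Any Domain rule sees it.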
Source link:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.2.4/com.ibm.qradar.doc_7.2.4/c_qlm_ug_domain.html