Domain definition and tagging

Domains are defined based on IBM QRadar input sources. When events and flows come into QRadar, the domain definitions are evaluated and the events and flows are tagged with the domain information.

Specifying domains for events

The following diagram shows the precedence order for evaluating domain criteria for events.

Figure 1. Precedence order for evaluating domain criteria for events (diagram not reproduced)
Important: Events generated by the custom rule engine (CRE) are not assigned a domain based on custom event properties because they are not parsed as events from external log sources.
These are the ways to specify domains for events:
Custom properties
You can apply custom properties to the log messages that come from a log source.
Important: When you create your custom event property, ensure that the Enable for use in Rules, Forwarding Profiles and Search Indexing check box is selected.

To determine which domain that specific log messages belong to, the value of the custom property is looked up against a mapping that is defined in the Domain Management editor.

This option is used for multi-address-range or multi-tenant log sources, such as file servers and document repositories.

Disconnected Log Collector
You can use a Disconnected Log Collector (DLC) for domain mapping. DLCs append their universally unique identifiers (UUIDs) to the Log Source Identifier value of the events they collect. Appending the UUID to the Log Source Identifier value ensures that the Log Source Identifier is unique.
Log sources
You can configure specific log sources to belong to a domain.

This method of tagging domains is an option for deployments in which an Event Collector can receive events from multiple domains.

Log source groups
You can assign log source groups to a specific domain. This option allows broader control over the log source configuration.

Any new log sources that are added to the log source group automatically get the domain tagging that is associated with the log source group.

Event collectors
If an event collector is dedicated to a specific network segment, IP address range, tenant, geographic location, or business unit, you can flag that entire event collector as part of that domain.

All events that arrive at that event collector belong to the domain that the event collector is assigned to, unless the log source for the event belongs to another domain based on other tagging methods higher in precedence, such as a custom property.

Important:

If a log source is redirected from one event collector to another in a different domain, you must add a domain mapping to the log source to ensure that events from that log source are still assigned to the right domain.

Unless the log source is mapped to the right domain, nonadmin users with domain restrictions might not see offenses that are associated with the log source.

Specifying domains for flows

The following diagram shows the precedence order for evaluating domain criteria for flows.

Figure 2. Precedence order for evaluating domain criteria for flows (diagram not reproduced)
These are the ways to specify domains for flows:
Flow collectors
You can assign specific QFlow collectors to a domain.

All flow sources that arrive at that flow collector belong to the domain; therefore, any new auto-detected flow sources are automatically added to the domain.

Flow sources
You can designate specific flow sources to a domain.

This option is useful when a single QFlow collector is collecting flows from multiple network segments or routers that contain overlapping IP address ranges.

Flow VLAN ID
You can designate specific VLANs to a domain.

This option is useful when you collect traffic from multiple network segments, often with overlapping IP ranges. This VLAN definition is based on the Enterprise and Customer VLAN IDs.

The following information elements are sent from QFlow when flows that contain VLAN information are analyzed. These two fields can be assigned in a domain definition:
  • PEN 2 (IBM), element ID 82: Enterprise VLAN ID
  • PEN 2 (IBM), element ID 83: Customer VLAN ID

Specifying domains for scan results

Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6, and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).

You can also assign vulnerability scanners to a specific domain so that scan results are flagged as belonging to that domain. A domain definition can combine any of the QRadar input sources (events, flows, and scan results).

For more information about assigning your network to preconfigured domains, see Network hierarchy.

Precedence order for evaluating domain criteria

When events and flows come into the QRadar system, the domain criteria are evaluated from the most specific definition to the least specific one.

If the domain definition is based on an event, the incoming event is first checked against any custom properties that are mapped to the domain definition. If the regular expression that is defined in a custom property extracts a value, that value decides the outcome: if the value has no domain mapping, the event is assigned to the default domain and the remaining criteria are not evaluated.

If no custom property that is mapped to a domain matches the event, the following order of precedence is applied:

  1. DLC
  2. Log source
  3. Log source group
  4. Event Collector
If the domain is defined based on a flow, the following order of precedence is applied:
  1. Flow source
  2. Flow Collector
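The precedence described above, together with the custom property lookup, the DLC UUID that is appended to the Log Source Identifier, and the case of a log source that is redirected to an event collector in another domain, as a worked model. This is an added example, not QRadar code: it reproduces the evaluation order this page documents so that a tenant-isolation design can be checked before it is deployed. The domain names, UUID, log source names and payloads are constructed; the separator between the Log Source Identifier and the appended DLC UUID is not stated on this page, so any UUID at the end of the identifier is accepted.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Pattern

DEFAULT_DOMAIN = "Default Domain"  # QRadar's built-in default domain (display name assumed)

# A DLC appends its UUID to the Log Source Identifier. The separator is not
# documented on this page, so any UUID at the end of the string is accepted.
UUID_AT_END = re.compile(
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)


@dataclass
class CustomPropertyRule:
    """A custom event property (regex with one capture group) plus the
    value-to-domain mapping that is defined in the Domain Management editor."""
    regex: Pattern
    value_to_domain: Dict[str, str]


@dataclass
class DomainConfig:
    """Constructed domain definition; every dict maps an input source to a domain."""
    custom_properties: List[CustomPropertyRule] = field(default_factory=list)
    dlc_uuids: Dict[str, str] = field(default_factory=dict)
    log_sources: Dict[str, str] = field(default_factory=dict)
    log_source_groups: Dict[str, str] = field(default_factory=dict)
    event_collectors: Dict[str, str] = field(default_factory=dict)
    flow_sources: Dict[str, str] = field(default_factory=dict)
    flow_collectors: Dict[str, str] = field(default_factory=dict)


@dataclass
class Event:
    payload: str
    log_source_identifier: str
    log_source: str
    event_collector: str
    log_source_group: Optional[str] = None


def domain_for_event(ev: Event, cfg: DomainConfig) -> str:
    """Tag an event with a domain in the precedence order this page documents."""
    # 1. Custom properties. When the regex extracts a value, that value decides:
    #    an unmapped value goes to the default domain and nothing below is tried.
    for rule in cfg.custom_properties:
        m = rule.regex.search(ev.payload)
        if m:
            return rule.value_to_domain.get(m.group(1), DEFAULT_DOMAIN)
    # 2. Disconnected Log Collector, identified by the UUID it appended.
    m = UUID_AT_END.search(ev.log_source_identifier)
    if m and m.group(1).lower() in cfg.dlc_uuids:
        return cfg.dlc_uuids[m.group(1).lower()]
    # 3. Log source, 4. log source group, 5. event collector.
    if ev.log_source in cfg.log_sources:
        return cfg.log_sources[ev.log_source]
    if ev.log_source_group in cfg.log_source_groups:
        return cfg.log_source_groups[ev.log_source_group]
    if ev.event_collector in cfg.event_collectors:
        return cfg.event_collectors[ev.event_collector]
    return DEFAULT_DOMAIN


def domain_for_flow(flow_source: str, flow_collector: str, cfg: DomainConfig) -> str:
    """Flows: the flow source is checked before the flow collector."""
    if flow_source in cfg.flow_sources:
        return cfg.flow_sources[flow_source]
    if flow_collector in cfg.flow_collectors:
        return cfg.flow_collectors[flow_collector]
    return DEFAULT_DOMAIN


# Constructed configuration and sample events, not data from a real deployment.
CONFIG = DomainConfig(
    custom_properties=[CustomPropertyRule(
        regex=re.compile(r"\btenant=(\w+)"),
        value_to_domain={"acme": "ACME", "globex": "Globex"})],
    dlc_uuids={"5c2f1e0a-3d4b-4f6e-9a8b-7c6d5e4f3a2b": "ACME"},
    log_sources={"fw-acme-01": "ACME"},
    log_source_groups={"Globex file servers": "Globex"},
    event_collectors={"ec-east": "ACME", "ec-west": "Globex"},
    flow_sources={"core-router-globex": "Globex"},
    flow_collectors={"qflow-east": "ACME"},
)

SAMPLE_EVENTS = {
    # Custom property wins over the collector the event arrived at.
    "cp_match": Event("login ok tenant=globex src=10.1.2.3", "fs01.example.net", "fs01", "ec-east"),
    # Regex matched but the value is unmapped: default domain, no fallthrough.
    "cp_unmapped": Event("login ok tenant=initech src=10.1.2.3", "fs01.example.net", "fs01", "ec-east"),
    # No custom property; the DLC UUID on the Log Source Identifier decides.
    "dlc": Event("interface up", "sw01.example.net/5c2f1e0a-3d4b-4f6e-9a8b-7c6d5e4f3a2b", "sw01", "ec-west"),
    # Log source redirected to a collector in another domain, but mapped itself.
    "redirected_mapped": Event("deny tcp", "fw-acme-01", "fw-acme-01", "ec-west"),
    # Redirected and not mapped: the event follows the new collector's domain.
    "redirected_unmapped": Event("deny tcp", "fw-acme-02", "fw-acme-02", "ec-west"),
    # Only the log source group is mapped; it outranks the collector.
    "group": Event("file read", "docs.example.net", "docs01", "ec-east", "Globex file servers"),
}


def tag_samples() -> Dict[str, str]:
    return {name: domain_for_event(ev, CONFIG) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, dom in tag_samples().items():
        print(f"{name:20s} -> {dom}")
    print("flow ->", domain_for_flow("core-router-globex", "qflow-east", CONFIG))
```

The `redirected_unmapped` case is the one the Important note above warns about: `fw-acme-02` used to be an ACME log source, but after its redirection to `ec-west` its events are tagged Globex, so ACME users with domain restrictions no longer see its offenses. The `cp_unmapped` case shows the other trap: a regex that matches but extracts a value with no mapping sends the event to the default domain rather than falling back to the log source or collector mapping.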

If a scanner has an associated domain, all assets that are discovered by the scanner are automatically assigned to the same domain as the scanner.

Forwarding data to another QRadar system

Domain information is removed when data is forwarded to another QRadar system. Events and flows that contain domain information are automatically assigned to the default domain on the receiving QRadar system. To identify which events and flows are assigned to the default domain, you can create a custom search on the receiving system. You might want to reassign these events and flows to a user-defined domain.