Domains and Log Sources in Multitenant Environments
Use domains to separate overlapping IP addresses, and to assign sources of data, such as events and flows, into tenant-specific data sets.
When events or flows come into JSA, JSA evaluates the domain definitions that are configured, and the events and flows are assigned to a domain. A tenant can have more than one domain. If no domains are configured, the events and flows are assigned to the default domain.
Domains are virtual buckets that you use to segregate data based on the source of the data. They are the building blocks for multitenant environments. You configure domains from the following input sources:
Event and flow processors
Log sources and log source groups
A multitenant deployment might consist of a basic hardware configuration that includes one JSA Console, one centralized event processor, and then one event collector for each customer. In this configuration, you define domains at the collector level, which then automatically assigns the data that is received by JSA to a domain.
To consolidate the hardware configuration even further, you can use one collector for multiple customers. If log or flow sources are aggregated by the same collector but belong to different tenants, you can assign the sources to different domains. When you use domain definitions at the log source level, each log source name must be unique across the entire JSA deployment.
If you need to separate data from a single log source and assign it to different domains, you can configure domains from custom properties. JSA looks for the custom property in the payload, and assigns it to the correct domain. For example, if you configured JSA to integrate with a Check Point Provider-1 device, you can use custom properties to assign the data from that log source to different domains.
Automatic Log Source Detection
When domains are defined at the collector level and the dedicated
event collector is assigned to a single domain, new log sources that
are automatically detected are assigned to that domain. For example,
all log sources that are detected on
Event_Collector_1 are assigned to
Domain_A. All log sources
that are automatically collected on
Event_Collector_2 are assigned to
When domains are defined at the log source or custom property level, log sources that are automatically detected and are not already assigned to a domain are automatically assigned to the default domain. The MSSP administrator must review the log sources in the default domain and allocate them to the correct client domains. In a multitenant environment, assigning log sources to a specific domain prevents data leakage and enforces data separation across domains.