Example: Domain Privilege Assignments Based on Custom Properties
If your log files contain information that you want to use in a domain definition, you can expose the information as a custom event property.
You assign a custom property to a domain based on the capture result. You can assign the same custom property to multiple domains, but the capture results must be different.
For example, a custom event property, such as userID, might evaluate to a single user or a list of users. Each user can belong to only one domain.
In the following diagram, the log sources contain user identification information that is exposed as a custom property, userID. The event collector returns two user files, and each user is assigned to only one domain. In this case, one user is assigned to Domain: 9 and the other user is assigned to Domain: 12.
If the capture results return a user that is not assigned to a specific user-defined domain, that user is automatically assigned to the default domain. Default domain assignments require manual intervention. Perform periodic searches to ensure that all entities in the default domain are correctly assigned.
Before you use a custom property in a domain definition, ensure that Optimize parsing for rules, reports, and searches is checked on the Custom Event Properties window. This option ensures that the custom event property is parsed and stored when JSA receives the event for the first time. Domain segmentation doesn't occur if this option is not checked.
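The assignment rules described above, modelled as an added Python example (not JSA code and not part of the original page). The user=... log format, the user names, and the function names are constructed assumptions; only userID, Domain: 9, Domain: 12, and the default domain come from the page.

```python
import re
from collections import Counter

DEFAULT_DOMAIN = "Default Domain"

# Constructed mapping: userID capture results claimed by each domain.
DOMAIN_CAPTURES = {"Domain: 9": {"alice"}, "Domain: 12": {"bob"}}

# Assumed regex for the userID custom property (constructed log format).
USERID_RE = re.compile(r"\buser=(\w+)")

# Constructed sample events.
SAMPLE_EVENTS = [
    "Jan 10 10:00:01 host1 app: login ok user=alice src=10.0.0.5",
    "Jan 10 10:00:07 host2 app: login ok user=bob src=10.0.0.9",
    "Jan 10 10:01:12 host2 app: login failed user=carol src=10.0.0.7",
    "Jan 10 10:02:30 host1 app: heartbeat",
]


def build_lookup(domain_captures):
    """Invert the mapping; reject a capture result claimed by two domains."""
    lookup = {}
    for domain, values in domain_captures.items():
        for value in values:
            if value in lookup:
                raise ValueError(
                    f"{value!r} is claimed by {lookup[value]!r} and {domain!r}")
            lookup[value] = domain
    return lookup


def assign_domains(events, lookup):
    """Return (userID or None, domain) per event; unmatched -> default domain."""
    results = []
    for event in events:
        match = USERID_RE.search(event)
        user = match.group(1) if match else None
        # Assumption of this model: no captured userID also means default domain.
        results.append((user, lookup.get(user, DEFAULT_DOMAIN)))
    return results


def default_domain_review(results):
    """Count default-domain events per userID for the periodic review."""
    return dict(Counter(u for u, d in results if d == DEFAULT_DOMAIN))
```

The output of default_domain_review is the list to work through during the periodic search: each key is a capture result that still needs a domain definition, or None where no userID was parsed at all.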