Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Domain Definition and Tagging

Domains are defined based on JSA input sources. When events and flows come into JSA, the domain definitions are evaluated and the events and flows are tagged with the domain information.

Specifying Domains for Events

The following diagram shows the precedence order for evaluating domain criteria for events.

Figure 1: Precedence Order for EventsPrecedence Order for Events

These are the ways to specify domains for events:

  • Event collectors--If an event collector is dedicated to a specific network segment or IP address range, you can flag that entire event collector as part of that domain.

    All log sources that arrive at that event collector belong to the domain; therefore, any new auto-detected log sources are automatically added to the domain.

    Note:

    If an event source is redirected from one event collector to another in a different domain, you must update its log source in one of the following ways:

    • Edit the log source to update the event collector information.

    • Delete the log source and deploy the full configuration so that the event source is auto-detected on the new event collector.

    Unless the log source is updated, non-admin users with domain restrictions might not see offenses that are associated with the log source.

  • Event collectors and data gateways –– If an event collector or data gateway is dedicated to a specific network segment or IP address range, you can flag that entire event collector or data gateway as part of that domain.

    All log sources that arrive at that event collector or data gateway belong to the domain; therefore, any new autodetected log sources are automatically added to the domain.

    Note:

    If an event source is redirected from one event collector or data gateway to another in a different domain, you must update its log source in one of the following ways:

    • Edit the log source to update the event collector or data gateway information.

    • Delete the log source and deploy the full configuration so that the event source is auto-detected on the new event collector or data gateway.

    Unless the log source is updated, non-admin users with domain restrictions might not see offenses that are associated with the log source.

  • Log sources--You can configure specific log sources to belong to a domain.

    This method of tagging domains is an option for deployments in which an Event Collector can receive events from multiple domains.

    This method of tagging domains is an option for deployments in which an event collector or data gateway can receive events from multiple domains.

  • Log source groups--You can assign log source groups to a specific domain. This option allows broader control over the log source configuration.

    Any new log sources that are added to the log source group automatically get the domain tagging that is associated with the log source group.

  • Custom properties--You can apply custom properties to the log messages that come from a log source.

    To determine which domain that specific log messages belong to, the value of the custom property is looked up against a mapping that is defined in the Domain Management editor.

    This option is used for multi-address-range or multi-tenant log sources, such as file servers and document repositories.

Specifying Domains for Flows

The following diagram shows the precedence order for evaluating domain criteria for flows.

Figure 2: Precedence Order for FlowsPrecedence Order for Flows

These are the ways to specify domains for flows:

  • Flow processors-- You can assign specific Flow processors to a domain.

    All flow sources that arrive at that flow processor belong to the domain; therefore, any new auto-detected flow sources are automatically added to the domain.

  • Flow processors and data gateways-- You can assign specific data gateways to a domain.

    All flow sources that arrive at that flow processor or data gateway belong to the domain; therefore, any new autodetected flow sources are automatically added to the domain.

  • Flow sources-- You can designate specific flow sources to a domain.

    This option is useful when a single Flow processor is collecting flows from multiple network segments or routers that contain overlapping IP address ranges.

    This option is useful when a single flow processor or data gateway is collecting flows from multiple network segments or routers that contain overlapping IP address ranges.

  • Flow VLAN ID —You can designate specific VLANs to a domain.

    This option is useful when you collect traffic from multiple network segments, often with overlapping IP ranges. This VLAN definition is based on the Enterprise and Customer VLAN IDs.

    The following information elements are sent from Flow Processor when flows that contain VLAN information are analyzed.

Specifying Domains for Scan Results

You can also assign vulnerability scanners to a specific domain so that scan results are properly flagged as belonging to that domain. A domain definition can consist of all JSA input sources.

For information about assigning your network to preconfigured domains, see Network Hierarchy.

Precedence Order for Evaluating Domain Criteria

When events and flows come into the JSA system, the domain criteria is evaluated based on the granularity of the domain definition.

If the domain definition is based on an event, the incoming event is first checked for any custom properties that are mapped to the domain definition. If the result of a regular expression that is defined in a custom property does not match a domain mapping, the event is automatically assigned to the default domain.

If the event does not match the domain definition for custom properties, the following order of precedence is applied:

  1. Log source

  2. Log source group

  3. Event Collector

  4. Event collector or data gateway

If the domain is defined based on a flow, the following order of precedence is applied:

  1. Flow source

  2. Flow Processor or data gateway

If a scanner has an associated domain, all assets that are discovered by the scanner are automatically assigned to the same domain as the scanner.

Forwarding Data to Another JSA System

Domain information is removed when data is forwarded to another JSA system. Events and flows that contain domain information are automatically assigned to the default domain on the receiving JSA system. To identify which events and flows are assigned to the default domain, you can create a custom search on the receiving system. You might want to reassign these events and flows to a user-defined domain.