Domain Definition and Tagging
Domains are defined based on JSA input sources. When events and flows come into JSA, the domain definitions are evaluated and the events and flows are tagged with the domain information.
Specifying Domains for Events
The following diagram shows the precedence order for evaluating domain criteria for events.
These are the ways to specify domains for events:
- Custom properties--You can apply custom properties to the log messages that come from a log source.
To determine which domain specific log messages belong to, the value of the custom property is looked up against a mapping that is defined in the Domain Management editor.
This option is used for multi-address-range or multi-tenant log sources, such as file servers and document repositories, where a single log source carries messages that belong to more than one domain.
- Disconnected Log Collector--You can use a Disconnected Log Collector (DLC) for domain mapping. DLCs append their universally unique identifiers (UUIDs) to the Log Source Identifier value of the events they collect. Appending the UUID ensures that the Log Source Identifier is unique, which matters when different DLCs collect from networks with overlapping IP address ranges.
- Log sources--You can configure specific log sources to belong to a domain.
This method of tagging domains is an option for deployments in which an Event Collector receives events from multiple domains.
- Log source groups--You can assign log source groups to a specific domain. This option allows broader control over the log source configuration.
Any new log sources that are added to the log source group automatically get the domain tagging that is associated with the log source group.
- Event collectors--If an event collector is dedicated to a specific network segment or IP address range, you can flag that entire event collector as part of that domain.
All log sources that arrive at that event collector belong to the domain; therefore, any new auto-detected log sources are automatically added to the domain.
Note: If an event source is redirected from one event collector to another in a different domain, you must update its log source in one of the following ways:
- Edit the log source to update the event collector information.
- Delete the log source and deploy the full configuration so that the event source is auto-detected on the new event collector.
Unless the log source is updated, it stays associated with the original event collector's domain, and non-admin users with domain restrictions might not see offenses that are associated with the log source.
Specifying Domains for Flows
The following diagram shows the precedence order for evaluating domain criteria for flows.
These are the ways to specify domains for flows:
- Flow processors and data gateways--You can assign specific Flow processors or data gateways to a domain.
All flow sources that arrive at that Flow processor or data gateway belong to the domain; therefore, any new auto-detected flow sources are automatically added to the domain.
- Flow sources--You can assign specific flow sources to a domain.
This option is useful when a single Flow processor or data gateway is collecting flows from multiple network segments or routers that contain overlapping IP address ranges.
- Flow VLAN ID--You can assign specific VLANs to a domain.
This option is useful when you collect traffic from multiple network segments, often with overlapping IP ranges. The VLAN definition is based on the Enterprise and Customer VLAN IDs.
The following information elements are sent from the Flow Processor when flows that contain VLAN information are analyzed.
Specifying Domains for Scan Results
You can also assign vulnerability scanners to a specific domain so that scan results are properly flagged as belonging to that domain. A domain definition can combine any of the JSA input sources described above.
For information about assigning your network to preconfigured domains, see Network Hierarchy.
Precedence Order for Evaluating Domain Criteria
When events and flows come into the JSA system, the domain criteria are evaluated from the most specific definition to the least specific.
If the domain definition is based on an event, the incoming event is first checked for any custom properties that are mapped to the domain definition. If a mapped custom property is extracted from the event (its regular expression matches) but the extracted value has no entry in the domain mapping, the event is automatically assigned to the default domain rather than falling through to the criteria below.
If no mapped custom property is extracted from the event, the following order of precedence is applied:
- DLC
- Log source
- Log source group
- Event Collector or data gateway
If the domain is defined based on a flow, the following order of precedence is applied:
- Flow source
- Flow Processor or data gateway
An event or flow that matches none of the configured criteria is assigned to the default domain.
If a scanner has an associated domain, all assets that are discovered by the scanner are automatically assigned to the same domain as the scanner.
Forwarding Data to Another JSA System
Domain information is removed when data is forwarded to another JSA system. Events and flows that contain domain information are automatically assigned to the default domain on the receiving JSA system. To identify which events and flows are assigned to the default domain, you can create a custom search on the receiving system. You might want to reassign these events and flows to a user-defined domain.
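As an added example that is not part of this page or of JSA, the following Python model applies the precedence order from the section above to constructed events and flows, and includes the kind of default-domain check a receiving system would run over forwarded data. The class and function names (DomainConfig, Event, Flow, tag_event, tag_flow, in_default_domain), the sample configuration and sample events, and the way a DLC UUID is joined to the Log Source Identifier are all assumptions made for this example.

```python
# Illustrative model of the domain-tagging precedence described on this page.
# Not JSA code: the types, function names, sample data and the identifier/UUID
# join format are assumptions made for this example.
from __future__ import annotations

import re
from dataclasses import dataclass, field

DEFAULT_DOMAIN = "Default Domain"


@dataclass
class DomainConfig:
    """Domain criteria, grouped the way the Domain Management editor groups them."""
    # custom property name -> (regex with one capture group, {captured value -> domain})
    custom_properties: dict[str, tuple[str, dict[str, str]]] = field(default_factory=dict)
    dlc_uuids: dict[str, str] = field(default_factory=dict)          # DLC UUID -> domain
    log_sources: dict[str, str] = field(default_factory=dict)        # Log Source Identifier -> domain
    log_source_groups: dict[str, str] = field(default_factory=dict)  # group name -> domain
    collectors: dict[str, str] = field(default_factory=dict)         # Event Collector / data gateway -> domain
    flow_sources: dict[str, str] = field(default_factory=dict)       # flow source name -> domain
    flow_processors: dict[str, str] = field(default_factory=dict)    # Flow Processor / data gateway -> domain


@dataclass
class Event:
    payload: str
    log_source_identifier: str      # a DLC appends its UUID to this value
    event_collector: str
    log_source_group: str | None = None


@dataclass
class Flow:
    flow_source: str
    flow_processor: str


def tag_event(cfg: DomainConfig, ev: Event) -> str:
    """Return the domain an event is tagged with, in the page's precedence order."""
    # 1. Custom properties first. A value that is extracted but has no mapping
    #    sends the event to the default domain; a regex that does not match at
    #    all falls through to the next criterion.
    for pattern, value_map in cfg.custom_properties.values():
        m = re.search(pattern, ev.payload)
        if m:
            return value_map.get(m.group(1), DEFAULT_DOMAIN)
    # 2. Disconnected Log Collector: match on the UUID appended to the identifier
    #    (the exact join format is an assumption of this example).
    for uuid, domain in cfg.dlc_uuids.items():
        if ev.log_source_identifier.endswith(uuid):
            return domain
    # 3. Log source, 4. log source group, 5. Event Collector or data gateway.
    if ev.log_source_identifier in cfg.log_sources:
        return cfg.log_sources[ev.log_source_identifier]
    if ev.log_source_group in cfg.log_source_groups:
        return cfg.log_source_groups[ev.log_source_group]
    return cfg.collectors.get(ev.event_collector, DEFAULT_DOMAIN)


def tag_flow(cfg: DomainConfig, fl: Flow) -> str:
    """Flows: flow source first, then Flow Processor or data gateway."""
    if fl.flow_source in cfg.flow_sources:
        return cfg.flow_sources[fl.flow_source]
    return cfg.flow_processors.get(fl.flow_processor, DEFAULT_DOMAIN)


def in_default_domain(cfg: DomainConfig, events) -> list[Event]:
    """The check a receiving system runs after forwarding: which events landed
    in the default domain and may need reassigning to a user-defined domain."""
    return [ev for ev in events if tag_event(cfg, ev) == DEFAULT_DOMAIN]


# Constructed sample configuration and events (not real data).
CFG = DomainConfig(
    custom_properties={"TenantID": (r"tenant=(\w+)", {"acme": "Acme"})},
    dlc_uuids={"0f3c7a2e-dlc-example": "Branch"},
    log_sources={"10.0.0.5": "Corp", "10.0.0.5-0f3c7a2e-dlc-example": "Corp"},
    log_source_groups={"DMZ servers": "DMZ"},
    collectors={"ec-east": "East"},
    flow_sources={"router-core": "Corp"},
    flow_processors={"fp-east": "East"},
)

SAMPLES = {
    "custom_property_mapped": Event("tenant=acme login ok", "10.0.0.5", "ec-east"),
    "custom_property_unmapped": Event("tenant=other login ok", "10.0.0.5", "ec-east"),
    "dlc_beats_log_source": Event("login ok", "10.0.0.5-0f3c7a2e-dlc-example", "ec-east"),
    "log_source": Event("login ok", "10.0.0.5", "ec-east"),
    "group_beats_collector": Event("login ok", "10.0.0.9", "ec-east", "DMZ servers"),
    "collector_only": Event("login ok", "10.0.0.9", "ec-east"),
    "nothing_matches": Event("login ok", "10.0.0.9", "ec-west"),
}


def tag_samples() -> dict[str, str]:
    """Tag every constructed sample event; used by the stand-alone run below."""
    return {name: tag_event(CFG, ev) for name, ev in SAMPLES.items()}


if __name__ == "__main__":
    for name, domain in tag_samples().items():
        print(f"{name:26} -> {domain}")
    print("flows:", tag_flow(CFG, Flow("router-core", "fp-east")),
          tag_flow(CFG, Flow("router-edge", "fp-east")))
    print("in default domain:", [e.log_source_identifier for e in in_default_domain(CFG, SAMPLES.values())])
```

The "custom_property_unmapped" sample is the case worth watching in a multi-tenant deployment: its log source is mapped to a domain, but because the tenant value was extracted and not found in the mapping, the event goes to the default domain instead, exactly as the precedence section describes.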