Just to add to Karl's comments, Log Source groups have their own internal IDs and parent IDs (which is how the hierarchy is defined), so if you have two groups with the same name, the system will still understand them to be different groups. Searches, rules, etc. that reference rules do so by ID internally, so even if you have duplicate names the linkages are still deterministic. The only time duplicate names may get you in trouble is in cases where you're composing something else (search, rule, retention bucket, routing rule, etc.) and have a log source group selector that doesn't show you the hierarchical view (or otherwise note the parent group) - if you can only pick from a list of names, you won't know which one you're picking. As far as I know we always show the necessary context (we do in the four examples I just provided), but it's possible there is a case where we don't, in which case you may need to do a quick test of the thing you just configured to verify you used the correct group. Alternatively, you can use the REST APIs (via the interactive documentation page in the UI), which expose the IDs of the log source groups, to see if the reference in the thing you just made is correct.
Cheers
Colin
------------------------------
COLIN HAY
IBM Security
------------------------------
Original Message:
Sent: Wed October 26, 2022 09:26 AM
From: Tomas Tyser
Subject: Log Source Groups Names
Hello, how does QRadar identify the log source groups? What I am trying to find out is, if I have for example two log source groups with the name Linux, but each of them is under a different root log source group name, for example:
1. Server/Linux
2. OS/Linux
Will there be any problem with the fact that I have two groups with the same name? Like some conflict?
Thank you for your reply!
Regards
TT
------------------------------
Tomas Tyser
------------------------------
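Added example, not part of the original thread and not IBM's code: a sketch of the ID check Colin describes, resolving each group's full path from its ID and parent ID so that a reference to a duplicated name such as Linux can be confirmed. The records are constructed sample data, and the field names `id`, `parent_id` and `name` are assumptions about what an export of the log source groups would contain.

```python
from collections import defaultdict

# Constructed sample records mirroring the Server/Linux and OS/Linux case.
# Field names are assumptions, not taken from the QRadar API documentation.
GROUPS = [
    {"id": 1, "parent_id": None, "name": "Server"},
    {"id": 2, "parent_id": None, "name": "OS"},
    {"id": 10, "parent_id": 1, "name": "Linux"},
    {"id": 11, "parent_id": 2, "name": "Linux"},
    {"id": 12, "parent_id": 2, "name": "Windows"},
]


def group_path(group_id, by_id):
    """Walk parent_id links up to the root and return 'Root/.../Leaf'."""
    parts, seen = [], set()
    while group_id is not None:
        if group_id in seen:
            raise ValueError(f"parent cycle at group id {group_id}")
        if group_id not in by_id:
            raise ValueError(f"unknown group id {group_id}")
        seen.add(group_id)
        group = by_id[group_id]
        parts.append(group["name"])
        group_id = group["parent_id"]
    return "/".join(reversed(parts))


def ambiguous_names(groups):
    """Map each duplicated group name to its (id, full path) candidates."""
    by_id = {g["id"]: g for g in groups}
    by_name = defaultdict(list)
    for g in groups:
        by_name[g["name"]].append((g["id"], group_path(g["id"], by_id)))
    return {name: sorted(c) for name, c in by_name.items() if len(c) > 1}


def verify_reference(referenced_id, expected_path, groups):
    """True if the ID stored in a rule or search is the intended group."""
    by_id = {g["id"]: g for g in groups}
    if referenced_id not in by_id:
        return False
    return group_path(referenced_id, by_id) == expected_path


if __name__ == "__main__":
    for name, candidates in ambiguous_names(GROUPS).items():
        print(name, candidates)
    print(verify_reference(11, "OS/Linux", GROUPS))
```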