Since Source IP is not a CEP (Custom Event Property), you may try to find if there is any other info different from Source IP, like any user or domain or interface info that comes on each event, so you may parse that. With that you may select to which domain that event belongs.
For example, if the events look like this:
<134>Oct 29 11:39:36 filterlog[35956]: 108,,,1709061651,em1,.....
<134>Oct 29 11:48:25 filterlog[35956]: 4,,,1000000103,em4.....
em1/em4 are the network interfaces. So I parse that field, and em1 = domainA, em4 = domainB.
------------------------------
Juan Paulo
IBM
Santiago
------------------------------
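As an added illustration of the interface-based approach in the reply above (example code written for this thread, not something posted by Juan Paulo or shipped with QRadar): the regex mirrors what a regex-based custom event property would capture (the fifth comma-separated field after the filterlog header), and the em1/em4 to domainA/domainB mapping, the sample log lines, and the "unassigned" catch-all are all assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events modelled on the filterlog lines quoted in the thread.
# Field order after "filterlog[pid]: " is rule,sub-rule,anchor,tracker,interface,...
SAMPLE_EVENTS = [
    "<134>Oct 29 11:39:36 filterlog[35956]: 108,,,1709061651,em1,match,block,in,4,...",
    "<134>Oct 29 11:48:25 filterlog[35956]: 4,,,1000000103,em4,match,pass,in,4,...",
    "<134>Oct 29 11:50:02 filterlog[35956]: 9,,,1000000200,em7,match,pass,out,4,...",
    "<134>Oct 29 11:51:10 sshd[1201]: Accepted publickey for admin from 10.0.0.2",
]

# Regex in the style of a QRadar regex-based custom property: skip the first four
# comma-separated fields after the filterlog header and capture the fifth (the interface).
INTERFACE_REGEX = re.compile(r"filterlog\[\d+\]: (?:[^,]*,){4}([^,]+),")

# Assumed interface-to-domain mapping for this example.
INTERFACE_TO_DOMAIN: Dict[str, str] = {"em1": "domainA", "em4": "domainB"}

# Events whose interface is unknown (or that are not filterlog events at all) go to a
# catch-all domain rather than being silently attributed to the wrong tenant.
DEFAULT_DOMAIN = "unassigned"


def extract_interface(event: str) -> Optional[str]:
    """Return the interface name from a filterlog event, or None if it cannot be parsed."""
    match = INTERFACE_REGEX.search(event)
    return match.group(1) if match else None


def assign_domain(event: str) -> str:
    """Map one event to a domain via its interface; unmapped interfaces hit the default."""
    iface = extract_interface(event)
    if iface is None:
        return DEFAULT_DOMAIN
    return INTERFACE_TO_DOMAIN.get(iface, DEFAULT_DOMAIN)


def split_by_domain(events: List[str]) -> Dict[str, List[str]]:
    """Group events by the domain assigned from their interface field."""
    buckets: Dict[str, List[str]] = {}
    for event in events:
        buckets.setdefault(assign_domain(event), []).append(event)
    return buckets


if __name__ == "__main__":
    for domain, events in split_by_domain(SAMPLE_EVENTS).items():
        print(f"{domain}: {len(events)} event(s)")
        for event in events:
            print(f"  interface={extract_interface(event)!s:<5} {event}")
```

The point of the catch-all bucket is that a new interface added on the firewall, or a non-filterlog line arriving on the same log source, shows up as "unassigned" where it can be reviewed, instead of landing in whichever tenant's domain the default rule happens to point at.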
Original Message:
Sent: Tue October 29, 2024 04:36 AM
From: Aditya Cesario Saputra
Subject: Split Domain with same Log Source
Thanks Vishal for your insight.
If I use a Custom Event Property, I should add the IP addresses one by one, right? Any trick to add by IP segment like /24, etc.?
------------------------------
Aditya Cesario Saputra
Original Message:
Sent: Tue October 29, 2024 02:17 AM
From: Vishal Tangadkar
Subject: Split Domain with same Log Source
Hello Aditya,
If we have some kind of different property in these events, we can use a Custom Event Property:
Please go through the document below:
https://www.ibm.com/docs/en/qsip/7.5?topic=segmentation-example-domain-privilege-assignments-based-custom-properties
------------------------------
Vishal Tangadkar
IBM INDIA PVT LTD
Original Message:
Sent: Mon October 28, 2024 11:01 PM
From: Aditya Cesario Saputra
Subject: Split Domain with same Log Source
Hi All,
I have a firewall with many tenants behind the firewall. How do I split logs from one log source to a specific domain in QRadar?
------------------------------
Aditya Cesario Saputra
------------------------------