An administrator is about to integrate logs from a custom firewall into a QRadar deployment using syslog. The SIEM has two domains, Domain A and Domain B.
While reviewing the following sample logs, the administrator notices a “context” keyword:
May 14 11:05:01 192.168.1.23 20190514 11:05:00 context=contextA permit 192.168.1.24 source: 10.10.1.15; source_port: 64094; destination: 10.10.13.34; service: 53; protocol: udp;
May 13 12:07:01 192.168.1.23 20190513 11:07:00 context=contextB permit 192.168.1.25 source: 10.10.1.15; source_port: 64094; destination: 10.10.13.34; service: 53; protocol: udp;
Which options assign the “contextA” logs to Domain A and the “contextB” logs to Domain B? (Choose two.)
A. Create a single log source, create a “Context” custom event property, and assign the log to both domains using a custom rule.
B. Create two individual log sources by configuring a separate logging instance for each context on the firewall and assign each log source to the correct domain.
C. Create a single log source, create a “Context” custom event property, and assign the log to the correct domain using the custom event property value.
D. Create two individual log sources using the context value as the log source identifier and assign each log source to the correct domain.
E. Create a single log source, create a “Context” custom event property, and assign the log to the correct domain using a custom rule.
Answer: BD
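As an added illustration (not part of the original question, and not QRadar code), the script below parses the two sample lines the way a QRadar syslog log source and a regex-based “Context” custom event property would see them: the syslog header host becomes the log source identifier, `\bcontext=(\w+)` is the capture-group regex such a property would use, and the context value is mapped to a domain. The domain names and the `contextA`/`contextB` mapping are assumptions; QRadar’s actual domain assignment is configured under Domain Management. The last function makes the practical point visible: both contexts arrive from the same sending host, 192.168.1.23, so they cannot be split by identifier alone unless the firewall is made to send each context as its own logging instance.

```python
import re

# Constructed sample input: the two syslog lines quoted in the question stem.
SAMPLE_LOGS = [
    "May 14 11:05:01 192.168.1.23 20190514 11:05:00 context=contextA permit 192.168.1.24 "
    "source: 10.10.1.15; source_port: 64094; destination: 10.10.13.34; service: 53; protocol: udp;",
    "May 13 12:07:01 192.168.1.23 20190513 11:07:00 context=contextB permit 192.168.1.25 "
    "source: 10.10.1.15; source_port: 64094; destination: 10.10.13.34; service: 53; protocol: udp;",
]

# Assumed mapping for this illustration; in QRadar the domain names are whatever the
# administrator created under Admin > Domain Management.
CONTEXT_TO_DOMAIN = {"contextA": "Domain A", "contextB": "Domain B"}
DEFAULT_DOMAIN = "Default Domain"  # QRadar places events matching no domain in the default domain

# RFC 3164-style syslog header: timestamp, sending host, message.
# For a plain syslog log source QRadar takes the host field as the log source identifier.
SYSLOG_HEADER = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(\S+)\s+(.*)$")

# Device-side part of the message: device date/time, then "context=<name> <action> <peer>".
DEVICE_PREFIX = re.compile(r"^(\d{8}\s+\d{2}:\d{2}:\d{2})\s+context=(\w+)\s+(\w+)\s+(\S+)\s+(.*)$")

# Capture group 1 is what a regex-based custom event property named "Context" would extract.
CONTEXT_CEP_REGEX = re.compile(r"\bcontext=(\w+)")

# "key: value;" pairs at the end of the message. Keys are restricted to letters and
# underscore so the device time "11:05:00" can never be mistaken for a key.
KV_PAIR = re.compile(r"([a-z_]+):\s*([^;]+);")


def extract_context(message):
    """Mimic the 'Context' custom event property: return the captured value or None."""
    m = CONTEXT_CEP_REGEX.search(message)
    return m.group(1) if m else None


def parse_event(line):
    """Parse one firewall syslog line into a flat dict, including the domain it maps to."""
    hdr = SYSLOG_HEADER.match(line)
    if not hdr:
        raise ValueError("not a syslog line: %r" % line)
    syslog_time, host, message = hdr.groups()
    dev = DEVICE_PREFIX.match(message)
    if not dev:
        raise ValueError("unexpected firewall payload: %r" % message)
    device_time, context, action, peer, rest = dev.groups()
    fields = dict(KV_PAIR.findall(rest))
    fields["source_port"] = int(fields["source_port"])
    fields["service"] = int(fields["service"])
    return {
        "syslog_time": syslog_time,
        "log_source_identifier": host,
        "device_time": device_time,
        "context": context,
        "action": action,
        "peer": peer,
        "domain": CONTEXT_TO_DOMAIN.get(context, DEFAULT_DOMAIN),
        **fields,
    }


def parse_all(lines):
    return [parse_event(line) for line in lines]


def identifiers_distinguish_contexts(events):
    """True only if every context arrives under its own, unique log source identifier.

    For the sample lines this is False: both contexts share 192.168.1.23, so a single
    syslog log source cannot be split by identifier alone. The split must come from the
    context value (custom property) or from the firewall sending each context as a
    separate logging instance with its own identifier.
    """
    if not events:
        return False
    seen = {}
    for e in events:
        seen.setdefault(e["context"], set()).add(e["log_source_identifier"])
    id_sets = list(seen.values())
    one_id_each = all(len(s) == 1 for s in id_sets)
    no_shared_id = len(set.union(*id_sets)) == len(id_sets)
    return one_id_each and no_shared_id


if __name__ == "__main__":
    evts = parse_all(SAMPLE_LOGS)
    for e in evts:
        print("%s  identifier=%s  context=%s  -> %s"
              % (e["syslog_time"], e["log_source_identifier"], e["context"], e["domain"]))
    print("identifier alone separates contexts:", identifiers_distinguish_contexts(evts))
```

Running the script shows the two events landing in Domain A and Domain B by context while reporting that the identifier alone does not separate them; an event whose context value is not in the mapping falls through to the default domain, which is the behaviour to watch for when a new firewall context is added without updating the domain configuration.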