@TerjeOlsen

Two things to confirm/try:
1. Can you include your QRadar version?
2. Can you try adding the log source itself directly to the domain to see if it resolves the issue?

I was talking with someone about this recently as we are tracking an issue when a Log Source Group is added to a domain that individual log sources in the group or a sub-group might not get picked up properly by the domain association. As we process event data, log source groups are evaluated and meta data containing the domain tag is added to the event when we parse the data behind the scenes, but some of the group associations are not picked up properly. This is why I think you are seeing this issue only on a specific log source type. I believe the work around for this is to temporarily add your Firesight Mgmt Center log source to the domain while we work on this issue to confirm or if we need to investigate further.

Also, if this were my system I would definitely also open a ticket to get your customer number added to this issue for verification purposes. I believe that you are hitting issue 180055 <-- give that number to the support rep after you verified that adding the log source directly resolves the issue. They can use this info to prove out the problem or just add your name to link you to the issue.

I think there is an APAR pending for this issue, but I am going to follow-up and verify the APAR status. Since there is no APAR yet, I gave you the direct issue number that should help the investigation move along. I do know that this is a pending 7.3.1 update as this was reported by another user. However, without your version info it is hard to confirm, but what you described and what they reported sounds very similar.

Feel free to reference this forum post in your case and the support rep can ping me if they have questions. If you are on 7.3.1, I believe this is known/reported. However, let me know if you have follow-up questions.

~ Jonathan