UEBA user roles for multitenancy

The User Entity Behavior Analytics (UEBA) app 3.6.0 and later supports multitenant environments in QRadar® 7.4.3 Fix Pack 6 and later.

In a multitenant deployment, you ensure that customers see only their data by creating domains that are based on their QRadar input sources. By creating security profiles and user roles, you can manage privileges for large groups of users within the domain. User roles ensure that users have access to only the information that they are authorized to see.

Note: UEBA 3.6.0 (and later) does not support multiple domains under one security profile. A security profile can only have one domain assigned to it in order for UEBA to work as expected.

For UEBA to work with QRadar, the QRadar Admin can create user roles that designate a "UEBA tenant admin" and any non-admin users, or "UEBA tenant" users. Each role has distinct responsibilities and associated activities.

QRadar admin/MSSP admin

The QRadar Admin/MSSP admin owns and manages the first or "admin" instance of UEBA. The QRadar admin is responsible for completing the following tasks:
  • Setting up the first "admin" instance and the other non-admin UEBA instances.
  • Configuring non-admin instances with the appropriate tenant_admin token and instance identifiers.
  • Determining the size and installing Machine Learning for any instance that requires it. Note: The size of the Machine Learning instance must be the same for every instance. For example, if instance A uses a 5 GB Machine Learning instance, instances B and C must either use no Machine Learning or also use 5 GB.
  • Upgrading all apps or systems.
  • Managing all system settings and rule configurations. Note: Rules are shared for every instance.
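
The two constraints stated above (one domain per security profile, and one Machine Learning size across all instances that use it) can be checked against a deployment plan before any instance is created. The following is an added example, not IBM code: the inventory layout, field names, and sample values are constructed assumptions and do not reflect a QRadar or UEBA export format.

```python
# Added example: pre-flight check of a multitenant UEBA plan.
# The inventory layout and all field names are assumptions for illustration;
# they are not a QRadar or UEBA export format.

def check_ueba_plan(security_profiles, instances):
    """Return a list of findings; an empty list means both constraints hold."""
    findings = []

    # Constraint 1: a security profile must have exactly one domain assigned.
    for name, domains in sorted(security_profiles.items()):
        unique = sorted(set(domains))
        if len(unique) != 1:
            findings.append(
                f"security profile {name!r} has {len(unique)} domains {unique}; "
                "UEBA requires exactly one"
            )

    # Constraint 2: every instance that uses Machine Learning must use the
    # same size. Instances with no Machine Learning (None) are allowed.
    sizes = {}
    for inst in instances:
        size = inst.get("ml_size_gb")
        if size is not None:
            sizes.setdefault(size, []).append(inst["name"])
    if len(sizes) > 1:
        detail = "; ".join(
            f"{size} GB: {', '.join(sorted(names))}"
            for size, names in sorted(sizes.items())
        )
        findings.append(f"Machine Learning sizes differ across instances ({detail})")

    return findings


# Constructed sample data.
SAMPLE_PROFILES = {
    "tenant_a_profile": ["tenant_a_domain"],
    "tenant_b_profile": ["tenant_b_domain", "tenant_c_domain"],  # violates the note
}
SAMPLE_INSTANCES = [
    {"name": "A", "ml_size_gb": 5},
    {"name": "B", "ml_size_gb": None},  # no Machine Learning: allowed
    {"name": "C", "ml_size_gb": 10},    # differs from A: not allowed
]

if __name__ == "__main__":
    for finding in check_ueba_plan(SAMPLE_PROFILES, SAMPLE_INSTANCES):
        print("FAIL:", finding)
```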

UEBA tenant admin

The UEBA tenant admin is responsible for the following tasks:
  • Configuring UEBA Settings (specifically Application Settings).
  • Configuring Machine Learning settings.
  • Adding users to the trusted user list and deleting users.
  • Setting the Machine Learning priority.
  • Investigating users with QRadar Advisor with Watson.
  • Configuring user imports.
  • Creating domain filters.
  • Creating and enabling custom machine learning models.
  • Creating GDPR reports.
Complete the following procedure to create a role for the tenant admin user.
  1. On the navigation menu, click Admin.
  2. In the System Configuration section, click User Management, and then click the User Roles icon.
  3. Create a new role for the tenant admin user. For example, tenant_admin.
  4. Select the checkboxes as indicated in the following screenshot to add the permissions to the role.
  5. Click Save.
User role permissions for tenant admin

UEBA tenant user

The UEBA tenant user has limited ability to manage the UEBA instance but can do the following:
  • View and analyze user data in UEBA.
  • Internally investigate users.
Complete the following procedure to create a role for the UEBA tenant user.
  1. On the navigation menu, click Admin.
  2. In the System Configuration section, click User Management, and then click the User Roles icon.
  3. Create a new role for a tenant user. For example, tenant_user.
  4. Select the checkboxes as indicated in the following screenshot to add the permissions to the role.
  5. Click Save.
User role permissions for tenant user