Rules and tuning for multitenancy in UEBA

In User Entity Behavior Analytics (UEBA) app 3.6.0 and later, each rule is enabled or disabled by default for every UEBA instance so that the app supports multitenancy. If you need a rule to behave differently for a subset of instances, you must change the rule behavior manually.

The following procedure must be completed by the QRadar® Admin or the MSSP admin.

By default, every rule is either enabled or disabled for every instance of UEBA. To make a rule apply to only a subset of the instances, edit the rule as follows:
  1. Make a copy of the rule, and rename both the rule and the event it generates to fit the situation. For example, if Domain1 wants the rule "UBA : Terminated User Activity" enabled while the other domains do not, copy the rule and rename it "UBA : Terminated User Activity Domain1". Rename the event the same way.
  2. In the new rule, add the test "when the domain is one of the following" and select the domains that the rule should apply to. Move this test to the top of the test list so that events from other domains are discarded before the remaining tests are evaluated.
  3. If the rule writes to reference data (for example, a reference set), change the reference data setting from Shared Data to Domain Specific so that each domain keeps its own entries.
  4. Make sure that the new rule is enabled.
  5. Save the rule.
  6. Make sure that the original rule is disabled. Note: If the original rule is still needed for the other domains, leave it enabled and add a test to it that excludes the intended domain (Domain1 in the example); otherwise events from that domain match both the original rule and the copy.
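The procedure above leaves an invariant that is easy to break over time: every domain-specific copy ("<name> <Domain>") must be enabled, and its original ("<name>") must be either disabled or carry an exclusion test. The following audit script is an added example, not code from the IBM documentation or from the UEBA app. It checks that invariant over a rule listing shaped like the fields returned by QRadar's GET /api/analytics/rules (id, name, enabled); the rule names, the domain suffixes, the API version header and the console host are assumptions for the illustration, and the sample listing is constructed, not real data. An exclusion test on an original rule is not visible in the rule listing, so an original that is still enabled next to a copy is reported for manual review rather than as an error.

```python
"""Audit per-domain rule copies created by the multitenancy procedure.

Added example; not part of the IBM documentation or the UEBA app.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Domains that have dedicated rule copies (assumption for the example).
DOMAIN_SUFFIXES = ("Domain1", "Domain2")

# Constructed sample of what GET /api/analytics/rules returns; not real data.
SAMPLE_RULES = [
    {"id": 101, "name": "UBA : Terminated User Activity", "enabled": False},
    {"id": 102, "name": "UBA : Terminated User Activity Domain1", "enabled": True},
    {"id": 103, "name": "UBA : Detect Insecure Or Non-Standard Protocol", "enabled": True},
    {"id": 104, "name": "UBA : Detect Insecure Or Non-Standard Protocol Domain2", "enabled": True},
    {"id": 105, "name": "UBA : Browsed To Malicious Site", "enabled": True},
    {"id": 106, "name": "UBA : Browsed To Malicious Site Domain1", "enabled": False},
]

# "<base name> <Domain>" where <Domain> is one of the configured suffixes.
_SUFFIX_RE = re.compile(
    r"^(?P<base>.+?) (?P<domain>" + "|".join(map(re.escape, DOMAIN_SUFFIXES)) + r")$"
)


def split_copy_name(name: str) -> Optional[Tuple[str, str]]:
    """Return (base_name, domain) for a per-domain copy, or None for an original rule."""
    m = _SUFFIX_RE.match(name)
    if not m:
        return None
    return m.group("base"), m.group("domain")


def audit_rule_copies(rules: Iterable[dict]) -> Dict[str, List[str]]:
    """Check every domain-specific copy against its original.

    Returns three lists:
      ok               - copy enabled and original disabled
      copy_disabled    - the copy itself is disabled (step 4 was missed)
      original_enabled - original still enabled next to a copy; it needs an
                         exclusion test for that domain, or must be disabled
    """
    by_name = {r["name"]: r for r in rules}
    findings: Dict[str, List[str]] = {"ok": [], "copy_disabled": [], "original_enabled": []}
    for rule in by_name.values():
        parts = split_copy_name(rule["name"])
        if parts is None:
            continue  # an original rule; it is judged via its copies
        base, domain = parts
        if not rule["enabled"]:
            findings["copy_disabled"].append(rule["name"])
            continue
        original = by_name.get(base)
        if original is not None and original["enabled"]:
            findings["original_enabled"].append(f"{base} (copy for {domain} is enabled)")
            continue
        findings["ok"].append(rule["name"])
    return findings


def fetch_rules(console: str, token: str) -> List[dict]:
    """Live variant: pull the rule list from a QRadar console (not run here).

    Uses the SEC token header of the QRadar REST API; the API version
    header value is an assumption and should match the target console.
    """
    import requests  # third-party, needed only for the live path

    resp = requests.get(
        f"https://{console}/api/analytics/rules",
        headers={"SEC": token, "Accept": "application/json", "Version": "12.0"},
        params={"fields": "id,name,enabled"},
        timeout=30,
    )
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    # Replace SAMPLE_RULES with fetch_rules("qradar.example.com", "<token>") for a live run.
    for kind, names in audit_rule_copies(SAMPLE_RULES).items():
        for n in names:
            print(f"{kind:17} {n}")
```

Run against the constructed listing, the script reports the Terminated User Activity pair as ok, flags the "Browsed To Malicious Site Domain1" copy as disabled, and lists "Detect Insecure Or Non-Standard Protocol" for review because the original is still enabled alongside its Domain2 copy.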

Known issue

In QRadar 7.4.0 Fix Pack 1, the rule response limiter cannot be made domain aware. Any rule that applies to more than one domain is limited across all of those domains: for example, if Domain1 and Domain2 each have a user named "John Doe" and both trigger the same rule within the limiter's time frame, only one of the two users is flagged by the rule.
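To make the effect of a limiter that is not domain aware concrete, the following added example models it; it is not QRadar code and does not reproduce QRadar's limiter implementation. It replays a constructed sequence of events from two domains through a "one response per key per window" limiter, once keyed on the username alone (the cross-domain behaviour described above) and once keyed on the (domain, username) pair. The window length, timestamps, domains and usernames are assumptions for the illustration.

```python
"""Model of a response limiter that is, or is not, domain aware.

Added example; not QRadar code. Simulates "1 response per key per window".
"""
from typing import Callable, Dict, Hashable, List, Tuple

WINDOW_SECONDS = 600  # assumed limiter window: one response per key per 10 minutes

# Constructed events: (epoch seconds, domain, username). Not real data.
EVENTS: List[Tuple[int, str, str]] = [
    (1000, "Domain1", "John Doe"),
    (1030, "Domain2", "John Doe"),  # another tenant's John Doe, inside the window
    (1060, "Domain2", "Jane Roe"),
    (1700, "Domain1", "John Doe"),  # window has expired, so this fires again
]


def replay(
    events: List[Tuple[int, str, str]],
    key_fn: Callable[[str, str], Hashable],
    window: int = WINDOW_SECONDS,
) -> List[Tuple[int, str, str]]:
    """Return the events that produce a rule response under a limiter keyed by key_fn."""
    last_fired: Dict[Hashable, int] = {}
    fired: List[Tuple[int, str, str]] = []
    for ts, domain, user in sorted(events):
        key = key_fn(domain, user)
        prev = last_fired.get(key)
        if prev is not None and ts - prev < window:
            continue  # suppressed: a response for this key already fired in the window
        last_fired[key] = ts
        fired.append((ts, domain, user))
    return fired


def by_user(domain: str, user: str) -> Hashable:
    """Limiter key that ignores the domain (the cross-domain behaviour)."""
    return user


def by_domain_and_user(domain: str, user: str) -> Hashable:
    """Limiter key that keeps tenants apart."""
    return (domain, user)


if __name__ == "__main__":
    print("limiter keyed on username only:")
    for e in replay(EVENTS, by_user):
        print("  fired", e)
    print("limiter keyed on (domain, username):")
    for e in replay(EVENTS, by_domain_and_user):
        print("  fired", e)
```

With the username-only key, Domain2's "John Doe" at second 1030 is silently dropped because Domain1's "John Doe" fired 30 seconds earlier; with the (domain, username) key every event fires. Until the limiter is domain aware, the practical workaround is the per-domain rule copies from the procedure above, since each copy then has its own limiter state.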