Multitenancy in UEBA

The User Entity Behavior Analytics (UEBA) app supports multitenant environments in QRadar®. You can create multiple tenants from a single deployment instead of managing multiple deployments.

Multitenant environments allow Managed Security Service Providers (MSSPs) and multi-divisional organizations to provide security services to multiple client organizations from a single, shared IBM® QRadar deployment. You don't have to deploy a unique QRadar instance for each customer.

For example, as an MSSP partner, you might host 20 clients on a single instance of QRadar, with each client managing approximately 1000 employees.

Important: When you are logged in to QRadar as an MT site admin, by default you see two tenants, one of which is the Admin tenant. Use the IBM QRadar Hub app to modify which other tenant you see by default.

Overview

Multitenancy in UEBA requires the QRadar Administrator or an MSSP Administrator (QRadar Admin) to complete several setup procedures that include specific configuration tasks in supported versions of QRadar. The QRadar Admin must use the IBM QRadar Hub app 3.0 or later to install and configure the first or "admin" UEBA instance and the additional non-admin or tenant instances. After the non-admin instances are established, the QRadar Admin must also assign user roles and specific permissions. The user roles for the non-admin instances include "UEBA tenant admin" and "UEBA tenant" users.

[Figure: High-level architecture diagram for multitenancy in UEBA]

Deployment guidance

The number of UEBA instances that are supported is directly related to the QRadar environment. In general, tenants should be added one at a time, and after each addition you should verify that QRadar is healthy and that the remaining apps are also performing as expected.

QRadar system performance was confirmed on three different environments that differed in the number of users and Events Per Second (EPS). Each environment contained a QRadar Console with 128 GB RAM and 56 cores, an Event Processor with 128 GB RAM and 56 cores, and an App Host with 372 GB RAM and 72 cores.
  • The first system successfully ran 30 instances of UEBA with 5000 users on each instance with an EPS of 800.
  • The second system successfully ran 8 instances of UEBA with 40000 users on each instance with an EPS of 1500.
  • The third system successfully ran 6 instances of UEBA with 100000 users on each instance with an EPS of 2500.

These guidelines ensure the proper functioning of your QRadar system and UEBA. If errors are encountered within your QRadar environment, consider increasing RAM or adding an Event Processor.
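The three validated environments above give a rough capacity envelope for a planned deployment. The following script is an added example (not IBM code) that encodes those three data points and checks whether a plan is covered by one of them. The "dominance" test is this example's own interpretation: a plan counts as inside the envelope only when some validated run had at least as many instances, at least as many users per instance, and at least as high an EPS at the same time. It assumes the plan counts UEBA instances the same way the page does.

```python
"""Capacity envelope check for a planned multitenant UEBA deployment.

Added example, not IBM code. The three validated runs are the ones the page
reports; all three used the same hardware (Console 128 GB RAM / 56 cores,
Event Processor 128 GB RAM / 56 cores, App Host 372 GB RAM / 72 cores).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ValidatedRun:
    instances: int            # UEBA instances running concurrently
    users_per_instance: int   # users monitored by each instance
    eps: int                  # events per second on the deployment


# Data points taken from the page.
VALIDATED_RUNS = (
    ValidatedRun(instances=30, users_per_instance=5_000, eps=800),
    ValidatedRun(instances=8, users_per_instance=40_000, eps=1_500),
    ValidatedRun(instances=6, users_per_instance=100_000, eps=2_500),
)


def covering_runs(instances, users_per_instance, eps):
    """Return the validated runs that meet or exceed the plan on all three axes.

    A plan is only considered covered when a single validated run dominates it
    on every axis; mixing the best value from different runs is not allowed,
    because none of the runs was tested at that combination.
    """
    return [
        run for run in VALIDATED_RUNS
        if run.instances >= instances
        and run.users_per_instance >= users_per_instance
        and run.eps >= eps
    ]


def assess_plan(instances, users_per_instance, eps):
    """Summarise a plan against the validated envelope.

    Returns the total monitored user count, whether the plan is inside the
    envelope, and which validated runs cover it. An uncovered plan is not
    necessarily unsupported, but it is outside what the page reports as
    confirmed and deserves the one-tenant-at-a-time health checks described
    in the deployment guidance.
    """
    covered = covering_runs(instances, users_per_instance, eps)
    return {
        "total_users": instances * users_per_instance,
        "within_validated_envelope": bool(covered),
        "covered_by": covered,
    }


if __name__ == "__main__":
    # The MSSP scenario from the page: 20 clients of about 1000 employees each.
    # EPS of 500 is a constructed value for the example.
    print(assess_plan(instances=20, users_per_instance=1_000, eps=500))
    # A plan that exceeds every validated run on at least one axis.
    print(assess_plan(instances=10, users_per_instance=50_000, eps=2_000))
```

The second plan in the usage block is uncovered even though each of its values individually appears somewhere in the validated data, which is exactly the case a simple "max of each column" check would get wrong.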

QRadar Admin or MSSP Admin role

Important: The QRadar Admin must set up the first or "admin" instance of UEBA. After the admin instance of UEBA is established with an admin token, more UEBA instances can then be created. When running multiple instances of UEBA, the admin instance is used solely to upgrade Machine Learning (ML app) and install content; it does not process data or perform any other functions. Do not remove the admin instance.

Security profiles

UEBA does not support multiple domains under one security profile. A security profile can only have one domain assigned to it for UEBA to work as expected.

Dashboard

On the Dashboard, only the QRadar Admin can see the rules installation status for the UEBA tenant admin user and the UEBA tenant user. The UEBA tenant admin user and the UEBA tenant user always see a green status of rules on the dashboard.

If you have Machine Learning (ML app) installed, the status for Machine Learning on the Dashboard is always shown as green. If you do not have the ML app installed, the status that is shown is always gray.

Integration with QRadar Advisor with Watson

If you want to integrate QRadar Advisor with Watson in a UEBA multitenant environment, you should install QRadar Advisor with Watson version 2.5.2 or later.

Reference Data Import - LDAP app

You should not use the LDAP app in a multitenant environment because the LDAP app is not multi-domain or multitenant aware, so every user can see every import.

Moving from a single instance of UEBA to multiple instances

For the best experience with multitenancy, it is recommended to start with a fresh installation of UEBA.

If you are moving from a single instance of UEBA to a multitenant setup, you will not be able to keep using the existing UEBA instance and also run multitenancy. As soon as a second instance of UEBA is seen in QRadar, the upgraded UEBA instance changes into a limited-functionality instance. The data is not removed, but it is no longer updated. You also must uninstall the ML app before installing any additional instances.

Important: Do not uninstall the Admin or shared instance.

Upgrading

To upgrade UEBA with a multitenant setup, you should apply the upgrade to the Admin instance. All of the tenant instances will be upgraded along with it.

Warnings

You must set up your multitenant environment as specified or you could experience problems with UEBA and Machine Learning. Consider the following warnings:
  • Do not uninstall the Admin or shared instance.
  • Ensure that any edits to reference sets in QRadar are domain specific; otherwise, users might show up in unintended tenant instances.
  • Do not install Machine Learning (ML app) on the admin instance of UEBA.
  • The admin instance of UEBA is only responsible for updating rules and informing other (non-admin) instances about Machine Learning updates.
  • The admin instance of UEBA will not ingest user data.
  • Each instance can only have a single tenant and each tenant can only have a single domain.
  • Tenants cannot be provided an admin authorized service token.
  • The QRadar Admin should not add users to the trusted users list or remove users from it, because doing so adds or removes those trusted users for all tenant instances.
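Several of the constraints on this page (one domain per security profile in the Security profiles section, and in the warnings above: exactly one tenant per instance and one domain per tenant, no ML app on the admin instance, the admin instance never removed, and no admin authorized service token for a tenant) can be checked mechanically before tenants are added. The script below is an added example, not IBM code or Hub app output: the layout dictionary is a hypothetical shape of this example's own design, with constructed names, not QRadar's API response format. It lints a planned layout and reports every violation it finds.

```python
"""Lint a planned UEBA multitenant layout against the constraints on this page.

Added example, not IBM code. The layout structure and field names
("instances", "tenants", "security_profiles", "role", "ml_app", ...) are
hypothetical; an operator would populate them from their own records or
from the QRadar API, which this example does not call.
"""

# Constructed sample layout with deliberate violations (hypothetical names).
SAMPLE_LAYOUT = {
    "instances": [
        {"name": "UEBA-admin", "role": "admin", "tenants": [],
         "ml_app": False, "admin_token": True},
        {"name": "UEBA-acme", "role": "tenant", "tenants": ["acme"],
         "ml_app": True, "admin_token": False},
        # Violations: serves two tenants and was handed an admin token.
        {"name": "UEBA-shared", "role": "tenant", "tenants": ["globex", "initech"],
         "ml_app": True, "admin_token": True},
    ],
    "tenants": {
        "acme": {"domains": ["acme-domain"]},
        "globex": {"domains": ["globex-domain", "globex-eu"]},   # violation: two domains
        "initech": {"domains": ["initech-domain"]},
    },
    "security_profiles": [
        {"name": "acme-analysts", "domains": ["acme-domain"]},
        {"name": "msp-soc", "domains": ["globex-domain", "initech-domain"]},  # violation
    ],
}


def lint_layout(layout):
    """Return a list of (severity, message) findings; an empty list means compliant.

    Each check corresponds to a statement on the page:
      - exactly one admin instance must exist (do not remove it)
      - the ML app must not be installed on the admin instance
      - each tenant instance serves exactly one tenant
      - tenant instances are not given an admin authorized service token
      - each tenant maps to exactly one domain
      - each security profile used with UEBA has exactly one domain
    """
    findings = []
    instances = layout["instances"]

    admins = [i for i in instances if i["role"] == "admin"]
    if len(admins) != 1:
        findings.append(("error", f"expected exactly one admin instance, found {len(admins)}"))

    for inst in instances:
        name = inst["name"]
        if inst["role"] == "admin":
            if inst["ml_app"]:
                findings.append(("error", f"{name}: ML app must not be installed on the admin instance"))
            continue
        if len(inst["tenants"]) != 1:
            findings.append(("error", f"{name}: each instance serves exactly one tenant (has {len(inst['tenants'])})"))
        if inst["admin_token"]:
            findings.append(("error", f"{name}: tenant instances cannot be given an admin authorized service token"))

    for tenant, spec in layout["tenants"].items():
        if len(spec["domains"]) != 1:
            findings.append(("error", f"tenant {tenant}: must map to exactly one domain (has {len(spec['domains'])})"))

    for profile in layout["security_profiles"]:
        if len(profile["domains"]) != 1:
            findings.append(("error", f"security profile {profile['name']}: UEBA needs exactly one domain (has {len(profile['domains'])})"))

    return findings


if __name__ == "__main__":
    for severity, message in lint_layout(SAMPLE_LAYOUT):
        print(f"[{severity}] {message}")
```

Run against the constructed sample, the linter reports four errors: the shared instance serving two tenants, the same instance holding an admin token, the globex tenant spanning two domains, and the msp-soc security profile spanning two domains. Fixing those (one instance per tenant, one domain per tenant and per profile, no admin token outside the admin instance) brings the finding list to empty.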