Installing and configuring UEBA instances to support multitenancy

You can set up UEBA to work in a multitenant environment in QRadar® 7.4.3 Fix Pack 6 or later.

Before you begin

You must complete the steps that are outlined in the table on the QRadar configurations for setting up multitenancy in UEBA page on a system with QRadar 7.4.3 Fix Pack 6 or later.

Before you attempt to configure any UEBA instance, make sure you have an Admin instance of UEBA installed by completing the following steps Installing the User Entity Behavior Analytics app.

Attention:

Installing instances requires IBM QRadar Hub app 3.0.0 or later. For more information, see IBM QRadar Hub.
Do not uninstall the Admin or shared instance.

The following procedure must be completed by the QRadar Admin or the MSSP admin.

Find the User Entity Behavior Analytics extension in the IBM QRadar Hub app.
Select Options > Create new instance.
Choose the security profile for the instance and click Next.

Note: If there are no instances created, create an Admin instance first. If there is an Admin or Shared instance, create the first tenant instance. If the tenant security profile is not listed, ensure that you have created a security profile and deployed changes.
Associate the app to any other roles that are listed and click Next.
Review the summary and click Confirm and Create.
After the instance is created, select the instance and then click Options > Configure Instance > UBA Settings.
On the UBA Settings page, add the service token for the tenant admin that is responsible for the instance of UEBA. Note: Make sure to choose the correct token.
Enter the identifier set for the IBM Sense log source for this instance's domain. For more information, see step 1 of QRadar configurations for setting up multitenancy in UBA.
Save the configuration.
Optional: If this instance of UEBA will also host Machine Learning, see the following topic Installing and configuring Machine Learning in Multitenancy.

Repeat these steps for all instances of UEBA that you want.