QRadar configurations for setting up multitenancy in UBA

You must configure your QRadar® system to support UBA 3.6.0 and later in a multitenant environment.

You must have QRadar administrator privileges to set up your multitenant environment. For more information, see QRadar administration.

For more information about multitenancy in QRadar, see Multitenant management.

Table 1. QRadar configurations to support UBA multitenancy. The following table outlines the steps that must be completed before you begin to configure your UBA instances. The steps outlined in the table are executed from the QRadar Admin settings.
Step   More information
1 Define IBM Sense log source for each domain.

(System Configuration > Data Sources > Log sources)

Each domain requires its own IBM Sense log source for each UBA instance to function properly. Important: When the log source is defined, take note of each unique IBM identifier for use when configuring the tenant UBA instance. The identifier that is used in creating the IBM Sense log source for each instance is also added to the settings for each instance. This identifier tells the UBA instance which log source will be used in processing its sense events.

Note: Only the first or "admin" instance of UBA will have an IBM Sense log source created by default. You must create an IBM Sense log source for additional UBA tenants.
Domains and log sources in multitenant environments
2 Optional: Determine data provisioning.

(System Configuration > Data Sources > Log Source Groups)

You can assign specific log sources, log source groups, or event collectors to provide data for each domain. You can create the log source groups. If you create a group, assign the IBM Sense log source from step 1 to it.

3 Define a set of tenants in Tenant Management

(System Configuration > User Management > Tenant Management)

Provisioning a new tenant
4 Define a set of domains in Domain Management

(System Configuration > Domain Management)

Associate the IBM Sense log source from step 1 (if log source groups are not used), and log source groups, log sources, or event collectors from step 2. Add a tenant from step 3. Each domain must have a unique tenant and log source or log source group.

Creating domains
5 Optional: Define networks in Network Hierarchy

(System Configuration > Network Hierarchy)

Note: This is only necessary if you want each tenant to have a specific network hierarchy.

Network hierarchy updates in a multitenant deployment
6 Create a profile for each domain in Security Profiles

(System Configuration > User Management > Security Profiles)

Associate the previously defined domain, log source, or log source group, and network.

Note: Permission precedence must be set to No restrictions.
Security profiles

7 Create roles in User Roles and then deploy changes.

(System Configuration > User Management > User Roles)

QRadar admin/MSSP admin: Install and configure each UBA and Machine Learning instance. See QRadar admin/MSSP admin for details.

Tenant admin: UBA Admin role for administering a UBA and Machine Learning instance. See UBA tenant admin for details.

Tenant user: UBA Analyst role for reviewing data in UBA. See UBA tenant user for details.

Note: User Analytics, Machine Learning, and QRadar Advisor with Watson™ might not be available at this point.

On the Admin tab, click Deploy changes.

User roles

8 Create service tokens in Authorized Services

(System Configuration > User Management > Authorized Services)

Associate to profile from step 6 and role from step 7. Each tenant admin requires an authorization service token.

Configuring the authorization token in QRadar settings
9 Create users in Users

(System Configuration > User Management > Users)

Create tenant admin and tenant users. Associate each to the specific role, profile, and tenant.

Creating a user account
10 Deploy changes

On the Admin tab, click Deploy changes.
The following diagram illustrates the configuration steps:
Configuration for QRadar and UBA multitenancy
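The uniqueness and association rules in steps 1, 4, 6 and 8 can be checked against a written plan before anything is created in the Admin settings. The following is an added example, not IBM code and not a QRadar API client: the plan layout, field names, and every tenant, domain, profile and token name are constructed placeholders, and it assumes one token carrying the UBA Admin role per security profile.

```python
from collections import Counter

# Constructed two-tenant plan; every name and identifier is a placeholder.
PLAN = {
    "domains": [
        {"name": "domain-a", "tenant": "tenant-a", "sense_id": "sense-a"},
        {"name": "domain-b", "tenant": "tenant-b", "sense_id": "sense-b"},
    ],
    "profiles": [
        {"name": "profile-a", "domain": "domain-a", "precedence": "No restrictions"},
        {"name": "profile-b", "domain": "domain-b", "precedence": "No restrictions"},
    ],
    "tokens": [
        {"name": "token-a", "profile": "profile-a", "role": "UBA Admin"},
        {"name": "token-b", "profile": "profile-b", "role": "UBA Admin"},
    ],
}


def check_plan(plan):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    domains = plan["domains"]
    # Steps 1 and 4: no two domains may share an IBM Sense identifier or a tenant.
    for field, label in (("sense_id", "IBM Sense identifier"), ("tenant", "tenant")):
        counts = Counter(d.get(field) for d in domains)
        for d in domains:
            value = d.get(field)
            if not value:
                findings.append(f"{d['name']}: no {label}")
            elif counts[value] > 1:
                findings.append(f"{d['name']}: {label} {value!r} is shared")
    # Step 8: collect the profiles that have a token carrying the UBA Admin role.
    admin_profiles = {t["profile"] for t in plan["tokens"] if t["role"] == "UBA Admin"}
    for d in domains:
        profiles = [p for p in plan["profiles"] if p["domain"] == d["name"]]
        # Step 6: every domain needs a security profile.
        if not profiles:
            findings.append(f"{d['name']}: no security profile")
        for p in profiles:
            if p["precedence"] != "No restrictions":
                findings.append(f"{p['name']}: precedence is {p['precedence']!r}")
            if p["name"] not in admin_profiles:
                findings.append(f"{p['name']}: no UBA Admin service token")
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN) or ["plan passes all checks"]:
        print(finding)
```

A shared IBM Sense identifier or tenant is the finding to treat as blocking, because it means two tenants' UBA instances would not be separated at the domain level.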