It has been announced that a new version of the UBA extension for QRadar can be expected soon. The new version, 3.6, will bring a number of new features, including the one most overlooked by customers: Multi-Tenancy support.
To use this great new QRadar feature, the software installation needs to be updated to at least version 7.4.0 FP1, and QRadar App Assistant version 3.0 is also expected to be installed. The QAA app is needed to install tenant instances.
For a Multi-Tenant installation we will need to create a number of new IBM Sense Log Sources for each domain (currently we have only one Sense Log Source) and configure Multi-Tenancy as it is available in QRadar (with at least one tenant in each domain).
Apart from this, the new UBA will need a QR Admin account, which is responsible for setup and can view and make changes to all UBA accounts and domains. This user will install and configure Machine Learning for every UBA instance, although it will not have its own installation of ML. Any currently installed ML should be uninstalled and a new instance deployed for each tenant.
A user with Tenant Admin privileges can view and make changes to the specific tenant's UBA, and can also create custom models in Machine Learning or manage the UBA instance.
Due to a current limitation in the QRadar architecture (there is only one Custom Rule Engine), rules apply to the whole system and not to one domain only. Nevertheless, you can easily duplicate existing rules and add an additional condition, “when the domain is one of the following…”, which separates the rules for each domain. A similar approach is possible for Reference Sets, and these can be domain-specific.
Other new features will be added in UBA 3.6, such as new rules for Office 365, import of user lists from CSV files, and new Dashboard Filters, which help admins in their day-to-day work with this great QRadar extension. Once it is available for download, I will start testing it and provide more details about these features.