Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Managing Multi-tenanted Apps

 

The QRadar Assistant app 3.0.0 supports multitenant environments in QRadar 7.4.0 Fix Pack 1 and later.

With QRadar Assistant 3.0.0 and later, you can manage instance for these apps (such as User Behavior Analytics, Pulse, Log Source Management App) in a multi-tenant environment.

Overview

You can create multiple instances and associate one instance to a security profile. By assigning domain to different security profiles, you can segregate the events and flows that an instance consumed. For example, you install an multi-tenated app "Hello App" in a multi-divisional organizations. You may want to create some security profiles like "Green Office", "Blue Office" with different domains attached. And then you're able to create multiple instances as "Hello App-Green Office", "Hello App-Blue Office" in a single, shared deployment.

Use security profiles and user roles to manage privileges for large groups of users in your environment. Security profiles and user roles ensure that users have access to only the information that they are authorized to see.

Multi-tenanted Apps

You may create multiple instances for a multi-tenanted app to segregate different users' use. However, not every app is supports multi-tenancy or needs to have multiple instances. In that case, you would have only one instance (a "default instance") after the extension installed. The "default instance" is an instance that is globally viewable for all users, and you can control the permission via user role settings as in QRadar V7.3.x.

Configuring QRadar for Creating Multiple Instances

You must configure QRadar administrative settings to create multiple instances.

You can only create multiple instances with the QRadar Assistant 3.0.0 and QRadar 7.4.0 Fix Pack 1 and later.

  1. Create a security profile that would be associated later for the instance.
  2. Create domains and associated those with the security profile specified in Step 1.
  3. Create a user role that can access this app.
  4. Create a user and associate to the specific security profile and user role.
  5. Deploy changes.
  1. Create a security profile "Blue Office."

  2. Create a user role named "DevOps."

  3. Create a user named "blue-dev" to be associate with the security profile "Blue Office" and the user role "DevOps."

  4. Deploy changes.

  5. Create a new instance for the user "blue-dev."

Creating an Instance

With Assistant 3.0.0 and later in a multi-tenant environment, Admin users can create instance from a multi-tenanted app.

You must complete the steps described in Configuring QRadar for creating multiple instances. Only Admin users can create new instances.

Every extension instance must be associated with a security profile. If an instance requires an authorized service token, the authorized service must be assigned with the same security profile.

The option Create New Instance is not available in the following situations.

  • The extension does not support multitenancy: The extension is not multitenancy aware and the option Create New Instance is not available.

  • The extension only allows one instance to be created: Apps like Pulse, Log Source Management App, and Assistant that are for administrative purposes can only have one instance.

  1. Click the Assistant app icon, and then click Applications.
  2. Ensure you're in the List View in Application Manager.
  3. In the Installed Extensions section, click the ellipsis icon in the Options column of the extension for which you want to create an instance, and then click Create New Instance.
  4. In the Create New Instance window, follow the onscreen instructions to specify the Security profile and User role, and then click Confirm and Create. After the instance is created, you can expand the table and see a new row for this instance.Note

    Regarding the Installed Extension table,

    • The Total Memory column shows the overall storage space used for all instances on the corresponding extension. You can expand each row of the extension table to see more details.

    • Each row of the instance table is a grouped result. If an installed extension has two or more apps, it would still show only one row in the instance table but the memory consumption is a summation of all apps.

  5. Deploy changes in QRadar administrator page if the user roles are newly added.

Managing Instances

You can restart, stop, or configure an extension instance.

Stopping an extension instance will force logging off all users of that instance.

  1. Click the Assistant app icon, and then click Applications.
  2. Select the extension name whose instance you want to manage, and click the ellipsis icon in the Options column of the extension you want to manage.

    Field

    Description

    Start All Instances

    Start a stopped instance.

    Stop All Instances

    Stop an active instance.

    Delete All Instances

    Remove the instance.

    Create New Instance

    Create a new instance.

    Check for Updates

    Navigate to Full view for extension information.

    Uninstall Extension

    Navigate to Extension Management for PREVIEWING and Uninstall procedure.

    Note: You need to uninstall all non-admin instances before uninstalling the extension.

  3. Click the ellipsis icon in the Options column of the instance you want to manage.

    Field

    Description

    Start Instance

    Start a stopped instance.

    Stop Instance

    Stop a running instance.

    Delete Instance

    Remove the instance.

    Configure Instance

    This option is only available to the instances that has exported the configuration endpoints. After clicking this option, a sliding panel would be displayed with the configuration page embedded in an iframe. Admin users can use the page to configure the instance associated with a specific security profile.

    View as [Security Profile Name]

    This option is only available for the instances that are associated with a non-admin security profile. Admin user can use this function to override the permission temporarily and to see all instances associated with the specified security profile.

    Note: You need to refresh the browser to see the additional instances granted by the override permission.

    Hide

    This option is only available after View as [Security Profile] is selected. Click Hide to toggle the overriding permission of the Admin user.