Managing Multitenant Apps
QRadar Assistant app 3.0.0 supports multitenant environments in QRadar 7.4.0 Fix Pack 1 or later.
With QRadar Assistant 3.0.0 or later, you can manage instance for these apps (such as QRadar User Behavior Analytics, QRadar Pulse, QRadar Log Source Management App) in a multitenant environment.
You can create multiple instances and associate one instance to a security profile. By assigning a domain to different security profiles, you can segregate the events and flows that from different instances. For example, you install a multitenant app "Hello App" in a multi-divisional organization and you want to create some security profiles such as "Green Office", "Blue Office" with different domains. After you create the security profiles, you create multiple instances like "Hello App-Green Office" and "Hello App-Blue Office" in a single shared deployment.
Use security profiles and user roles to manage privileges for large groups of users in your environment. Security profiles and user roles ensure that users have access to only the information that they are authorized to see.
Multitenant Apps
You can create multiple instances for a multitenant app to segregate different users. However, not every QRadar app is supports multitenancy, or needs to have multiple instances. In most cases, you would have only one instance (default instance) after the extension is installed. The default instance is globally viewable for all users; you can assign the permissions in the user role settings in JSA 7.3.1 or later.
Configuring QRadar for Creating Multiple Instances
You must configure QRadar administrative settings to create multiple instances.
You can only create multiple instances with the QRadar Assistant 3.0.0 and QRadar 7.4.0 Fix Pack 1 and later.
Create a security profile that would be associated later for the instance.
-
Create domains and associated those with the security profile specified in Step 1.
Create a user role that can access this app.
Create a user and associate to the specific security profile and user role.
Deploy changes.
Create a security profile "Blue Office."
Create a user role named "DevOps."
Create a user named "blue-dev" to be associate with the security profile "Blue Office" and the user role "DevOps."
Deploy changes.
Create a new instance for the user "blue-dev."
Creating an Instance
With Assistant 3.0.0 and later in a multi-tenant environment, Admin users can create instance from a multi-tenanted app.
You must complete the steps described in Configuring QRadar for creating multiple instances. Only Admin users can create new instances.
Every extension instance must be associated with a security profile. If an instance requires an authorized service token, the authorized service must be assigned with the same security profile.
The option Create New Instance is not available in the following situations.
The extension does not support multitenancy: The extension is not multitenancy aware and the option Create New Instance is not available.
The extension only allows one instance to be created: Apps like Pulse, Log Source Management App, and Assistant that are for administrative purposes can only have one instance.
Click the Assistant app icon, and then click Applications.
Ensure you're in the List View in Application Manager.
In the Installed Extensions section, click the ellipsis icon in the Options column of the extension for which you want to create an instance, and then click Create New Instance.
In the Create New Instance window, follow the onscreen instructions to specify the Security profile and User role, and then click Confirm and Create. After the instance is created, you can expand the table and see a new row for this instance.
Note:Regarding the Installed Extension table,
The Total Memory column shows the overall storage space used for all instances on the corresponding extension. You can expand each row of the extension table to see more details.
Each row of the instance table is a grouped result. If an installed extension has two or more apps, it would still show only one row in the instance table but the memory consumption is a summation of all apps.
Deploy changes in QRadar administrator page if the user roles are newly added.
Managing Instances
You can restart, stop, or configure an extension instance.
Stopping an extension instance will force logging off all users of that instance.
Click the Assistant app icon, and then click Applications.
Select the extension name whose instance you want to manage, and click the ellipsis icon in the Options column of the extension you want to manage.
Field
Description
Start All Instances
Start a stopped instance.
Stop All Instances
Stop an active instance.
Delete All Instances
Remove the instance.
Create New Instance
Create a new instance.
Check for Updates
Navigate to Full view for extension information.
Uninstall Extension
Navigate to Extension Management for PREVIEWING and Uninstall procedure.
Note:You need to uninstall all non-admin instances before uninstalling the extension.
Click the ellipsis icon in the Options column of the instance you want to manage.
Field
Description
Start Instance
Start a stopped instance.
Stop Instance
Stop a running instance.
Delete Instance
Remove the instance.
Configure Instance
This option is only available to the instances that has exported the configuration endpoints. After clicking this option, a sliding panel would be displayed with the configuration page embedded in an iframe. Admin users can use the page to configure the instance associated with a specific security profile.
View as [Security Profile Name]
This option is only available for the instances that are associated with a non-admin security profile. Admin user can use this function to override the permission temporarily and to see all instances associated with the specified security profile.
Note:You need to refresh the browser to see the additional instances granted by the override permission.
Hide
This option is only available after View as [Security Profile] is selected. Click Hide to toggle the overriding permission of the Admin user.