IBM QRadar

🏁 Introduction :

In today’s security operations environments, large enterprises and Managed Security Service Providers (MSSPs) often manage security data for multiple business units, departments, or even external clients - all within a single IBM QRadar deployment. This introduces the need for multi-tenancy, where each tenant operates in an isolated environment while sharing the same underlying QRadar infrastructure.

The User and Entity Behavior Analytics (UEBA) app in QRadar adds advanced behavioral modeling and anomaly detection capabilities by learning normal user and entity activities. However, in a multi-tenant setup, the UEBA app must be carefully configured to ensure each tenant’s behavioral data remains isolated and analytics are performed only on their respective events.

This step-by-step guide walks you through how to configure and validate multi-tenancy for the UEBA app in QRadar, ensuring that each tenant receives accurate behavioral insights without data overlap or privacy risks. You’ll learn how to align UEBA’s learning models with QRadar domains, manage data sources per tenant, and verify that UEBA dashboards reflect tenant-specific activities.

💡 Why Multi-Tenancy is Required :

In a shared QRadar environment, UEBA analyzes all available data by default. Without multi-tenancy, behavior models can mix events from different clients or departments - leading to false anomalies, privacy risks, and compliance issues.
Enabling multi-tenancy ensures data isolation, accurate behavior analytics, and secure visibility for each tenant within the same QRadar deployment.

🧠 Example Use Case :

Imagine an MSSP using QRadar to monitor three clients - Bank A, Retail B, and Healthcare C.
Without multi-tenancy, UEBA could accidentally correlate login anomalies from Bank A with users from Retail B, producing false positives.
With proper multi-tenant configuration, each organization’s UEBA instance or domain-specific model runs independently, maintaining clean, reliable insights.

🔹 Value Addition: Making the Most of Multi-Tenant UEBA

A well-designed multi-tenant UEBA setup goes beyond isolation — it enables both shared intelligence and operational efficiency. Each tenant maintains full data separation, but SOC teams can still identify high-level trends across clients. For example, if several tenants experience a sudden spike in “impossible travel” logins, analysts can correlate it as a wider campaign while respecting privacy boundaries.

Clients benefit from strong confidentiality and faster threat detection, while SOC analysts gain a unified view of cross-tenant risk without manual correlation.

Tenant-specific UEBA models further increase accuracy by aligning behavioral baselines to each client’s unique environment. A healthcare tenant’s 24×7 user activity differs from a manufacturing tenant’s daytime patterns - customized thresholds reduce false positives and enhance analyst confidence.

Automation and observability amplify these advantages. Using APIs or orchestration tools, MSSPs can onboard new tenants in minutes while maintaining consistent configurations. Tenant-level dashboards then give both clients and analysts clear insight into anomaly trends, UEBA performance, and compliance posture - creating a scalable, intelligent, and trusted foundation for modern SOC operations.

⚙️ Prerequisites :

Before configuring multi-tenancy for the UEBA app, make sure you have:

• QRadar Admin access with permissions to manage domains and apps

• QRadar version 7.5.0 GA or later (with domain support enabled)

• UEBA app installed on the Console or App Host (latest version recommended)

• The Machine Learning app is optional, but it must be installed if you want to provide access to tenants.
• IBM QRadar Hub app installed on the Console or App Host (latest version recommended)

🪜 Step-by-Step Configuration for Multi-Tenancy in UEBA :

Follow these steps to configure and validate UEBA for a multi-tenant (domain-based) QRadar setup.

Step 1: Define IBM Sense Log Source for Each Domain

Each tenant domain requires its own IBM Sense log source to enable UEBA processing.

• Go to Admin → Log Sources → Add and create a new IBM Sense log source for every domain.

• Note the unique IBM identifier generated for each log source - you’ll use it when configuring the corresponding UEBA instance.

• Only the admin (default) UEBA instance has a Sense log source created automatically; you must manually create one for all additional tenants.

Screenshot below shows how the Log Sources appears after creation.

Step 2: (Optional) Determine Data Provisioning

Decide which data sources will feed each tenant’s UEBA instance:

1. Go to Admin → Log Source Groups → Add and create a new log source group (if needed).

2. Assign specific log sources, log source groups, or event collectors to each domain.

3. If using a log source group, add the IBM Sense log source (from Step 1) to the group.

Step 3: Define Tenants in Tenant Management

This step ensures each tenant is properly registered, scoped, and connected to its data sources for UEBA analytics.

1. Go to Admin → Tenant Management → Add and create a new tenant.

2. Set an event rate limit to control the volume of events the tenant can send to UEBA.

Screenshot below shows how the Tenants appears after creation.

Step 4: Define domains in Domain Management

This step ensures that each tenant is properly mapped to its domain and data sources for accurate UEBA analytics.

1. Go to Admin → Domain Management → Add and create a new domain (if not already created).

2. For each tenant:

   • Associate the IBM Sense log source from Step 1 (if not using log source groups), or associate the log source group created in Step 2.

   • Add the relevant event collector.

3. Ensure each domain has a unique tenant assigned. After creating the domain, select it from the list and click Assign Tenant to link the tenant to the domain.

Screenshot below shows how the Tenants appears after creation.

Step 5: (Optional) Define Networks in Network Hierarchy

Before starting this step, Go to Admin tab, click Deploy Changes to apply all previous configurations.

1. Go to Admin → Network Hierarchy → Add and create a new network hierarchy for each domain.

2. Assign network ranges as needed for each domain.

Note: This step is optional and only required if you want each tenant to have a domain-specific network hierarchy. 

Step 6: Create a Security Profile for Each Domain

1. Go to Admin → Security Profiles → Add and create a new security profile.

2. Associate the previously defined domain, along with its IBM Sense log source or log source group and network hierarchy.

3. Save the profile to ensure that UEBA can correctly process events for that tenant/domain.

This step links each domain’s data and network context to a security profile, enabling accurate UEBA analytics per tenant.

Screenshot below shows how the Security Profile appears after creation.

Step 7: Create Role in User Management and Deploy Changes

1. Go to Admin → User Roles → Add and create a new role.

2. Assign the appropriate Security Profile to the role (see attached screenshot below).

3. After creating the role, go to the Admin tab and click Deploy Changes to apply the configuration.

This ensures that users assigned to the role have the correct tenant-specific access in UEBA.

Step 8: Create Users

1. Go to Admin → Users → Add and create a new user.

2. Create a Tenant Admin and, during creation, associate the user with:

   • The role created in Step 7

   • The security profile created in Step 6

   • The tenant created in Step 3

3. After creating the user, go to the Admin tab and click Deploy Changes to apply the configuration.

This ensures that each tenant has an admin with the correct access and permissions for UEBA.

Step 9: Create Service Tokens in Authorized Services

1. Go to Admin → Authorized Services → Add and create a new token.

2. During creation, associate the token with:

   • The role created in Step 7

   • The security profile created in Step 6

   • The tenant created in Step 3

3. Important: Copy and securely save the token after creation - it will be needed when configuring the UEBA tenant’s instance.

Step 10: Create a Tenant’s Instance

1. Go to IBM QRadar Hub App → Applications → Manage.

2. Click the three-dot icon for the UEBA app and select Create New Instance.

3. Select the Security Profile created in Step 6 and click Next.

4. Select the User Role created in Step 7 and click Next.

5. Click Finish — the new instance will start creating immediately.

6. Wait until the instance status shows Running.

7. Click the three-dot icon for the newly created instance and select Configure Instance → UEBA Settings.

8. Enter the Authorized Service Token created in Step 9.

9. Enter the IBM Sense Log Source Identifier from Step 1 — ensure it is correct to allow proper event processing.

10. Important: Once configuration is complete, refresh the browser to see the newly configured instance tab.

This step creates a tenant-specific UEBA instance with all the required security profiles, roles, and log sources configured.

🧠 Conclusion :

Setting up multi-tenancy in QRadar UEBA ensures that each tenant has isolated data, dedicated security profiles, and controlled access, allowing for accurate behavioral analytics without data leakage. By following this step-by-step guide, administrators can efficiently create and manage tenant instances, configure roles, users, log sources, and network hierarchies, and provide secure access via service tokens.

Proper configuration not only enhances security and compliance but also optimizes UEBA model accuracy for each tenant, enabling actionable insights across your environment.

💡 References :

• QRadar UEBA App Guide

• Multitenancy in UEBA