I agree, it does seem like we have been waiting a long time for this.
From what I have been led to believe, this will require a 7.4 type update and thus being able to pass this information via the API. This behind-the-scenes change will lead to UBA being domain aware almost upon release.
7.4 is not expected until next year.
------------------------------
James Hill
------------------------------
Original Message:
Sent: Sat November 02, 2019 02:49 AM
From: Martijn Groenewegen
Subject: Qradar UBA , domain aware / multi-tenant
I know a long time ago we asked the same question and the answer was then "we are working on that", but the latest version of UBA is still not domain aware. Since we are running a multi-domain setup, it's basically making UBA useless.
All reference sets are being filled as "shared data" instead of domain specific etc., so a user event from one domain is adding to the risk score for a user in another domain.
Learned peers have overlap with users from other domains.
With all the work that has gone in underneath in QRadar, it feels like the developers of UBA are missing / aren't using a lot of that functionality.
------------------------------
Martijn Groenewegen
------------------------------