QRadar XDR

  • 1.  MultiTenancy data migration

    Posted Thu July 15, 2021 04:15 PM
    Ciao, 
    I have this scenario:
    A customer in a multi-tenant environment wants to move to a dedicated environment. In the multi-tenant environment I have a dedicated collector for the customer.
    I did some research but I still have some doubts about this particular scenario.
    1. Can I remove the collector from the multi-tenant environment and assign it to the new one? The managed host has the console IP "cabled" in its configuration - how can I replace it with the new console? Do I need to install a new console and also a new collector?
    2. How can I migrate data (events, rules, log sources) from the multi-tenant to the dedicated environment? About events, I took a look at the syncAriel.sh script, but it doesn't seem possible to choose to migrate events for 1 domain only. About rules, log sources, etc., I would like to use CMT since it seems to have the possibility to export by domain.

    Is there anyone who has already faced a similar case and wants to give me some advice?
    Thanks in advance. 
    Andrea

    ------------------------------
    Andrea Neumann
    ------------------------------


  • 2.  RE: MultiTenancy data migration

    Posted Fri July 16, 2021 04:59 AM

    Hi Andrea,
    we had a similar scenario some time ago.

    First of all, CMT is the right tool for all kinds of migrations. Be as specific as possible when copying data. If you are not familiar with CMT, have a look at Ralph Blog available on our website.

    Before that, you should reinstall your collector as well as your dedicated QRadar console. This is much faster than any other way.

    Ariel data sync is not needed from my perspective. You set up the new environment as a clone and switch it on as soon as you are ready. We call this a Big Bang scenario. No need to migrate historic data as they still exist in your old environment. Of course you need to switch off your old collector. If your collector is hardware-based, I would work around this by using a virtual collector for setting everything up and testing it before the Big Bang.



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 3.  RE: MultiTenancy data migration

    Posted Tue July 20, 2021 03:24 AM
    Ciao Karl, thanks for the good tips.
    I will not complicate my life and I will keep the data on the two infrastructures until the end of the retention. Regarding the CMT, I will make exports as granular as possible.
    Thanks again for taking the time to answer me.



    ------------------------------
    Andrea Neumann
    ------------------------------