Creating Virtual Tenants

What is a TrackMe Virtual Tenant

About TrackMe Virtual Tenants

  • In TrackMe, a Virtual Tenant is essentially a virtual instance of TrackMe that handles the application life cycle from A to Z.

  • A virtual tenant is an independent application space that can be dedicated according to your needs, addressing any of your requirements in terms of scoping and segmentation.

  • When you access TrackMe after the initial deployment, the application comes with no Virtual Tenants created yet.

Purposes of Virtual Tenants:

  • A segmentation that makes sense for you: a company or a country, a set of dedicated Splunk clusters or indexes

  • Specific TrackMe components

  • A space you want to dedicate for a given team, for example a dedicated space for your application monitoring teams

  • A technology-related space, say one tenant handling firewall data for your security teams while another handles performance data for operational teams

  • Strong role-based access control requirements, where different teams (mapped to different roles) are responsible for specific data spaces

  • And many more use cases

In TrackMe, creating a virtual tenant dynamically creates all related knowledge objects through this interface, which also lets you perform their main setup, such as root constraints, ownership and role-based access control.

You can experiment, create, delete the entire space and related objects, disable and re-enable, update and change roles and ownership!

screen1.png

Types of Virtual Tenants

In TrackMe, Virtual Tenants are linked to TrackMe components; the following types of Virtual Tenants are currently available:

  • splk-feeds Virtual Tenants, which include the following components (and can be enabled independently): splk-dsm / splk-dhm / splk-mhm

  • splk-wlk Virtual Tenants, which stands for the TrackMe Workload component

  • splk-flx Virtual Tenants, which stands for TrackMe Flex Magic components

  • splk-cim Virtual Tenants, which stands for TrackMe Common Information Model compliance tracking

Creating a Splunk Feeds (splk-feeds) Virtual Tenant

splk-feeds wizard

A wizard guides you through the creation of a Splunk feeds tracking Virtual Tenant; its guided steps allow you to:

splk_flx_welcome.png
  • define the name (tenant_id) and description of the tenant

  • choose which splk-feeds components will be enabled in the tenant (splk-dsm / splk-dhm / splk-mhm)

  • for each component, define its main options such as the target Splunk environment (local or remote), data discovery scope, custom break by, etc

  • define the Role Based Access Control policies (RBAC, administration and user roles, knowledge objects owner)

  • define the Virtual Tenant indexes

Tenant identifier (tenant_id), Tenant Alias (tenant_alias) and Description (tenant_desc)

Hint

Tenant Alias since TrackMe 2.0.83

  • Since TrackMe 2.0.83, you can define the tenant alias and update it at any time

  • Unlike the tenant_id, which is immutable, the tenant_alias can be updated at any time

  • The tenant alias is the name of the tenant as shown in the Virtual Tenant UI; it is also used to order the list of tenants in the UI

  • The alias is optionally defined during the Virtual Tenant creation, and can later on be updated in Configure / Virtual Tenants account

In this step, you define the unique identifier for the tenant (tenant_id) and optionally an alias and a description:

The tenant_id must be unique amongst all created tenants and is immutable; this field is carried in every piece of data (events and metrics) generated by TrackMe. (Note: tenant_id is an indexed field.)

screen2.png

splk-dsm

The splk-dsm component stands for Splunk Data Source Monitoring; it tracks Splunk data with various powerful features. In a nutshell:

  • Tracking Splunk feeds from the lens of the index / sourcetype

  • Optionally, adding a custom break by, i.e. an additional indexed or search-time field to break entities down by

  • TrackMe then generates and maintains entities accordingly, generates Key Performance Indicators, tracks outlier behaviour (Machine Learning), data quality, etc.

screen3.png

The main options to consider in the wizard:

  • Create tracker now: you can choose to create a tracker within the wizard, at Virtual Tenant creation time, which creates a Hybrid Tracker. (Hybrid trackers can also be created at any time in the Virtual Tenant)

  • Splunk deployment: you can set whether the data is locally available, or whether the target is a remote Splunk deployment

  • Splunk root search constraint: defines the root search constraint that applies to the discovery and management of feeds entities

  • Restrict indexes discovery: in addition to the root search constraint, you can restrict index discovery using explicit and wildcard-based index patterns

  • Advanced options: define settings for the Hybrid tracker, if enabled, and other component-specific options if any (custom break by, etc.)

  • Test now: allows you to preview the execution and entity discovery

Local versus remote deployment:

In TrackMe, when defining Virtual Tenants and trackers, you can always choose between the local deployment and a remote Splunk deployment, if you have configured any.

When switching to a remote target, TrackMe will perform a connectivity and authentication test, and show the result:

screen4.png

Testing the Hybrid tracker:

You can test your configuration at any time using the “Test now” button; this performs a preview search according to your target and settings:

screen5.png

A notification will appear at the bottom of the screen indicating whether any entities could be found.

Restricting indexes discovery:

You can restrict the scope of the Virtual Tenant, either by customising the root search constraint or by specifying index patterns:

Both the search constraint and indexes discovery configuration can be updated later on in the Virtual Tenant configuration.

Advanced options:

This screen allows you to customise the Hybrid tracker creation, as well as define additional options specific to the component.

screen6.png

splk-dhm

The splk-dhm component stands for Splunk Data Host Monitoring; it tracks Splunk data from the lens of an endpoint:

  • Track sourcetype activity per endpoint

  • Define the concept of endpoint (defaults to the host metadata, but can be changed to any custom field)

  • Monitor independently or as a whole the data availability per endpoint, apply policies, etc!

screen7.png

The main options to consider in the wizard:

  • Create tracker now: you can choose to create a tracker within the wizard, at Virtual Tenant creation time, which creates a Hybrid Tracker. (Hybrid trackers can also be created at any time in the Virtual Tenant)

  • Splunk deployment: you can set whether the data is locally available, or whether the target is a remote Splunk deployment

  • Splunk root search constraint: defines the root search constraint that applies to the discovery and management of feeds entities

  • Restrict indexes discovery: in addition to the root search constraint, you can restrict index discovery using explicit and wildcard-based index patterns

  • Advanced options: define settings for the Hybrid tracker, if enabled, and other component-specific options if any (custom break by, etc.)

  • Test now: allows you to preview the execution and entity discovery

splk-mhm

The splk-mhm component stands for Splunk Metric Host Monitoring; it tracks Splunk metrics from the lens of an endpoint:

  • Track metric category availability per endpoint

  • Define the concept of endpoint (defaults to the host metadata, but can be changed to any metric dimension)

  • Apply policies, etc.

screen8.png

The main options to consider in the wizard:

  • Create tracker now: you can choose to create a tracker within the wizard, at Virtual Tenant creation time, which creates a Hybrid Tracker. (Hybrid trackers can also be created at any time in the Virtual Tenant)

  • Splunk deployment: you can set whether the data is locally available, or whether the target is a remote Splunk deployment

  • Splunk root search constraint: defines the root search constraint that applies to the discovery and management of feeds entities

  • Restrict indexes discovery: in addition to the root search constraint, you can restrict index discovery using explicit and wildcard-based index patterns

  • Advanced options: define settings for the Hybrid tracker, if enabled, and other component-specific options if any (custom break by, etc.)

  • Test now: allows you to preview the execution and entity discovery

RBAC, ownership and indexes

Common to all Virtual Tenants, the final step allows you to define your RBAC policy, the knowledge object owner and the indexes that will be used in the scope of this Virtual Tenant:

screen9.png

RBAC:

  • define the user roles required for the administration of the Tenant; users who are members of these roles can access and administer the tenant

  • define the user roles required for the usage of the Tenant without modification privileges; users who are members of these roles can access the tenant but cannot perform any kind of modification

Owner:

  • defines the Splunk user owning all the tenant-related knowledge objects

  • tracker executions, for instance, run on behalf of this user

  • any further knowledge object, such as a new Hybrid tracker, that you create later on will be automatically assigned to this user

Indexes:

  • defines the Splunk indexes for this tenant

  • the indexes need to have been defined prior to this step

splk-feeds REST

TrackMe provides a deep REST API for every action that is available in the application; for a full list of endpoints and options, consult the REST API reference user interface:

  • Navigation bar / API & Tooling / TrackMe REST API Reference

screen10.png screen11.png

For example, you can create a new Virtual Tenant for splk-dsm with the following SPL command:

| trackme url="/services/trackme/v2/vtenants/admin/add_tenant" mode="post" body="{ 'tenant_desc': 'Demo tenant', 'tenant_name': 'mytenant', 'tenant_roles_admin': 'trackme_admin', 'tenant_roles_user': 'trackme_user', 'tenant_owner': 'admin', 'tenant_idx_settings': 'global', 'tenant_dsm_enabled': 'true', 'tenant_dsm_sampling_obfuscation': 'disabled', 'update_comment': 'Created for the purpose of the documentation.'}"
screen12.png

Creating a CIM compliance (splk-cim) Virtual Tenant

splk-cim wizard

When creating a new splk-cim Virtual Tenant, you only need to specify the tenant identifier and description, as well as the RBAC, ownership and indexes policies.

The configuration process of entities is handled once the tenant has been created within the Tenant user interface:

splk_cim_welcome.png splk_cim_welcome2.png

splk-cim REST

You can create a new splk-cim Virtual Tenant using the following SPL command:

| trackme url="/services/trackme/v2/vtenants/admin/add_tenant" mode=post body="{ 'tenant_desc': 'SIEM', 'tenant_name': 'mytenant', 'tenant_roles_admin': 'trackme_admin', 'tenant_roles_user': 'trackme_user', 'tenant_owner': 'admin', 'tenant_idx_settings': 'global', 'tenant_cim_enabled': 'true'}"

Creating a Splunk Flex Object (splk-flx) Virtual Tenant

splk-flx wizard

When creating a new splk-flx Virtual Tenant, you only need to specify the tenant identifier and description, as well as the RBAC, ownership and indexes policies.

The configuration process of entities is handled once the tenant has been created within the Tenant user interface:

splk_flx_welcome.png splk_flx_welcome2.png

splk-flx REST

You can create a new splk-flx Virtual Tenant using the following SPL command:

| trackme url="/services/trackme/v2/vtenants/admin/add_tenant" mode=post body="{ 'tenant_desc': 'SIEM', 'tenant_name': 'mytenant', 'tenant_roles_admin': 'trackme_admin', 'tenant_roles_user': 'trackme_user', 'tenant_owner': 'admin', 'tenant_idx_settings': 'global', 'tenant_flx_enabled': 'true'}"

Creating a Splunk Workload Virtual Tenant

splk-wlk wizard

When creating a Splunk Workload Virtual Tenant, you will specify various options as the tracker configuration is handled during the Virtual Tenant creation phase:

splk_wlk_welcome.png

Splunk deployment type

splk_wlk_create1.png

Define the type of deployment:

  • If you select Splunk Cloud, a tracker will be created to monitor the Splunk SVC consumption summary metrics.

Splunk deployment target

splk_wlk_create2.png

Define the target:

  • If local, the searches are performed locally: the introspection, scheduler and other types of searches run against data that can be searched on the Search Head hosting TrackMe

  • You can also set a remote deployment account, which can target one or more Splunk REST API endpoints

  • TrackMe transparently adapts searches as needed to use the splunkremotesearch command with the appropriate account

Root search constraint

Multiple Search Head Tiers

  • When you have multiple logical Search Head tiers (for instance a Search Head Cluster and one or more Standalone Search Heads), it is very important to restrict the root constraint to target only the intended Search Head members

  • To do so, make sure to use the host metadata, either explicitly (host=myserver1 OR host=server2) or with any equivalent technique of your choice (subsearch, lookups, etc.)

  • The easiest solution is to dedicate a Tenant per Search Head tier; alternatively, for advanced setups with multiple Search Head tiers within the same tenant, you can use the Grouping option and define the Workload trackers manually

splk_wlk_create3.png

Search constraint:

  • You can optionally define additional search filters to be used for the introspection, scheduler and Splunk Cloud SVC metrics

  • This can be useful to define the scope of the Workload tenant, filtering on Splunk applications or Splunk host related metadata (host, splunk_server)

ML Outliers

splk_wlk_create4.png

Define ML outliers models at the entity discovery phase:

  • When TrackMe discovers entities, it can automatically create and train ML models

  • The default behaviour is to train ML models against the elapsed metric (the search run time from the introspection perspective)

Inactive entities

splk_wlk_create5.png

Automatically purge inactive scheduled entities after a given period of time:

  • This setting influences the behaviour of the “inactive_entities” Workload tracker

  • When the tracker runs, it inspects entities which have not been active for a period of time and, depending on this value, automatically removes them from the KVstore collections

splk-wlk REST

You can create a new splk-wlk Virtual Tenant using the following SPL command:

| trackme url="/services/trackme/v2/vtenants/admin/add_tenant" mode=post body="{ 'tenant_desc': 'SIEM', 'tenant_name': 'mytenant', 'tenant_roles_admin': 'trackme_admin', 'tenant_roles_user': 'trackme_user', 'tenant_owner': 'admin', 'tenant_idx_settings': 'global', 'tenant_wlk_enabled': 'true'}"
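The four add_tenant calls on this page (splk-feeds REST, splk-cim REST, splk-flx REST and splk-wlk REST) share one request shape, and the RBAC, ownership and indexes step above defines the roles and owner that body carries. The following Python script is an added example, not TrackMe's own code: it builds that body, refuses a tenant_id that is malformed or already taken (the identifier is immutable once created), renders the same single-quoted SPL form the page uses, and can submit the body over the splunkd REST API. Assumptions, also labelled in the code: the tenant identifier character set, the component keys for splk-dhm and splk-mhm are deliberately left out because the page does not show them, the endpoint accepting a JSON body with a bearer token on https://localhost:8089, and the SPLUNK_TOKEN environment variable name.

```python
import json
import os
import re
import ssl
import urllib.request
from typing import Callable, Dict, Iterable, Optional

# Endpoint path exactly as it appears in the page's SPL examples.
ADD_TENANT_PATH = "/services/trackme/v2/vtenants/admin/add_tenant"

# Body keys that enable a component; only the four shown on the page are
# listed (the keys for splk-dhm / splk-mhm are not shown, so not guessed).
COMPONENT_FLAGS = {
    "dsm": "tenant_dsm_enabled",
    "cim": "tenant_cim_enabled",
    "flx": "tenant_flx_enabled",
    "wlk": "tenant_wlk_enabled",
}

# Assumption, not a rule documented by TrackMe: keep identifiers to a
# conservative character set, because tenant_id is immutable and becomes
# an indexed field on every event and metric TrackMe emits.
TENANT_ID_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{0,63}$")


def build_add_tenant_body(
    tenant_id: str,
    tenant_desc: str,
    component: str,
    existing_tenants: Iterable[str] = (),
    roles_admin: str = "trackme_admin",
    roles_user: str = "trackme_user",
    owner: str = "admin",
    idx_settings: str = "global",
    update_comment: Optional[str] = None,
) -> Dict[str, str]:
    """Return the add_tenant body, or raise ValueError before anything is sent."""
    if component not in COMPONENT_FLAGS:
        raise ValueError(f"unknown component {component!r}")
    if not TENANT_ID_RE.match(tenant_id):
        raise ValueError(f"malformed tenant_id {tenant_id!r}")
    # tenant_id must be unique and cannot be renamed later: fail early.
    if tenant_id in set(existing_tenants):
        raise ValueError(f"tenant_id {tenant_id!r} already exists")
    body = {
        "tenant_desc": tenant_desc,
        "tenant_name": tenant_id,  # the REST body names the identifier tenant_name
        "tenant_roles_admin": roles_admin,
        "tenant_roles_user": roles_user,
        # The owner runs every tenant search, trackers included: prefer a
        # dedicated service account holding only the capabilities needed.
        "tenant_owner": owner,
        "tenant_idx_settings": idx_settings,
        COMPONENT_FLAGS[component]: "true",
    }
    if update_comment:
        body["update_comment"] = update_comment
    # Quotes would break the single-quoted SPL rendering below, so refuse them.
    for key, value in body.items():
        if "'" in value or '"' in value:
            raise ValueError(f"{key} must not contain quote characters")
    return body


def to_spl(body: Dict[str, str]) -> str:
    """Render the body in the single-quoted form the page's SPL examples use."""
    inner = json.dumps(body).replace('"', "'")
    return f'| trackme url="{ADD_TENANT_PATH}" mode=post body="{inner}"'


def submit_add_tenant(
    body: Dict[str, str],
    post: Callable[[str, bytes, Dict[str, str]], int],
    base_url: str = "https://localhost:8089",  # assumption: local splunkd port
) -> int:
    """POST the body as JSON (assumed accepted by the endpoint) and return the status.
    The sender is injected so the function can be exercised offline."""
    headers = {"Content-Type": "application/json"}
    token = os.environ.get("SPLUNK_TOKEN")  # assumed variable; never hard-code it
    if token:
        headers["Authorization"] = f"Bearer {token}"
    return post(base_url + ADD_TENANT_PATH, json.dumps(body).encode(), headers)


def urllib_post(url: str, data: bytes, headers: Dict[str, str]) -> int:
    """Real sender with TLS verification left on (use a trusted CA bundle)."""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.status


if __name__ == "__main__":
    demo = build_add_tenant_body("mytenant", "Demo tenant", "dsm",
                                 update_comment="Created for the documentation")
    print(to_spl(demo))
    sent = []  # dry run: record the request instead of contacting splunkd
    submit_add_tenant(demo, lambda url, data, hdr: (sent.append(url), 201)[1])
    print("would POST to", sent[0])
```

To send for real, pass urllib_post as the sender and export SPLUNK_TOKEN for an account that is allowed to administer TrackMe; keeping the sender injectable means the same validation runs in a dry run, so a duplicate or malformed tenant_id is caught before anything reaches the REST endpoint.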