Federated tenants

The federated tenants feature provides a collective view of data from configured sub-tenants (child tenants). The feature streamlines the management of tenants across different business units and lets administrators efficiently manage detections from all tenants. The aggregated data provides comprehensive insights into network security within a unified interface.

A federated tenant is an umbrella account that aggregates data on configured sub-tenants; the federated account does not have a sensor directly associated with it and does not ingest its own data.

Investigator pages that support federated views include a Tenant menu that lets you choose the aggregate view (All Tenants) or select an individual tenant to view only their data.

_images/tenant-menu.png

Child tenants can only access data collected from the sensors configured specifically for their respective tenant.

Contact your Corelight account manager to set up federated tenants. You can federate existing tenants or add new tenants.

Federated tenants can view child tenant data on these pages:

  • Security Overview Page – provides an aggregate view of all tenants and the ability to switch to individual tenant views, allowing for comprehensive monitoring and management of security across the entire system.

  • Detections Page – provides an aggregate view of all tenants and the ability to switch to individual tenant views.

    Federated tenant users can take actions such as closing a detection, sending a detection to ServiceNow, or suppressing an entity from the federated tenant.

    All actions appear in the security audit and are logged against respective tenants. Detections cannot be assigned to users from a different tenant.

    Each detection identifies the associated tenant, both in the list/table view and in the details.

    _images/tenant-detection.png _images/tenant-detection-table.png

  • Dashboards – let you view data on LogScale dashboards across all tenants for a comprehensive view.

  • Logs – displays the logs for all tenants. Each log entry includes a sensor tag (system_name) for identification, enabling LogScale queries to retrieve logs from specific child tenants.

  • Alert Catalog – provides a per-tenant view only, ensuring admins focus on managing alerts specific to the selected tenant without interference from the data of other tenants. Admins in a federated account can switch the view between child tenants.

  • General Settings – admins can configure the tenant name, ensuring accurate and consistent tenant identification across the system. Admins must log in to a specific tenant to change the tenant name. (Admins from the federated tenant can log in to all child tenants as admin users.)

    To change a tenant name

    1. Log in to the individual tenant.

    2. Go to General Settings | Tenant Settings and click the Edit icon for the tenant.

    3. Edit the display name and click Save.

      Tenant names can include text, numbers, and special characters.

  • Security Audit – provides an aggregate view of all tenants and a per-tenant view of the audit logs.

Note

Account Settings are per tenant and do not have a federated view.

Other changes to note:

  • Integrations Page – is hidden for federated tenants. Admins must log in to a specific tenant to manage integrations.

  • User Management – displays only users from the federated tenant, ensuring that access to user information is restricted to the relevant tenant for enhanced security and data privacy. Admins must log in to a specific tenant to manage users for that tenant.

  • Investigator does not support duplicate email addresses. Federated tenant admins need to modify their email addresses to get access, typically by adding a plus (+) sign and an extra identifier.

  • Detections across child tenants do not have a unique detection ID. Within a child, a tenant detection ID is unique.