Case management federation
The case management federation feature lets secondary customers have their own separate Google SecOps platform, rather than having their Google SecOps instance as an environment in the platform. This feature is primarily intended for Managed Security Service Providers (MSSPs), but it can also be used by enterprises that prefer separate platforms for different geographic locations. All case metadata is synchronized with the primary provider's platform. This lets the primary provider view, access, and act on their secondary customer's cases. Secondary customers can choose which of their environments, and therefore which cases, are accessible to their primary platform provider.
If a primary platform analyst clicks a remote case link and has permission to access that case's environment, they will be redirected to the separate (also referred to as remote or secondary) platform. There, they can sign in with their email and password. They remain logged in to the secondary platform only for the duration of that session.
Set up metadata sync on the primary platform
Perform the following procedures on the local primary platform.
Set up the remote platform display name
- Using the POST method, run the /api/external/v1/federation/platforms endpoint with the unique display name for the remote platform. Display names can be up to 255 characters long. The following example is for reference only.
    curl -X POST https://federation.siemplify-soar.com/api/external/v1/federation/platforms \
      -H "Content-Type: application/json" \
      -d '{ "displayName": "Sample Platform", "host": "https://federation.siemplify-soar.com" }'
- Store the returned API key on your desktop for retrieval later on. You will need to give this API key to the secondary customer when they create the new Case Federation sync job.
Download Case Federation integration
- In the primary platform, go to Marketplace.
- Click the Case Federation integration configuration icon and select the Is Primary checkbox. Selecting this checkbox ensures the data is synced to your platform.
- Click Save.
- Go to Response > IDE.
- Click Add.
- Select Job.
- Select Case Federation Sync Job in the Job Name field and Case Federation in the Integration field.
- Click Create.
- Don't configure any of the parameters in the Job except for the schedule. Google recommends setting one minute as the default sync time.
Create or edit a user on the primary platform
This procedure lets you create or edit a user with permissions to one or more remote platforms.
- In the primary platform, go to SOAR Settings > Advanced > IdP Group Mapping.
- Follow the instructions to add users as outlined in Map users in the SecOps platform.
- In the Platform field, select as many remote platforms as needed.
- Click Save.
Set up metadata sync on the remote platform
Perform the following procedures on the secondary customer's platform.
Download the Case Federation integration
- In the platform, go to the Marketplace.
- Click the Case Federation integration configuration icon and then click Save. Don't click Is Primary.
- Go to Response > IDE.
- Click Add.
- Select Job.
- Select Case Federation Sync Job in the Job Name field and Case Federation in the Integration field.
- Click Create.
- In the Target Platform field, enter the hostname of the primary provider. The hostname is taken from the beginning of the primary provider's platform URL.
- In the API key field, enter the API key that your primary provider gave you.
- Configure the schedule with one minute as the default sync time.
Create or edit a user on the secondary platform
This procedure lets you grant permissions to specific environments for the relevant primary platform personas. This lets the primary analyst pivot to the relevant cases in the secondary platform.
- In the secondary platform, go to SOAR Settings > Advanced > IdP Group Mapping.
- Follow the instructions to add or edit users as outlined in Map users in the Google SecOps platform.
- In the Environment field, select the environments to which you want to grant primary platform analysts access.
- Click Save.
Pivot from the primary platform to the remote platform
The primary platform analyst can pivot from their local platform to the selected case in the remote (secondary) platform in both the case list view and the case side-by-side view in the Cases screen.
- Go to the Cases page and select either the list view or the side-by-side view.
- Do one of the following:
  - In the side-by-side view, check the case queue for cases marked with an "R" (for remote). Click a case with this icon to be redirected to the remote platform.
  - If you are in the list view, scan through the Platform column to see from which platform the case originates and click the case ID to be redirected to the remote platform.
- Sign in to the remote platform with your email and password. If you are unable to sign in, the secondary customer has not granted you access to the environment from which the cases originate.