Set up federated case access for SecOps
The case management federation feature lets secondary customers have their own separate Google Security Operations platform, rather than operating as environments within a shared instance. This setup is ideal for Managed Security Service Providers (MSSPs) or enterprises that require independent platforms across geographic regions.
All case metadata is synchronized from the secondary (remote) platform to the primary provider's platform as follows:
- Primary platform analysts can view, access, and act on federated cases if they've been granted access.
- Secondary customers retain control over which environments and cases are accessible to the primary platform.
When a primary platform analyst opens a remote case link, the system redirects them to the remote platform, if they have the necessary permissions to access the case's environment. On the remote platform, the primary platform analyst can sign in with their email and password. Access requires valid credentials and is granted for the current session only.
Set up metadata sync on the primary platform
To enable metadata synchronization, perform the following steps on the primary platform:
Set up the remote platform display name
To set up a remote platform display name, follow these steps:
- Use the following curl command to assign a unique display name to the remote platform. Display names can be up to 255 characters.

      curl -X POST https://federation.siemplify-soar.com/api/external/v1/federation/platforms \
        -H "Content-Type: application/json" \
        -d '{ "displayName": "Sample Platform", "host": "https://federation.siemplify-soar.com" }'

- Store the generated API key in a secure location. The secondary customer will use it to configure the new Case Federation sync job.
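The two steps above as a script, added here as an example and not part of the original documentation: it validates the display name against the 255-character limit, sends the same request as the curl command, and writes the response to an owner-only file instead of printing it. The function names and the output path are assumptions; the page does not show the response format, so the whole response body is stored.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

# Endpoint taken from the curl command on this page.
ENDPOINT = "https://federation.siemplify-soar.com/api/external/v1/federation/platforms"
MAX_DISPLAY_NAME = 255  # limit stated on this page


def build_payload(display_name: str, host: str) -> bytes:
    """Validate the inputs and return the JSON request body."""
    name = display_name.strip()
    if not name or len(name) > MAX_DISPLAY_NAME:
        raise ValueError("displayName must be 1-255 characters")
    parts = urlsplit(host)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("host must be an https:// URL")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("host must not carry credentials, query or fragment")
    return json.dumps({"displayName": name, "host": host}).encode("utf-8")


def save_secret(path: str, data: bytes) -> None:
    """Write data to a new file that only the owner can read (mode 0600)."""
    # O_EXCL refuses to overwrite an existing file or follow a pre-placed symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        os.fchmod(f.fileno(), 0o600)  # enforce the mode regardless of umask
        f.write(data)


def register_platform(display_name: str, host: str, out_path: str) -> None:
    """POST the registration and store the raw response without printing it."""
    req = urllib.request.Request(
        ENDPOINT,
        data=build_payload(display_name, host),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        save_secret(out_path, resp.read())


if __name__ == "__main__":
    # Offline demo with the sample values from the page; no request is sent.
    print(build_payload("Sample Platform", "https://federation.siemplify-soar.com").decode())
```

Move the stored response into your secrets manager before handing the API key to the secondary customer, then delete the local file.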
Download the Case Federation integration
To download the Case Federation integration, follow these steps:
- In the primary platform, go to Marketplace.
- Click Case Federation integration configuration, and then select the Is Primary checkbox to sync data to your platform.
- Click Save.
Create the Case Federation sync job
To create the Case Federation sync job, follow these steps:
- Go to Response > IDE, and then click Add.
- Select Job.
- In the Job Name field, select Case Federation Sync Job.
- In the Integration field, select Case Federation.
- Click Create.
- Set the schedule interval to one minute. Don't modify any other parameters.
Add primary (remote) platform access to users
To assign access to one or more remote platforms, follow these steps:
- In the primary platform, go to SOAR Settings > Advanced > IdP Group Mapping.
- Add or edit users, as needed. For more information on how to add users, see Map users in the SecOps platform.
- In the Platform field, select as many remote platforms as needed.
- Click Save.
Set up metadata sync on the secondary (remote) platform
To enable synchronization on the secondary platform, complete the following steps.
Download the Case Federation integration
To download the Case Federation integration, follow these steps:
- In the platform, go to the Marketplace.
- Click the Case Federation integration configuration and then click Save. Don't select the Is Primary checkbox.
- Go to Response > IDE, and then click Add.
- Select Job.
- In the Job Name field, select Case Federation Sync Job.
- In the Integration field, select Case Federation.
- Click Create.
- In the Target Platform field, enter the hostname of the primary provider. The hostname is taken from the beginning of the primary provider's platform URL.
- In the API key field, enter the API key provided by your primary provider.
- Set the default sync time to one minute.
- Click Save.
Grant access to primary users
This procedure lets you grant permissions to specific environments for the relevant primary platform personas. This lets the primary analyst pivot to the relevant cases in the secondary platform.
To create or edit a user on the secondary platform, follow these steps:
- In the secondary platform, go to SOAR Settings > Advanced > IdP Group Mapping.
- Add or edit users, as needed. For more information on how to add or edit users, see Map users in the Google SecOps platform.
- In the Environment field, select the environments that primary platform analysts can access.
- Click Save.
Access remote cases from the primary platform
Primary platform users can view remote cases either in the list view or side-by-side view on the **Cases** page.
To open cases on the remote platform, follow these steps:
- On the Cases page, select either list view or the side-by-side view.
- Do any one of the following:
  - Side-by-side view
    - In the case queue, look for cases marked with an "R" (for remote).
    - Click a remote case to open it in the corresponding remote platform.
  - List view
    - Locate remote cases in the Platform column.
    - Click the case ID to open the case in the remote platform.
- Sign in to the remote platform with your email and password.
If you can't sign in, it means that the secondary customer may not have granted you access to the case's source environment.