Case management federation
The case management federation feature allows secondary customers to have their own standalone Google SecOps platform, instead of having their Google SecOps instance as an environment in the platform. This feature is primarily for use with MSSPs but can also apply to enterprises that prefer to have standalone platforms for different geographical locations. All the metadata of all the cases on the standalone platform is synchronized with the primary provider's local platform. This way the primary provider can both view and access their secondary customer's cases and perform actions on them. However, the secondary customers decide for themselves which environments they share with their primary platform provider, and therefore which cases the provider can access.
After the primary platform analyst clicks on a remote case link, if they have been granted permissions to that case environment, they are redirected to the standalone, also known as remote, platform where they can log in with their email and password. They will remain logged in to the remote platform for the duration of that session only.
Set up metadata sync on the primary platform
The following sections should be carried out on the local primary platform.
Set up the remote platform display name
- Using the POST method, call the /api/external/v1/federation/platforms endpoint with the unique display name for the remote platform. The display name can be at most 255 characters. The following example is for reference only.
    curl -X POST https://federation.siemplify-soar.com/api/external/v1/federation/platforms \
      -H "Content-Type: application/json" \
      -d '{ "displayName": "Sample Platform", "host": "https://federation.siemplify-soar.com" }'
- Store the returned API key on your desktop for retrieval later on. You will need to give this API key to the secondary customer when they create the new Case Federation sync job.
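The request and the key handling from the two steps above, as an added Python example that is not part of the original documentation: it enforces the 255-character limit, requires HTTPS URLs, and writes the raw response to a file only the current user can read. The response format and any authentication header are not shown on this page, so the response is stored unparsed and `extra_headers` is a hypothetical parameter for whatever your deployment requires.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

ENDPOINT = "/api/external/v1/federation/platforms"  # path given on this page
MAX_DISPLAY_NAME = 255                              # limit given on this page


def build_request(primary_url, display_name, host_field, extra_headers=None):
    """Validate the inputs and return a ready-to-send Request (nothing is sent)."""
    if not display_name or len(display_name) > MAX_DISPLAY_NAME:
        raise ValueError("displayName must be 1-255 characters")
    for url in (primary_url, host_field):
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"{url!r} is not an https URL")
    # json.dumps escapes quotes and control characters in the display name.
    body = json.dumps({"displayName": display_name, "host": host_field}).encode()
    headers = {"Content-Type": "application/json", **(extra_headers or {})}
    return urllib.request.Request(primary_url.rstrip("/") + ENDPOINT,
                                  data=body, headers=headers, method="POST")


def save_secret(path, data):
    """Create a new file with mode 0600; O_EXCL refuses to reuse an existing path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def register_platform(primary_url, display_name, host_field, out_path, extra_headers=None):
    """Send the request and store the raw response, which carries the API key."""
    req = build_request(primary_url, display_name, host_field, extra_headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        save_secret(out_path, resp.read())


if __name__ == "__main__":
    # Values copied from the page's reference curl command; only builds the request.
    demo = build_request("https://federation.siemplify-soar.com", "Sample Platform",
                         "https://federation.siemplify-soar.com")
    print(demo.get_method(), demo.full_url, demo.data.decode())
```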
Download Case Federation integration
- In the primary platform, go to the Marketplace.
- Click the Case Federation integration configuration icon and select the Is Primary checkbox and then click Save. Selecting this checkbox ensures the data is synced to your platform.
- Go to Response > IDE page.
- Click Add.
- Select Job.
- Select Case Federation Sync Job in the Job Name field and Case Federation in the Integration field.
- Click Create.
- Do not configure any of the parameters in the Job except for the schedule. Google recommends setting one minute as the default sync time.
Create or edit a user on the primary platform
This procedure lets you create or edit a user with permissions to one or more remote platforms.
- In the primary platform, go to SOAR Settings > Advanced > IdP Group Mapping.
- Follow the instructions to add users as written in Map users in the SecOps platform.
- In the Platform field, select as many remote platforms as needed.
- Click Save.
Set up metadata sync on the remote platform
The following sections should be carried out by the secondary customer on their platform.
Download the Case Federation integration
- In the platform, go to the Marketplace.
- Click the Case Federation integration configuration icon and then click Save. Do not click Is Primary.
- Go to Response > IDE page.
- Click Add.
- Select Job.
- Select Case Federation Sync Job in the Job Name field and Case Federation in the Integration field.
- Click Create.
- In the Target Platform field, enter the hostname of the primary provider. The hostname is taken from the beginning of the primary provider's platform URL.
- In the API key field, enter the API key that your primary provider gave you.
- Configure the schedule with one minute as the default sync time.
Create or edit a user on the secondary platform
This procedure lets you grant permissions to specific environments for the relevant primary platform personas. This allows the primary analyst to pivot to the relevant cases in the secondary platform.
- In the secondary platform, go to SOAR Settings > Advanced > IdP Group Mapping.
- Follow the instructions to add or edit users as written in Map users in the SecOps platform.
- In the Environment field, select the required environments that you want to give primary platform analysts access to.
- Click Save.
Pivot from the primary platform to the remote platform
The primary platform analyst can pivot from their local platform to the selected case in the remote (secondary) platform in both the Case list view and the Case side-by-side view in the Cases screen.
- Go to the Cases page and select either the list view or the side-by-side view.
- If you are in the side-by-side view, look through the Cases queue to see which cases have the R (R for remote) icon and click the case to be redirected to the remote platform.
- If you are in the list view, scan through the Platform column to see which platform the case is coming from and click the case ID to be redirected to the remote platform.
- Log in to the remote platform with your email and password. If you are blocked from logging in, the secondary customer has not granted you access to the environment where the cases are coming from.