Stay organized with collections
Save and categorize content based on your preferences.
Set up federated case access for SecOps
Supported in:
Google secops
The case management federation feature lets secondary customers
have their own separate Google Security Operations platform, rather than having their
Google SecOps instance instead of operating as environments within a
shared instance. This setup is ideal for Managed Security Service Providers (MSSPs)
or enterprises that require independent platforms across geographic regions.
All case metadata is synchronized from the secondary (remote) platform to the primary provider's platform as follows:
Primary platform analysts can view, access, and act on federated cases if they've been granted access.
Secondary customers retain control over which environments and cases are accessible to the primary platform.
When a primary platform analyst opens a remote case link, the system redirects them to the remote platform, if they have the necessary permissions to access the case's environment. On the remote platform, the primary platform analyst can sign in with their email and password. Access requires valid credentials and is granted for the current session only.
Set up metadata sync on the primary platform
To enable metadata synchronization, perform the following steps on the primary platform:
Set up the remote platform display name
To setup a remote platform display name, follow these steps:
In the following example, use the following curl command to assign a unique display name to the remote platform. Display names can be up to 255 characters.
In the Platform field, select as many remote platforms as needed.
Click Save.
Set up metadata sync on the secondary (remote) platform
To enable synchronization on the secondary platform, complete the following steps.
Download the Case Federation integration
To download the Case Federation integration, follow these steps:
In the platform, go to the Marketplace.
Click the Case Federation integration configuration and then
click Save. Don't select the Is Primary checkbox.
Go to Response>IDE, and then click addAdd.
Select Job.
In the Job Name field, select Case Federation Sync Job.
In the Integration field, select Case Federation.
Click Create.
In the Target Platform field, enter the hostname of the primary provider.
The hostname is taken from the beginning of the primary provider's platform URL.
In the API key field, enter the API key provided by your primary provider.
Set the default sync time to one minute.
Click Save.
Grant access to primary users
This procedure lets you grant permissions to specific environments
for the relevant primary platform personas. This lets the primary analyst
pivot to the relevant cases in the secondary platform.
To create or edit a user on the secondary platform, follow these steps:
In the secondary platform, go to SOAR Settings > Advanced >
IdP Group Mapping.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eCase Management Federation in Google SecOps allows secondary customers to have their own standalone platforms while synchronizing case metadata with a primary provider's platform.\u003c/p\u003e\n"],["\u003cp\u003eThe primary platform can view and access secondary customer cases, with secondary customers controlling which environments and cases are shared.\u003c/p\u003e\n"],["\u003cp\u003eSetting up the federation involves configuring both the primary and remote (secondary) platforms, including setting up a sync job, defining the remote platform display name, and downloading the Case Federation integration.\u003c/p\u003e\n"],["\u003cp\u003eUsers on both primary and secondary platforms must be configured, with the secondary platform specifying which environments the primary platform analysts have access to.\u003c/p\u003e\n"],["\u003cp\u003ePrimary platform analysts can access cases on remote platforms by clicking on a remote case link, and they will be redirected and logged into the remote platform for that session.\u003c/p\u003e\n"]]],[],null,["# Set up federated case access for SecOps\n=======================================\n\nSupported in: \nGoogle secops\n**Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/). \nThe case management federation feature lets secondary customers\nhave their own separate Google Security Operations platform, rather than having their\nGoogle SecOps instance instead of operating as environments within a\nshared instance. This setup is ideal for Managed Security Service Providers (MSSPs)\nor enterprises that require independent platforms across geographic regions.\n\nAll case metadata is synchronized from the secondary (remote) platform to the primary provider's platform as follows:\n\n- Primary platform analysts can view, access, and act on federated cases if they've been granted access.\n\n- Secondary customers retain control over which environments and cases are accessible to the primary platform.\n\nWhen a primary platform analyst opens a remote case link, the system redirects them to the remote platform, if they have the necessary permissions to access the case's environment. On the remote platform, the primary platform analyst can sign in with their email and password. Access requires valid credentials and is granted for the current session only.\n\nSet up metadata sync on the primary platform\n--------------------------------------------\n\nTo enable metadata synchronization, perform the following steps on the primary platform:\n\n### Set up the remote platform display name\n\nTo setup a remote platform display name, follow these steps:\n\n1. In the following example, use the following `curl` command to assign a unique display name to the remote platform. Display names can be up to 255 characters. \n\n ```\n curl -X POST\n https://federation.siemplify-soar.com/api/external/v1/federation/platforms \\\n -H \"Content-Type: application/json\" \\\n -d '{\n \"displayName\": \"Sample Platform\",\n \"host\": \"https://federation.siemplify-soar.com\" \n }'\n ```\n2. Store the generated API key in a secure location. The secondary customer will use it to configure the new Case Federation sync job.\n\n### Download the Case Federation integration\n\nTo download the Case Federation integration, follow these steps:\n\n1. In the primary platform, go to **Marketplace**.\n2. Click **Case Federation integration configuration** , and then select the **Is Primary** checkbox to sync data to your platform.\n3. Click **Save**.\n\n### Create the Case Federation sync job\n\nTo create the Case Federation sync job, follow these steps:\n\n1. Go to **Response** \\\u003e **IDE** , and then click add**Add**.\n2. Select **Job**.\n3. In the **Job Name** field, select **Case Federation Sync Job**.\n4. In the **Integration** field, select **Case Federation**.\n5. Click **Create**.\n\n Set the schedule interval to one minute. Don't modify any other parameters.\n\n### Add primary (remote) platform access to users\n\nTo assign access to one or more remote platforms, follow these steps:\n\n1. In the primary platform, go to **SOAR Settings** \\\u003e **Advanced** \\\u003e **IdP Group Mapping**.\n2. Add or edit users, as needed. For more information on how to add users, see [Map users in the SecOps platform](/chronicle/docs/soar/admin-tasks/user-secops/map-users-in-the-secops-platform).\n3. In the **Platform** field, select as many remote platforms as needed.\n4. Click **Save**.\n\nSet up metadata sync on the secondary (remote) platform\n-------------------------------------------------------\n\nTo enable synchronization on the secondary platform, complete the following steps.\n\n### Download the Case Federation integration\n\nTo download the Case Federation integration, follow these steps:\n\n1. In the platform, go to the **Marketplace**.\n2. Click the **Case Federation integration configuration** and then click **Save** . Don't select the **Is Primary** checkbox.\n3. Go to **Response** \\\u003e **IDE** , and then click add**Add**.\n4. Select **Job**.\n5. In the **Job Name** field, select **Case Federation Sync Job**.\n6. In the **Integration** field, select **Case Federation**.\n7. Click **Create**.\n8. In the **Target Platform** field, enter the hostname of the primary provider. The hostname is taken from the beginning of the primary provider's platform URL.\n9. In the **API key** field, enter the API key provided by your primary provider.\n10. Set the default sync time to one minute.\n11. Click **Save**.\n\n### Grant access to primary users\n\nThis procedure lets you grant permissions to specific environments for the relevant primary platform personas. This lets the primary analyst pivot to the relevant cases in the secondary platform.\n\nTo create or edit a user on the secondary platform, follow these steps:\n\n1. In the secondary platform, go to **SOAR Settings \\\u003e Advanced \\\u003e\n IdP Group Mapping**.\n2. Add or edit users, as needed. For more information on how to add or edit users, see [Map users in the Google SecOps platform](/chronicle/docs/soar/admin-tasks/user-secops/map-users-in-the-secops-platform).\n3. In the **Environment** field, select the environments that primary platform analysts can access.\n4. Click **Save**.\n\nAccess remote cases from the primary platform\n---------------------------------------------\n\nPrimary platform users can view remote cases either in the list view or side-by-side view on the \\*\\*Cases\\*\\* page\n\nTo open cases on the remote platform, follow these steps:\n\n1. On the **Cases** page, select either **list view** or the **side-by-side view**.\n2. Do any one of the following:\n - **Side-by-side view**\n 1. In the case queue, look for cases marked with an \"R\" (for remote).\n 2. Click a remote case to open it in the corresponding remote platform.\n - **List view**\n 1. Locate remote cases in the **Platform** column.\n 2. Click the **case ID** to open the case in the remote platform.\n3. Sign in to the remote platform with your email and password.\n\n If you can't sign in, it means that the secondary customer may not have granted you access to the case's source environment.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
