Architecture and overview

The IBM® Security QRadar SOAR for Managed Security Service Providers (MSSPs) architecture consists of two IBM Security QRadar Suite account types: one Provider account and one or more Standard accounts. Standard accounts are sub-accounts under the Provider account and each Standard account represents the case data of one customer in the SOAR MSSP deployment.

Provider account: The Provider account is used to create and maintain administration and configuration settings, which are then pushed to the Standard accounts. The Provider account also contains a cases dashboard that shows an overall view of all of the cases from the Standard accounts. This provides analysts with an overarching view of all of the cases that they are managing for all customers in the SOAR MSSP deployment. The Provider account does not contain any actual case data, but analysts can click a case to go to the case in the Standard account to which it belongs.
Standard accounts: Standard accounts contain case data for each customer account that is managed by the managed security service provider. Standard accounts are used to store each customer's data separately. Each Standard account contains case data, users, and groups for one customer and the configuration data that is pushed from the Provider account. Users in a Standard account cannot view cases in other Standard accounts, unless they have also been granted access to that Standard account.; When creating a Standard account, the administrator creates it from the Provider account and it becomes part of the Provider account hierarchy.

Note: Your organization's SOAR environment might also have non-MSSP accounts, referred to in this document as non-MSSP accounts. These accounts are not created from a Provider account and are not part of a Provider account hierarchy. These Standard accounts differ in functionality from the Standard accounts that are part of the SOAR MSSP deployment.

Use this guide and the System Administrator Guide to configure and administer MSSP for SOAR. Not all features available in a conventional Orchestration & Automation SOAR deployment are available in an MSSP deployment. Refer to Unsupported features for information about these features that are not currently supported for a SOAR MSSP deployment.