Architecture and deployment overview

The IBM Security® QRadar® SOAR for Managed Security Service Providers (MSSPs) add-on architecture consists of three different organization types: one configuration organization, one global dashboard, and multiple child organizations. The configuration organization is used to create and maintain the configuration settings, which are then propagated to the global dashboard and child organizations. The global dashboard contains one or more child organizations, where each child organization contains distinct customer data.

The following graphic shows the MSSP architecture. Users in a child organization cannot view incidents in other child organizations. Users in the global dashboard can view and respond to incidents from all child organizations. Users in the configuration organization can view and manage all of the organizations.

The administrator creates the organizations using the resutil tool:
  • A configuration organization that is used to create and manage the administration and customization configuration, which is propagated to the global dashboard and each of the child organizations. There is one configuration organization for each SOAR for MSSPs add-on deployment. The configuration organization does not contain any incident data and is used exclusively for configuration management.
  • A global dashboard that aggregates incident data from different customer accounts into a single dashboard. This provides analysts with an overview of all of the incidents that they are managing across all customer accounts. Analysts can then sort incidents by customer accounts and update them from the global dashboard. The global dashboard is a child of the configuration organization and inherits its configuration from the configuration organization.
  • Child organizations that contain incident data for each customer account that is managed by the managed security service provider. The child organizations store each customer's data separately. Each child organization contains incident data for one customer account and the configuration data inherited from the configuration organization. When creating a child organization type, the administrator specifies a parent organization, which is the global dashboard for the MSSP add-on deployment.

Use this guide and the System Administrator Guide to configure and administer the SOAR for MSSPs add-on. Not all features available in a standard SOAR Platform deployment are available in a SOAR for MSSPs add-on deployment. Refer to Unsupported features for information about the features that are not currently supported for the MSSP add-on.

MSSPs add-on deployment overview

To use the SOAR for MSSPs add-on, you require a separate license. To set up and configure the MSSP add-on, you must first install the SOAR Platform and then configure it for an MSSP deployment. When completing the SOAR for MSSPs add-on installation, do not configure LDAP, because it is not supported for MSSP at this time. It is also not necessary to create a regular SOAR organization for an MSSP deployment.

The steps to install and set up the SOAR Platform for MSSP are, in overview:
  1. Install the SOAR Platform as described in Installing the SOAR Platform. Choose the installation guide for your installation type. Do not configure LDAP or create an organization, even though the installation procedures describe those steps.
  2. Complete the configuration steps to create MSSP-specific organizations described in this guide. See Creating and managing MSSP-specific organizations.
  3. Create groups, permissions, and users as described in this guide. See Setting up MSSP users and permissions (changed in 51.0.1.0).
  4. Propagate the configuration, as described in Propagating configuration changes to MSSP organizations.

Unsupported features in an MSSP deployment

This version of the SOAR for MSSPs add-on does not support the following features that are available in SOAR Platform standard organizations.

  • LDAP is not supported.
  • Two-factor authentication is not supported.
  • You cannot delete organizations.
  • You cannot delete workspaces.
  • You cannot delete groups.
  • The Playbook instances tab is not available.