IBM QRadar SOAR

IBM QRadar SOAR

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  Need Support for Single Integration Server to Handle Multiple Child Orgs in MSSP Deployment.

    Posted 12 days ago

    Hi Team,

    I am working on an MSSP deployment of IBM SOAR where we are using:

    • One SOAR Platform

    • One Configuration Organization

    • Three Child Organizations (3 tenants)

    • One App Host VM

    • One Integration Server VM

    According to the current MSSP architecture documentation, IBM recommends:

    • One Integration Server for the Configuration Organization

    • One Integration Server for each Child Organization

    This results in a total of 4 Integration Servers for our use case.

    However, this becomes a challenge because my client does not agree to deploy multiple Integration Server VMs just to run a small custom app/function. They want to keep the infrastructure minimal and cost-effective.

    Problem:
    I have a custom Python function (custom app) that needs to be used by all three tenants.
    But the current MSSP architecture requires each child organization to have its own Integration Server for the app to execute, even when the logic is identical and shared across tenants.

    Request:
    Please let us know if there is any supported method or recommended approach to run a single Integration Server for multiple child organizations in an MSSP deployment, especially for lightweight custom applications.



    ------------------------------
    Arunkumar G
    ------------------------------


  • 2.  RE: Need Support for Single Integration Server to Handle Multiple Child Orgs in MSSP Deployment.

    Posted 11 days ago

    Hello,

    Check out app host servers https://www.ibm.com/docs/en/sqsp/51.0.0?topic=soar-apps-app-host. In MSSP configuration you can have 1 VM that is connected to each child organization using pairing https://www.ibm.com/docs/en/sqsp/51.0.0?topic=overview-create-app-host-pairing. For example, I have run 10 child organizations with 5 applications each on 1 app host server. So, you only need one VM if there are no problems with network access to intended resources. You will need more app host serves only if you run a lot of integration. App host server has one limit 110 containers per server, could be changed with support help, but I would recommend adding additional app host servers if needed as organization can be paired with more than one app host server.



    ------------------------------
    Andrius
    ------------------------------

    Original Message


  • 3.  RE: Need Support for Single Integration Server to Handle Multiple Child Orgs in MSSP Deployment.

    Posted 10 days ago

    What Andrius posted it's complely correct and I will add the following:

    • Integration Servers it's the old way of dowing things (can't remember the version), it has a lot of issues like incompatible versions of python codes, when one app crashes all the Integration server chrashes, all the logs are mixed, etc.
    • AppHost was designed to avoid that, each app instance uses it's a pod running on a K3S, with it's own tunnable config file, if the app crashes then the K3S is in charge of restart the pod.

    In other words you shoulnd't be using Integration Server unless you're building you own SOAR app and you're testing it, after that you can migrate that app from an Integration Server to a containerized version (you'll need your internal registry for that).


    hope it helps.

    Best Regards



    ------------------------------
    Juan Paulo
    IBM
    Santiago
    ------------------------------

    Original Message


Related Content