Configure AI SOC MSSP

use this guide to configure client and central tenants after you install the ai soc mssp solution layers for install order and first validation, see getting started for mssp docid\ ivvy6gxajwc34xvmnnqc choose your path if you are configuring go to core client tenant assets (pat, cookie, reporting workspaces) configure the client tenant /#configure the client tenant central ingestion webhook and central tenant readiness configure the central tenant /#configure the central tenant mssp sync assets on a client tenant configure mssp client sync assets /#configure mssp client sync assets optional mssp client alert webhook optional mssp client alert ingestion webhook /#optional mssp client alert ingestion webhook credential and asset overview asset or credential tenant purpose turbine tenant credentials client personal access token (pat) for core ai soc playbooks in the client tenant ai soc tenant configuration client cookie based swimlane api access for core hero ai and related flows ai soc mssp client configuration client central endpoints, ti cache mapping, tenant base url ai soc mssp central sync client webhook basic auth and privatetoken for central api calls ingest record from client webhook central receives case and ti cache updates from client tenants privatetoken on ai soc mssp central sync is not the same as personal access token on turbine tenant credentials the client pat serves core ai soc in the client tenant; the central sync privatetoken is an admin pat authorized for the central tenant configure the client tenant complete these steps in each client tenant after ai soc core solution and ai soc mssp client extension are installed turbine tenant credentials (pat) navigate to orchestration → assets open turbine tenant credentials configure the asset inputs personal access token valid swimlane pat for core playbook api calls host client swimlane host (match your tenant url format) tenant id client tenant identifier account id swimlane account identifier save the asset and activate it if your change process requires active status ai soc tenant configuration open ai soc tenant configuration under orchestration → assets configure base url client swimlane host account id swimlane account identifier tenant id client tenant identifier cookie session cookie as jwt=\<token> only; do not include a refresh token save and activate the asset when required for additional core asset detail, see configure custom assets docid\ qdckijlols 7dwzjgrbqk soc reporting and roi calculator confirm the soc reporting application and soc reporting workspace are installed confirm the roi calculator application and roi calculator workspace are installed open each workspace once to verify default dashboards load for your rbac role configure the central tenant complete these steps in the central tenant after ai soc mssp central solution is installed central ingestion webhook navigate to orchestration → playbooks open the playbook that contains the ingest record from client webhook sensor select the ingest record from client sensor under authentication, set username and password for incoming client sync requests the package may ship with a default username until you change it; use credentials you will copy to each client ai soc mssp central sync asset enable the sensor if it is disabled after install copy the webhook url from the sensor configuration save the playbook record the webhook url, username, and password in your onboarding worksheet for additional client tenants central playbooks and applications confirm the ingest record from client webhook uses the same basic authentication credentials you configure in each client ai soc mssp central sync asset in orchestration → playbooks , confirm these central mssp playbooks are present and enabled per your change process catch records from client upsert central case management record set requires re enrichment open the ai soc mssp central workspace and confirm it loads for mssp analyst roles confirm these applications are visible and accessible central case management threat intelligence artifact cache usage statistics open central case management and confirm list views can filter or display client name (or equivalent client identifier fields) after the first sync the central mssp solution does not ship separate central configuration assets in current packages central setup is webhook authentication, playbook enablement, workspace access, and application visibility configure mssp client sync assets complete these steps in each client tenant after the central ingestion webhook is configured open assets under orchestration configure ai soc mssp client configuration ( ai soc mssp client configuration ) field what to enter client name standard mssp client or tenant display name central webhook url central tenant mssp ingestion webhook url central tenant id central tenant identifier account id swimlane account identifier (central account when syncing cross account) central tiac app id central threat intelligence artifact cache application identifier central tiac observable field id central ti cache observable field identifier tenant base url central swimlane host used for https api calls from the client tenant configure ai soc mssp central sync ( ai soc mssp central sync ) under authorization , set username and password to match the central ingest record from client webhook credentials set privatetoken to a valid swimlane admin personal access token for central api operations save and verify both mssp assets are active find central ti cache identifiers in the central tenant , open threat intelligence artifact cache copy the application identifier from the application url or application settings (format varies by environment) open application field settings and copy the observable field identifier used for ti cache observables enter both values in the client ai soc mssp client configuration asset optional mssp client alert ingestion webhook in the client tenant, open sensors and locate alert ingestion ai soc mssp client if your mssp design uses this path for alert ingress, enable the sensor and configure authentication per your security standard route external alert sources to the webhook url only after credentials and tls requirements are approved configuration checklist client tenant turbine tenant credentials and ai soc tenant configuration are configured ai soc mssp client configuration and ai soc mssp central sync are active client name matches how you identify the customer in central views central tenant ingest record from client webhook is enabled with known credentials central mssp playbooks are enabled per your change process central case management and threat intelligence artifact cache are accessible next steps if you need to go to install solution layers and run first validation getting started for mssp docid\ ivvy6gxajwc34xvmnnqc add another customer tenant onboard a client tenant docid\ fgkw7if8vsr9 hchdexus work day to day in the central tenant use ai soc mssp central docid\ gualyzlqa 7acfkpszhcq troubleshoot sync issues validate and troubleshoot mssp sync docid\ qyesknwk rnsc1w1uax d