Question

SOAR Tenant to Tenant Case Migration

  • October 30, 2025
  • 2 replies
  • 46 views


I have two separate tenants with two different SIEMs. There is some overlap in logs, but they're not all the same. If an alert fires in one tenant, I am trying to recreate the case, with all the alerts grouped under it, case details, etc., in the other tenant so it can be worked by a separate team. I need to include each alert in the case along with the case wall comments.


Has anyone done this successfully with a playbook, or is there a better way? Are the current API endpoints enough to do this? Worried about create alert and get case alert because they use the POST request.

2 replies

SoarAndy
Staff
  • Staff
  • October 31, 2025

I assume this is a one time ‘copy’ to environment2, and is not for all Cases?

(If it is for all cases, just configure the Connector twice)


There is a way to copy Cases to new environments (the Environment dropdown near the top of the screen), but this will push original copies of the Alerts to the new Environment. The new environment will not copy case history or tags, it will not get completed enrichments, and it might not trigger the same playbook. This feature is not about moving; it is about an MSSP/global escalating a tactical response to a strategic, wide engagement across the wider business, so the playbook will have a different nature with different comms, escalations, etc.

If you want to copy everything (remember that case wall comments are automatically out of date when the original close finishes), I would experiment with a playbook you can tactically add. This playbook will GetCaseDetails, then loop through Alerts and push to the new Environment, then submit each case wall comment too. There are considerations here:

- Alert grouping is configuration specific. If Environment2 has a different grouping policy to Environment1, the resulting Case might look different.
- Same consideration for Entity creation, blocklists, etc.
- You lose repudiation, because “David commented” becomes “System comments that David originally commented”.
- Timestamps reflect when the comment was submitted, so you would need to smuggle the comment time into the body of the message.
- Loops have a max (100?) count, so if you have frequently large chats, you would either need to bulk some comments together or AI summarise them into a report and submit that as a more combined text.

The API calls should work, but this is a complex path with lots of caveats you will need to work around.

Or, have users in Environment B have RBAC to the case in Environment A
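The copy playbook sketched above (GetCaseDetails, loop over alerts and push them, then resubmit each case wall comment) as an added worked example; this is not code from the thread or from the SOAR product. It is written against an abstract tenant client so it runs offline: the client method names, the in-memory tenant, the 100-item loop cap and the comment format are all assumptions, and the sample case is constructed. It handles two of the caveats Andy lists: the original author and timestamp are carried inside the comment body because the destination will stamp every comment as "System" at submission time, and when a case has more comments than the loop cap they are packed into combined bodies so the loop still fits.

```python
"""Added example: copying a SOAR case (alerts + case wall comments) between two
tenants. The TenantClient interface and InMemoryTenant are stand-ins, not the
real SOAR API. Endpoint names, the loop cap and the comment format are assumed."""
from __future__ import annotations

from dataclasses import dataclass
from math import ceil
from typing import Protocol

MAX_LOOP_ITEMS = 100  # assumed playbook loop cap (the reply says "100?")


@dataclass
class Comment:
    author: str
    timestamp: str  # ISO-8601 text as stored on the source case (constructed)
    body: str


@dataclass
class Alert:
    alert_id: str
    name: str
    raw: dict


@dataclass
class Case:
    case_id: str
    title: str
    alerts: list[Alert]
    comments: list[Comment]


class TenantClient(Protocol):
    """Hypothetical minimal client surface; map these onto whatever the real
    tenant API exposes (assumption: one call each for get/create/push/comment)."""

    def get_case(self, case_id: str) -> Case: ...
    def create_case(self, title: str, source_ref: str) -> str: ...
    def push_alert(self, case_id: str, alert: Alert) -> None: ...
    def add_comment(self, case_id: str, body: str) -> None: ...


def render_comment(c: Comment) -> str:
    """Embed original author and time in the body: the destination will record
    the comment as submitted by 'System' at copy time, so provenance must live
    in the text itself."""
    return f"[{c.timestamp}] {c.author} originally commented: {c.body}"


def batch_comments(comments: list[Comment], limit: int = MAX_LOOP_ITEMS) -> list[str]:
    """Return at most `limit` bodies. If the case has more comments than the
    loop cap, pack consecutive comments into combined bodies (oldest first)."""
    rendered = [render_comment(c) for c in comments]
    if len(rendered) <= limit:
        return rendered
    per_chunk = ceil(len(rendered) / limit)
    return ["\n".join(rendered[i:i + per_chunk]) for i in range(0, len(rendered), per_chunk)]


def migrate_case(src: TenantClient, dst: TenantClient, case_id: str) -> dict:
    """GetCaseDetails on tenant A, recreate on tenant B, push alerts, then
    resubmit comments. Returns counts so the playbook can report what it did."""
    case = src.get_case(case_id)
    new_id = dst.create_case(case.title, source_ref=f"copied from case {case.case_id}")
    for alert in case.alerts:
        dst.push_alert(new_id, alert)
    bodies = batch_comments(case.comments)
    for body in bodies:
        dst.add_comment(new_id, body)
    return {
        "new_case_id": new_id,
        "alerts": len(case.alerts),
        "comments_original": len(case.comments),
        "comments_submitted": len(bodies),
    }


class InMemoryTenant:
    """Constructed stand-in for a tenant API so the example runs offline."""

    def __init__(self) -> None:
        self.cases: dict[str, Case] = {}
        self._next = 1

    def get_case(self, case_id: str) -> Case:
        return self.cases[case_id]

    def create_case(self, title: str, source_ref: str) -> str:
        cid = f"C{self._next}"
        self._next += 1
        self.cases[cid] = Case(cid, f"{title} ({source_ref})", [], [])
        return cid

    def push_alert(self, case_id: str, alert: Alert) -> None:
        self.cases[case_id].alerts.append(alert)

    def add_comment(self, case_id: str, body: str) -> None:
        # The destination stamps the copy as a System comment at submit time.
        self.cases[case_id].comments.append(Comment("System", "", body))


def sample_source() -> InMemoryTenant:
    """Constructed source tenant: one case, two alerts, 121 comments (over the cap)."""
    t = InMemoryTenant()
    bot_notes = [Comment("Bot", f"2025-10-30T10:{i % 60:02d}:00Z", f"auto note {i}") for i in range(120)]
    t.cases["A-42"] = Case(
        "A-42", "Suspicious login burst",
        alerts=[Alert("al-1", "Impossible travel", {"user": "david"}),
                Alert("al-2", "MFA fatigue", {"user": "david"})],
        comments=[Comment("David", "2025-10-30T09:15:00Z", "Confirmed with user, travelling.")] + bot_notes,
    )
    return t


if __name__ == "__main__":
    print(migrate_case(sample_source(), InMemoryTenant(), "A-42"))
```

With 121 comments and a cap of 100, `batch_comments` packs two comments per body and submits 61 bodies; the alert loop is left uncapped here because alert counts per case are normally small, but the same packing approach would apply if they were not.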


  • Author
  • November 13, 2025

Hey Andy, this would be two separate tenants, not environments, and entities would not be needed as the SIEMs would be different as well.