Define environments in SOAR connectors

Connectors can be set up in various ways, as each connector has its own configuration. Here are some ways an analyst can define connectors:

• Set static environment: define the option in the Environment field in the specific connector on the Google Security Operations platform.
• Extract environment dynamically: define the option in the Environment Field Name field. The environment is extracted from that field.
• Extract environment dynamically + regular expression pattern: define the option in the Environment Regex Pattern field and the environment is extracted from that field by the regular expression pattern.
• Using third-party multi-tenant mechanism: Define the option in the Environment field by the third-party tenant name. Some integrations have a built-in, multi-tenant mechanism. These integration connectors have a checkbox that allows the analyst to set the Environment field by the third-party tenant name.

In some cases, the extracted environment field value is different from the Google SecOps environment. For example, the Environment field is altostrat.com while the Google SecOps environment is called altostrat.

Define alias names

1. Go to SOAR Settings > Organization > Environments.
2. Click add Add Environment in order to match the name in the integration with the name of the environment in the Google SecOps platform.

Troubleshooting

If after the entire process, the connector has no environment or an empty environment (""), the default overrides the empty result. If the connector contains values that define an uncreated environment, then alerts are ingested in the database and playbooks start to run. As soon as the new environment is created, the cases and playbooks are displayed in the platform. In order for alerts that are related to non-existing environments to not be ingested into the database, you can contact Google SecOps Support and request they make the change in the database configuration.