Supporting multiple instances
Users can configure multiple instances of the same integration for the same environment. This feature provides users with greater flexibility and granularity when creating and running playbooks. For example, when building a playbook which caters to a customer with two sites, each site using its own Active Directory, you can now configure two instances of the same integration for the same environment and choose between them within the playbook step.
This feature is configured in Response > Integrations Setup and supported by the Choose Instance field in the playbook step, as well as the multi-select environment option.
Integrations page
Let's take a look at the Integrations page. This page comes with two predefined options on the left: Shared Instances and the Default Environment.
Shared Instances acts as a library of configured integrations that can be used by all environments, both those that exist now and those created in the future. The Shared Instances repository also contains the Google Security Operations predefined integrations out of the box.
Any environment that you create in Settings > Organizations > Environments appears in the list on the left. You can filter the list of environments and hide empty ones. Enterprise customers will primarily work with the default environment.
Configure Instance: To add an instance, select an environment on the left side of the page and then click Create a new instance at the top right. Select the integration and configure the parameters for that specific instance. An integration must have a configured instance before it can be used in a playbook. To reconfigure or edit the instance later, click Configure Instance. To have two instances of the same integration in one environment, simply configure a second instance.
Select environment.
Now, go to the Playbooks page and look at the multi-select environment option that appears when you create a new playbook. You have two choices. The first is All Environments: the playbook will run on all environments currently defined in the system as well as any environments added in the future. The second is to select one or more specific environments for the playbook to run on.
Whether you select a single environment, several environments, or all of them affects which instance options are available in the playbook steps. Let's delve deeper into this.
Configure Instance
Now navigate to a playbook step that contains an integration action. What appears in the Configure Instance field depends both on which instances you created and on which environments you chose when creating the playbook.
If you chose All Environments or several environments, the first option in Configure Instance is Dynamic Mode.
Dynamic Mode: When the playbook is attached to a case, Google Security Operations tries to use the instance of the integration configured for the case's environment.
Fallback Instance: This optional field applies in Dynamic Mode. If the case's environment has no configured instance of the integration, the step uses the fallback instance chosen here. The fallback must be picked from Shared Instances, which are available to playbooks in all environments.
If the environment has no available instance and no fallback instance is configured, the action fails unless the step is configured as "skip if failed". "Skip if failed" is useful mainly for MSSPs: when a customer has no license for a specific tool, the MSSP can decide whether to use its own paid tools or simply bypass the step.
Note that in Dynamic Mode the fallback instance is not used when more than one instance of the integration is configured for the environment. In that situation the playbook stops and asks the analyst to choose an instance manually.
If you chose a single environment, the Configure Instance field lets you pick one of the instances of that action's integration configured for that environment, or a Shared Instance.
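As an added illustration, not code from Google Security Operations, the following Python model encodes the resolution order described above: an explicitly chosen instance for single-environment playbooks, Dynamic Mode, the Fallback Instance, the more-than-one-instance case that stops for a manual choice, and "skip if failed". The SHARED label, the Instance and Step types, resolve_instance, and the instance and environment names in the inventory are all assumptions made for the example.

```python
"""Model of how a playbook step picks an integration instance at run time.

Constructed illustration of the resolution order this page describes; it is
not Google Security Operations code. SHARED, Outcome, Instance, Step,
resolve_instance and the names in INVENTORY are assumptions for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

SHARED = "Shared Instances"  # assumed label for the shared-instance library
DYNAMIC = "Dynamic Mode"


class Outcome(Enum):
    USE = "use"                      # run the step with the chosen instance
    MANUAL_CHOICE = "manual_choice"  # stop and ask the analyst to pick one
    SKIPPED = "skipped"              # no instance, step is "skip if failed"
    FAILED = "failed"                # no instance and step is not skippable


@dataclass(frozen=True)
class Instance:
    name: str
    integration: str
    environment: str  # an environment name, or SHARED


@dataclass(frozen=True)
class Step:
    integration: str
    instance: str = DYNAMIC           # explicit instance name, or Dynamic Mode
    fallback: Optional[str] = None    # name of a Shared Instance, optional
    skip_if_failed: bool = False


def resolve_instance(step: Step, case_environment: str,
                     inventory: List[Instance]) -> Tuple[Outcome, Optional[Instance]]:
    """Return (outcome, instance) for one step on a case from case_environment."""
    same_integration = [i for i in inventory if i.integration == step.integration]
    not_found = (Outcome.SKIPPED if step.skip_if_failed else Outcome.FAILED, None)

    if step.instance != DYNAMIC:
        # Single-environment playbook: the step names a concrete instance,
        # which lives either in that environment or in Shared Instances.
        chosen = next((i for i in same_integration
                       if i.name == step.instance
                       and i.environment in (case_environment, SHARED)), None)
        return (Outcome.USE, chosen) if chosen is not None else not_found

    # Dynamic Mode: look at the case's own environment first.
    local = [i for i in same_integration if i.environment == case_environment]
    if len(local) == 1:
        return Outcome.USE, local[0]
    if len(local) > 1:
        # Ambiguous: the fallback is NOT consulted; the analyst must choose.
        return Outcome.MANUAL_CHOICE, None

    # Nothing configured for this environment: try the shared fallback, if any.
    if step.fallback is not None:
        fallback = next((i for i in same_integration
                         if i.name == step.fallback and i.environment == SHARED), None)
        if fallback is not None:
            return Outcome.USE, fallback

    return not_found


# Constructed inventory mirroring the page's two use cases (names are assumed).
INVENTORY = [
    Instance("AD - US site", "Active Directory", "Default Environment"),
    Instance("AD - UK site", "Active Directory", "Default Environment"),
    Instance("VT - Customer A", "VirusTotal", "Customer A"),
    Instance("VT - MSSP shared", "VirusTotal", SHARED),
    # "Customer B" has no VirusTotal instance of its own.
]

if __name__ == "__main__":
    for env in ("Customer A", "Customer B"):
        for step in (Step("VirusTotal"),
                     Step("VirusTotal", fallback="VT - MSSP shared"),
                     Step("VirusTotal", skip_if_failed=True)):
            outcome, inst = resolve_instance(step, env, INVENTORY)
            print(env, step.fallback, step.skip_if_failed, outcome.value,
                  inst.name if inst else "-")
    print(resolve_instance(Step("Active Directory"), "Default Environment", INVENTORY)[0].value)
```

Running the block shows the MSSP case from the page: Customer A always resolves to its own VirusTotal instance, Customer B only resolves when a shared fallback is set, otherwise it is skipped or fails depending on "skip if failed", and the two Active Directory instances in the Default Environment force a manual choice.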
Let's look at a few examples of this feature.
Use Case #1: Two Instances in the Default Environment
In this scenario, I have one enterprise network split across two sites, US and UK, and I want a separate Active Directory configuration for each site. Therefore, I need to configure two instances of the ActiveDirectory integration for the same environment and have the playbook select the required one at run time.
Install an integration
- Navigate to Google Security Operations Marketplace > Integrations.
- Search for the required integration. For this example, you will be using Active Directory.
- Install it.
Configure an Instance
- Go to Response > Integrations Setup.
- In the Environments list on the left, select the environment you want to create an instance for. For this example, you will use Default Environment.
- Click Create a new instance.
- In the Add Instance dialog, select the required integration from the list and click Save. In this example, select Active Directory.
- Go to the required integration and click Configure Instance. Enter all the relevant information and parameters; in this example, configure it for users in the US site. Click Test to make sure the configuration works, then click Save.
- Now add another instance of the Active Directory integration. This time, configure it for users in the UK site. Click Save when it is fully configured.
- Note that you can make changes at a later stage if needed. Once configured, the instances can be used in playbooks.
Use this instance in playbooks
- Navigate to the Playbooks page and click Add New Playbook or Block to add a playbook.
- Make sure to select the relevant folder and, for this example, the Default Environment. The choice of environment is covered under Select environment above and in Use Case #2 below.
- In the Actions list, under ActiveDirectory, choose Enrich entities, drag it onto the playbook as a step, and double-click the step to open it.
- In the Choose Instance field, select the instance (US site or UK site) that this playbook should use.
Use Case #2: Dynamic Mode in Multiple Environments
In this scenario, as an MSSP, you have several customers, each defined in a different environment. At playbook run time, you want the playbook to pick the integration instance dynamically, based on the environment the case came in from.
Define environments:
- Navigate to Settings > Organization > Environments.
- Click Add Environment and define the required environment with its parameters.
- Create several new environments.
Install an integration
- Navigate to Google Security Operations Marketplace > Integrations.
- Search for the required integration. For this example, you will be using VirusTotal.
- Install it.
Configure instances
- From the left navigation, go to Response > Integrations Setup, select each customer environment in turn, and click the Configure tab.
- Configure each environment with the VirusTotal integration instance according to the needs of each customer.
Set up playbooks
- Navigate to the Playbooks page.
- Create a playbook, making sure to select the environments you created and configured previously.
- When using the VirusTotal ping action, select Dynamic Mode. At run time, Google Security Operations checks which environment the case came from and uses the VirusTotal instance configured for that environment. If a customer environment has no VirusTotal instance, set a Fallback Instance from Shared Instances or mark the step "skip if failed"; if an environment has more than one VirusTotal instance, the playbook stops and asks the analyst to choose one.