Supporting multiple instances

Users can configure multiple instances of the same integration for the same environment. This feature provides users with greater flexibility and granularity when creating and running playbooks. For example, when building a playbook which caters to a customer with two sites, each site using its own Active Directory, you can now configure two instances of the same integration for the same environment and choose between them within the playbook step.

This feature is configured in Response > Integrations Setup and supported by the Choose Instance field in the playbook step, as well as the multi-select environment option.

Integrations page. Let's take a look at the Integrations page. This page comes with two predefined options on the left. One is called Shared Instances and the other is the Default Environment. In the screenshot below, we have defined a few other environments as well.


Shared Instances acts as a type of library for configured integrations that can be used for all environments that are created both now and in the future. The Shared Instances repository also contains Google Security Operations predefined integrations out of the box.
Any environment that you create in Settings > Organizations > Environments will appear in the list on the left.
You can choose to filter the display of environments and hide empty environments. Enterprise customers will primarily be working with the default environment.

Configure Instance: You add an instance by selecting an environment on the left side of the page and then clicking Create a new instance on the top right. Select the integration and then configure the parameters for the specific instance of that integration. You must configure an instance of an integration in order to use it in a playbook. To reconfigure or edit this instance in the future, you can click Configure Instance. To add two instances of the same integration per environment, simply configure a second instance.

Select environment. Now, let's navigate to the Playbooks page and take a look at the multi-select environment option that appears when you create a new Playbook. You have two choices: one is to select All Environments. This means that this playbook will run on all current environments defined in the system as well as all environments that will be added in the future.
The second option is to select one or more environments for the playbook to run on.

Selecting multiple or all environments will affect the type of instance you can configure for the playbook steps. Let's delve deeper into this.

Configure Instance. Now you will navigate to a playbook step that contains an integration. What will appear in the Configure Instance field depends both on what instances you created and also on what environments you choose when creating the playbook.
If you choose All Environments or several environments, the first option in Configure Instance is "Dynamic Mode".
Dynamic Mode: Dynamic mode means that when the playbook is attached to a case, Google Security Operations will try to access the instance of the integration configured for the case environment.
Fallback Instance: This is an optional field. If the user is using dynamic mode and there is no configured instance on this environment, a fallback instance can be chosen from shared instances (which are available for playbooks in all environments).

If there is no available instance on the environment and the user hasn't configured a fallback instance, the action will fail unless configured as "skip if failed". Using "skip if failed" is useful mainly for MSSPs who can decide whether to use their own paid tools if their customer doesn't have a license for a specific tool, and who therefore want to bypass the instance.

Please note that the fallback instance is not used in dynamic mode if more than one instance is configured for the environment. In this situation, the playbook will stop and ask the analyst to choose an instance manually.

If you choose a single environment, then the Configure Instance field will allow you to choose the integration that you have configured for that specific action, or the Shared Instance integration.
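The Dynamic Mode rules described above can be modelled as a small decision function, which is handy for checking in advance which environments would fail, pause, or fall back for a given step. This is an added example, not Google Security Operations code; the function names, outcome strings, and sample instance names are all hypothetical.

```python
# Added illustration: a model of the Dynamic Mode rules from this page.
# Names and outcome strings are hypothetical, not a product API.
from typing import Dict, List, Optional


def resolve_dynamic(env_instances: List[str],
                    fallback: Optional[str] = None,
                    skip_if_failed: bool = False) -> str:
    """Outcome of one Dynamic Mode step for a case from a given environment."""
    if len(env_instances) == 1:
        # Exactly one instance on the case environment: it is used.
        return f"use:{env_instances[0]}"
    if len(env_instances) > 1:
        # Fallback is not applied; the playbook stops for a manual choice.
        return "manual_choice"
    if fallback is not None:
        # No instance on the environment: use the shared fallback instance.
        return f"fallback:{fallback}"
    # No instance and no fallback: the action fails unless "skip if failed".
    return "skipped" if skip_if_failed else "failed"


def audit(instances_by_env: Dict[str, List[str]],
          fallback: Optional[str] = None,
          skip_if_failed: bool = False) -> Dict[str, str]:
    """Resolve the step for every environment the playbook is attached to."""
    return {env: resolve_dynamic(insts, fallback, skip_if_failed)
            for env, insts in instances_by_env.items()}


def needs_attention(report: Dict[str, str]) -> List[str]:
    """Environments where the step will not run unattended on its own instance."""
    return sorted(env for env, outcome in report.items()
                  if not outcome.startswith("use:"))


# Constructed sample: three customer environments for one integration.
SAMPLE = {
    "Customer A": ["VirusTotal_A"],
    "Customer B": [],
    "Customer C": ["VirusTotal_C1", "VirusTotal_C2"],
}

if __name__ == "__main__":
    report = audit(SAMPLE, fallback="VirusTotal_Shared")
    for env, outcome in report.items():
        print(f"{env}: {outcome}")
    print("Review:", needs_attention(report))
```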

Let's look at a few examples of this feature.

Use Case #1 Two Instances in a Default Environment

In this scenario, I have one enterprise network separated into two sites: US and UK. For each of the sites, I want to have a separate Active Directory configuration.
Therefore, I need to configure two instances of the ActiveDirectory integration for the same environment and then have the playbook select the required one at runtime.

Install an integration

  1. Navigate to Google Security Operations Marketplace > Integrations.
  2. Search for the required integration. For this example, you will be using Active Directory.
  3. Install it.

Configure an Instance

  1. From the left navigation, navigate to Response > Integrations Setup.
  2. In the Environments list on the left, click on the environment you want to create an instance for. For this example, you will use the Default Environment.
  3. On the top right of the page, click Create a new instance.
  4. In the Add Instance dialog box, select the required integration from the list and click Save. In this example, select Active Directory.
  5. Scroll to the required integration, and click Configure Instance. Add in all the relevant information and parameters. You will configure it for users in the US site. When finished, click Save. You can also click Test to make sure that the configuration works.
  6. Now add another instance of Active Directory, this time configured for users in the UK site. Click Save when fully configured.
  7. Note that you can make changes at a later stage if needed. Once configured, the instances can be used in playbooks.

Use this instance in playbooks

  1. Navigate to the Playbooks page and click Add New Playbook or Block to add a playbook.
  2. Make sure to select the relevant folder and for this example, to choose the Default Environment. We will talk in more detail about which environment to choose later on in this article.
  3. In the Actions, under ActiveDirectory, choose Enrich entities and drag it into a step and then double-click on it.
  4. In the Choose Instance field, select the instance, either UK site or US site, that this playbook will be triggered for.

Use Case #2 Dynamic Mode in Multi Environments

In this scenario, as an MSSP, you have several different customers with each one defined in a different environment. At runtime of the Playbook, you want the Playbook to choose the environment "dynamically" based on which environment the case has come in from.

Define environments:

  1. Navigate to Settings > Organization > Environments.
  2. Click Add Environment and define the required environment with the parameters.
  3. Create several new environments.

Install an integration

  1. Navigate to Google Security Operations Marketplace > Integrations.
  2. Search for the required integration. For this example, you will be using VirusTotal.
  3. Install it.

Configure instances

  1. From the left navigation, navigate to Response > Integrations Setup, select each customer and click the Configure tab.
  2. Configure each environment with the VirusTotal integration instance according to the needs of each customer.

Set up playbooks

  1. Navigate to the Playbooks page.
  2. Create a playbook making sure to select the environments you created and configured above.
  3. When using the VirusTotal ping action, select Dynamic Mode. This ensures that Google Security Operations will check which environment the case comes from at run time and apply that specific instance to it.