Specify instance in dynamic mode
This document explains how to specify an instance name when selecting the dynamic mode option in a playbook step. Dynamic mode is primarily used when building a playbook for multiple environments (or all environments), so that the playbook dynamically selects the instance from the target environment at runtime. The Specify instance name field is used when you have defined two or more integration instances for each environment and want the playbook to select the correct one automatically, without having to stop and wait for the analyst to manually choose.
Specify an instance name dynamically
When you create a playbook for multiple environments, select Dynamic Mode in conjunction with Specify instance name so that you can dynamically define which instance to use for each action using free text or placeholders. You can use placeholders, which let you define the instance name as a pattern, or you can use flow conditions, which let you define the conditions under which each instance is used. You can also specify a default fallback instance to use if the named instance can't be found. There are three main ways of specifying the instance name to use in the dynamic mode.
Option one: Use placeholders in the specify instance name field
If your instance names follow a predictable pattern, you can use alert placeholders to define which instance to use. The following example uses the alert placeholder in the Specify instance name field. Two instances are defined under the Active Directory integration: ActiveDirectory_UK and ActiveDirectory_US.
The ingested alert contains a field called location. To make use of this field, you can use the [alert.location] placeholder in the Specify instance name field. In this scenario, within the Active Directory playbook step, you would use ActiveDirectory_[alert.location] in the Specify instance name field. If the alert comes from America, and therefore the value of location = US, the platform chooses the ActiveDirectory_US instance.
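The following is an added example, not part of the platform or its documentation: an offline check that models the placeholder substitution from option one and the default fallback, so you can see which sample alerts resolve to a configured instance and which would land on the fallback or on nothing. The function names, the sample alerts, and the matching rule (exact, case-sensitive name match) are assumptions made for illustration.

```python
import re

# Matches placeholders such as [alert.location] inside an instance-name template.
PLACEHOLDER = re.compile(r"\[([A-Za-z_]\w*)\.([A-Za-z_]\w*)\]")


def resolve_instance(template, context, configured, fallback=None):
    """Model of dynamic instance selection (assumed semantics, not platform code).
    Returns (name, reason); reason is "matched", "fallback" or "unresolved"."""
    missing = []

    def substitute(match):
        scope, field = match.group(1), match.group(2)
        value = context.get(scope, {}).get(field)
        if value is None or str(value).strip() == "":
            missing.append(match.group(0))  # placeholder had no usable value
            return ""
        return str(value).strip()

    name = PLACEHOLDER.sub(substitute, template)
    if not missing and name in configured:
        return name, "matched"
    if fallback in configured:
        return fallback, "fallback"
    return None, "unresolved"


def audit(template, alerts, configured, fallback=None):
    """Resolve every sample alert and group alert ids by outcome."""
    report = {"matched": [], "fallback": [], "unresolved": []}
    for alert_id, context in alerts.items():
        _, reason = resolve_instance(template, context, configured, fallback)
        report[reason].append(alert_id)
    return report


# Constructed sample data: instance names from the example above, invented alerts.
CONFIGURED = {"ActiveDirectory_UK", "ActiveDirectory_US"}
ALERTS = {
    "a1": {"alert": {"location": "US"}},
    "a2": {"alert": {"location": "UK"}},
    "a3": {"alert": {"location": "us"}},   # case differs from the instance name
    "a4": {"alert": {}},                    # field missing from the alert
}

if __name__ == "__main__":
    print(audit("ActiveDirectory_[alert.location]", ALERTS, CONFIGURED, "ActiveDirectory_UK"))
```

Alerts that land in the fallback or unresolved groups are the ones to review before the playbook runs unattended, because an action there would execute against an instance the alert did not name.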
Option two: Use entity placeholders in the specify instance name field
and you need a way to return the correct entity only. This is achieved by using both the entity placeholder and the Siemplify Power Ups Tool Buffer action to scope the correct placeholder and return one result. The following procedure shows how to set up retrieving the correct entity.
- In the Tools_Buffer action, in the entities drop-down, select the scope that you want to use; for example, Destination users.
- In the Result Value field, insert the placeholder [Entity.location]. The result of this action will be the placeholder [Entity.location] scoped to Destination users only.
- In the next playbook step, for example, VirusTotal_Enrich Hash, select Dynamic mode and in the Specify instance name field, select VirusTotal_[Tools_Buffer_1.ScriptResult] from the placeholder options.
Option three: Use static instance name and the Flow condition step
If your instance names don't follow a predictable pattern, you can still dynamically select an instance based on parameters of your alert using the conditions step. The following example shows how to set up different conditional branches to return the correct instance to be used. The example uses the Alert Rule Generator condition and relies on two instances having been set up under the Email integration named Email_1 and Email_2. Based on the condition result, the playbook runs on different branches and therefore chooses the correct instance. So if the Alert Rule Generator equals Cloud Email, the playbook runs on the first branch, which uses the instance named Email_1.
In the flow condition step, enter the following information:
- If the Alert Rule Generator equals Cloud Email detection then go to branch one.
- If the Alert Rule Generator equals on-premises Email then go to branch two.
- In the first step of branch one, choose Dynamic Mode > Specify Instance name and put Email_1.
- In the first step of branch two, choose Dynamic Mode > Specify Instance name and put Email_2.