This document explains how to specify an instance name when selecting the
dynamic mode option in a playbook step.
Dynamic mode is primarily used when building a playbook for multiple environments
(or all environments) in order for the playbook to dynamically select the instance
from the target environment at runtime.
The specify instance name field is used for when you have defined two or more
integration instances for each environment and want the playbook to select the
correct one automatically, without having to stop and wait for the analyst to manually choose.
Specify an instance name dynamically
When you create a playbook for multiple environments, select Dynamic
Mode in conjunction with Specify instance name so that you can
dynamically define which instance to use for each
action using free text or placeholders. You have the choice to use placeholders,
which let you define the
instance name a pattern, or you can use flow conditions, which let you define the
conditions of when to use each instance.
You can also specify a default fallback instance to use if the named instance
can't be found.
There are three main ways of specifying the instance name to use in the dynamic mode.
Option one: Use placeholders in the specify instance name field
If your instance names follow a predictable pattern, you can use alert placeholders
to define which instance to use. The following example uses the alert placeholder
in the Specify instance name field. Two instances are defined under
the Active Directory integration: ActiveDirectory_UK and ActiveDirectory_US.
The ingested alert contains a field called location. In order to
make use of this field, you can use the [alert.location] placeholder
in the Specify instance name field. In this scenario, within the
Active Directory playbook step, you would use ActiveDirectory_[alert.location]
in the Specify instance name field, and if the alert comes from America
and therefore the value of location = US, then the platform chooses the instance.
Option two: Use entity placeholders in the specify instance name field
and you need a way to return the correct entity only. This is achieved by using
both the entity placeholder and the Siemplify Power Ups Tool Buffer action to scope
the correct placeholder and return one result.
The following procedure shows how to set up retrieving the correct entity.
In the Tools_Buffer action, in the entities drop-down, select
the scope that you want to use; for example, Destination users.
In the Result Value field, insert the placeholder [Entity.location].
The result of this action will be the placeholder [Entity.location]
scoped to Destination users only.
In the next playbook step, for example, VirusTotal_Enrich Hash ,
select Dynamic mode and in the Specify instance name field,
select VirusTotal_[Tools_Buffer_1.ScriptResult]from the placeholder options.
Option Three: Use static instance name and the Flow condition step
If your instances names don't follow a predictable pattern, you can still
dynamically select an instance based on parameters of your alert using the conditions step.
The following example shows how to set up different conditional branches to return
the correct instance to be used. The example uses the Alert Rule Generator condition
and relies on two instances having been set up under the Email integration named
Email_1 and Email_2. Based on the condition result, the playbook will run on different
branches and therefore choose the correct instance. So if the Alert Rule Generator
equals Cloud Email, the playbook will run on the first branch which uses the instance named Email_1
In the flow condition step, enter the following information:
If the Alert Rule Generator equals Cloud Email detection then go to branch one.
If the Alert Rule generator equals on-premises Email then go to branch two.
In the first step of branch one, choose Dynamic Mode > Specify Instance name
and put Email_1.
In the first step of branch two, choose Dynamic Mode > Specify Instance name
and put Email_2.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eDynamic mode in playbooks allows for the automatic selection of integration instances at runtime, particularly useful in multi-environment setups.\u003c/p\u003e\n"],["\u003cp\u003eThe "Specify instance name" field in dynamic mode can utilize placeholders, enabling instance selection based on patterns derived from alert or entity data.\u003c/p\u003e\n"],["\u003cp\u003ePlaceholders in the "Specify instance name" field, like \u003ccode\u003e[alert.location]\u003c/code\u003e or \u003ccode\u003e[Entity.location]\u003c/code\u003e, dynamically assign instances based on alert or entity characteristics.\u003c/p\u003e\n"],["\u003cp\u003eThe Flow condition step allows for instance selection based on conditional logic, making it possible to map instances to specific alert or event properties, even without predictable naming patterns.\u003c/p\u003e\n"],["\u003cp\u003eA default fallback instance can be set to use if the dynamically named instance can not be found.\u003c/p\u003e\n"]]],[],null,["# Specify instance in dynamic mode\n================================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \nThis document explains how to specify an instance name when selecting the\ndynamic mode option in a playbook step.\nDynamic mode is primarily used when building a playbook for multiple environments\n(or all environments) in order for the playbook to dynamically select the instance\nfrom the target environment at runtime.\nThe specify instance name field is used for when you have defined two or more\nintegration instances for each environment and want the playbook to select the\ncorrect one automatically, without having to stop and wait for the analyst to manually choose.\n\nSpecify an instance name dynamically\n------------------------------------\n\nWhen you create a playbook for multiple environments, select **Dynamic\nMode** in conjunction with **Specify instance name** so that you can\ndynamically define which instance to use for each\naction using free text or placeholders. You have the choice to use placeholders,\nwhich let you define the\ninstance name a pattern, or you can use flow conditions, which let you define the\nconditions of when to use each instance.\nYou can also specify a default fallback instance to use if the named instance\ncan't be found.\nThere are three main ways of specifying the instance name to use in the dynamic mode.\n\n### Option one: Use placeholders in the specify instance name field\n\nIf your instance names follow a predictable pattern, you can use alert placeholders\nto define which instance to use. The following example uses the alert placeholder\nin the **Specify instance name** field. Two instances are defined under\nthe Active Directory integration: `ActiveDirectory_UK` and `ActiveDirectory_US`.\nThe ingested alert contains a field called `location`. In order to\nmake use of this field, you can use the `[alert.location]` placeholder\nin the **Specify instance name** field. In this scenario, within the\n**Active Directory** playbook step, you would use `ActiveDirectory_[alert.location]`\nin the **Specify instance name** field, and if the alert comes from America\nand therefore the value of location = US, then the platform chooses the instance.\n\n### Option two: Use entity placeholders in the specify instance name field\n\nand you need a way to return the correct entity only. This is achieved by using both the entity placeholder and the **Siemplify Power Ups Tool Buffer** action to scope the correct placeholder and return one result. \nThe following procedure shows how to set up retrieving the correct entity.\n\n1. In the **Tools_Buffer** action, in the entities drop-down, select the scope that you want to use; for example, **Destination users**.\n2. In the Result Value field, insert the placeholder `[Entity.location]`. The result of this action will be the placeholder `[Entity.location]` scoped to Destination users only.\n3. In the next playbook step, for example, **VirusTotal_Enrich Hash** , select **Dynamic mode** and in the **Specify instance name** field, select `VirusTotal_[Tools_Buffer_1.ScriptResult]`from the placeholder options.\n\n### Option Three: Use static instance name and the Flow condition step\n\nIf your instances names don't follow a predictable pattern, you can still\ndynamically select an instance based on parameters of your alert using the conditions step.\nThe following example shows how to set up different conditional branches to return\nthe correct instance to be used. The example uses the Alert Rule Generator condition\nand relies on two instances having been set up under the Email integration named\nEmail_1 and Email_2. Based on the condition result, the playbook will run on different\nbranches and therefore choose the correct instance. So if the Alert Rule Generator\nequals Cloud Email, the playbook will run on the first branch which uses the instance named Email_1\n\nIn the flow condition step, enter the following information:\n\n1. If the Alert Rule Generator equals Cloud Email detection then go to branch one.\n2. If the Alert Rule generator equals on-premises Email then go to branch two. [](/static/chronicle/images/soar/flowcondition.png)\n3. In the first step of branch one, choose **Dynamic Mode \\\u003e Specify Instance name** and put Email_1.\n4. In the first step of branch two, choose **Dynamic Mode \\\u003e Specify Instance name** and put Email_2.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
