Supporting Multiple Instances
Users can configure multiple instances of the same integration for the same environment. This feature provides users with greater flexibility and granularity when creating and running Playbooks. For example, when building a Playbook which caters to a customer with two sites, each site using its own Active Directory, you can now configure two instances of the same integration for the same environment and choose between them within the Playbook step.
This feature is configured in the > Integrations and supported by the Choose Instance field in the Playbook step, as well as the multi-select environment option.
Configure Screen. Let’s take a look at the Configure Screen. This screen comes with two predefined options on the left. One is called Shared instances and the other is the Default Environment. In the screenshot below, we have defined a few other environments as well.
Shared Instances acts as a type of library for configured integrations that can be used for all environments that are created both now and in the future. The Shared instances repository also contains Chronicle SOAR predefined Integrations out of the box.
Any environment that you create in the Settings > Organizations > Environments tab will appear in the list on the left.
You can choose to filter the display of environments and hide empty environments. Enterprise customers will primarily be working with the default environment.
Configure Instance: You add an instance by selecting an environment on the left side of the page and then clicking the icon on the top right. Select the Integration and then configure the parameters for the specific instance of that Integration. You must configure an instance of an Integration in order to use it in a Playbook. To reconfigure or edit this instance in the future, you can click on the Gear icon. To add two instances of the same Integration per environment, simply configure a second instance.
Select Environment. Now, let’s navigate to the Playbooks screen and take a look at the Multi-select environment option that appears when you create a new Playbook. You have two choices: one is to select All environments. This means that this Playbook will run on all current environments defined in the system as well as all environments that will be added in the future.
The second option is to select one or more environments for the Playbook to run on.
Note that selecting multiple or all environments will affect the type of Instance you can configure for the Playbook steps. Let’s delve deeper into this.
Configure Instance. Now we will navigate to a Playbook step that contains an Integration. What will appear in the Configure Instance field depends both on what Instances you created and also on what environments you chose when creating the Playbook.
If you chose All Environments or several environments, the first option in the Configure Instance field is “Dynamic Mode”.
Dynamic Mode: Dynamic Mode means that when the playbook is attached to an alert, Chronicle SOAR will try to pick the relevant instance from the options configured for the case environment.
Fallback Instance: This is an optional field. If the user is using Dynamic Mode and there is no configured instance in this environment, a Fallback instance can be chosen from Shared Instances (which are available for playbooks in all environments).
If there is no available instance in the environment and the user hasn't configured a fallback instance, the action will fail unless it is configured as “skip if failed”. Using “skip if failed” is useful mainly for MSSPs who can decide whether to use their own paid tools if their customer doesn’t have a license for a specific tool, and who therefore want to bypass the instance.
Please note that the fallback instance is not used in Dynamic Mode if more than one instance is configured for the environment. In this situation, the playbook will stop and ask the analyst to choose an instance manually.
If you choose a single environment, the Configure Instance field allows you to choose either the Integration instance that you have configured in that environment for that specific Action, or the Shared Instance integration.
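The resolution rules described above for a playbook step in Dynamic Mode, modeled as an added example (this is not Chronicle SOAR code; the class names, outcome labels and sample instances are constructed for illustration, and it assumes that exactly one matching instance in the case environment is selected automatically):

```python
from dataclasses import dataclass
from typing import Optional

SHARED = "Shared Instances"  # library usable by playbooks in every environment

@dataclass(frozen=True)
class Instance:
    name: str
    integration: str
    environment: str

@dataclass(frozen=True)
class Step:
    integration: str
    fallback: Optional[str] = None   # optional: name of a Shared Instances entry
    skip_if_failed: bool = False

def resolve_dynamic(step, case_env, instances):
    """Return (outcome, instance_name) for a step set to Dynamic Mode."""
    # Only instances configured for the case's own environment are candidates,
    # so one customer's case never runs against another customer's instance.
    local = [i for i in instances
             if i.integration == step.integration and i.environment == case_env]
    if len(local) == 1:
        return ("run", local[0].name)
    if len(local) > 1:
        # The fallback is not applied here; the playbook stops for the analyst.
        return ("ask_analyst", None)
    shared = {i.name for i in instances
              if i.integration == step.integration and i.environment == SHARED}
    if step.fallback in shared:
        return ("run", step.fallback)
    return ("skipped", None) if step.skip_if_failed else ("failed", None)

# Constructed sample configuration (hypothetical names).
INSTANCES = [
    Instance("VT-CustomerA", "VirusTotal", "Customer A"),
    Instance("AD-US", "ActiveDirectory", "Default Environment"),
    Instance("AD-UK", "ActiveDirectory", "Default Environment"),
    Instance("VT-MSSP", "VirusTotal", SHARED),
]

if __name__ == "__main__":
    for env in ("Customer A", "Customer B"):
        step = Step("VirusTotal", fallback="VT-MSSP")
        print(env, resolve_dynamic(step, env, INSTANCES))
```

When reviewing a multi-environment playbook, the "ask_analyst" and "failed" outcomes are the ones worth checking for in advance, since both halt automation for that case.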
Let’s look at a few examples of this feature.
Use Case #1 Two Instances in a Default Environment
In this scenario, I have one enterprise network separated into two sites – US and UK. For each of the sites, I want to have a separate Active Directory configuration.
Therefore, I need to configure two instances of the ActiveDirectory integration for the same environment and then have the Playbook select the required one at runtime.
Install an Integration
- Navigate to Marketplace > Integrations.
- Search for the required Integration. For this example, we will be using Active Directory.
- Install it.
Configure an Instance
- Navigate to > Integrations.
- In the Environments list on the left, click on the Environment you want to create an Instance for. For this example, we will use the Default environment.
- On the top right of the screen, click the icon.
- In the Add Instance dialog box, select the required Integration from the drop-down list and click Save. In this example, we have selected Active Directory.
- Scroll to the required integration, and click on the icon on the right side. Add in all the relevant information and parameters. We will configure it for users in the US site. When finished, click Save. You can also click Test to make sure that the configuration works.
- Now, let’s add another instance of Active Directory, this time configured for users in the UK site. Click Save when fully configured.
- Note that you can make changes at a later stage if needed. Once configured, the Instances can be used in Playbooks.
Use this Instance in Playbooks
- Navigate to Playbooks screen and click the icon to add a Playbook.
- Make sure to select the relevant folder and for this example, to choose the Default Environment. We will talk in more detail about which Environment to choose later on in this article.
- In the Actions, under Active_Directory, let’s choose Enrich Entities and drag it into a Step and then click on it.
- In the Choose Instance field, select the Instance (either UK site or US site) that this Playbook will be triggered for.
Use Case #2 Dynamic Mode in Multi Environments
In this scenario, as an MSSP, you have several different customers with each one defined in a different environment. At runtime of the Playbook, you want the Playbook to choose the environment “dynamically” based on which environment the case has come in from.
Define environments:
- Navigate to Settings > Organization > Environments screen.
- Click on the plus sign and define the required environment with the parameters.
- Create several new environments.
Install an Integration
- Navigate to Marketplace > Integrations.
- Search for the required Integration. For this example, we will be using VirusTotal.
- Install it.
Configure Instances
- Navigate to > Integrations, select each customer and click on the Configure tab.
- Configure each environment with the VirusTotal integration instance according to the needs of each customer.
Set up Playbooks
- Navigate to Playbooks screen.
- Create a Playbook making sure to select the environments you created and configured above.
- When using the VirusTotal ping action, select Dynamic Mode. This ensures that Siemplify will check which environment the case comes from at run time and apply that specific instance to it.