Connectors can be set up in various ways, as each connector has its own
configuration. Here are some ways an analyst can define connectors:
Set static environment: define the option in the Environment
field in the specific connector on the Google Security Operations platform.
Extract environment dynamically: define the option in the
Environment Field Name field. The environment is extracted from that
field.
Extract environment dynamically + regular expression pattern: define
the option in the Environment Regex Pattern field and
the environment is extracted from that field by the regular expression
pattern.
Using third-party multi-tenant mechanism: Define the
option in the Environment field by the third-party tenant name. Some
integrations have a built-in, multi-tenant mechanism. These integration
connectors have a checkbox that allows the analyst to set the Environment
field by the third-party tenant name.
In some cases, the extracted environment field value is different from the
Google SecOps environment. For example, the Environment
field is altostrat.com while the Google SecOps
environment is called altostrat.
Define alias names
Go to SOAR Settings > Organization
> Environments.
Click
add
Add Environment in order to match the name in the integration
with the name of the environment in the Google SecOps platform.
Troubleshooting
If after the entire process, the connector has no environment or an empty
environment (""), the default overrides the empty result. If the
connector contains values that define an uncreated environment, then alerts
are ingested in the database and playbooks start to run. As soon as the new
environment is created, the cases and playbooks are displayed in the platform.
In order for alerts that are related to non-existing environments to
not be ingested into the database, you can contact
Google SecOps Support
and request they make the change in the database configuration.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eConnectors in Google Security Operations (SOAR) can have their environments defined statically in the connector's \u003cstrong\u003eEnvironment\u003c/strong\u003e field.\u003c/p\u003e\n"],["\u003cp\u003eEnvironments for connectors can be dynamically extracted from a specified field, either as the full value or through a regular expression pattern, however not all connectors support dynamic extraction through regex.\u003c/p\u003e\n"],["\u003cp\u003eThird party integrations may have multi-tenant mechanisms that allows to set the environment field according to the third party tenant name.\u003c/p\u003e\n"],["\u003cp\u003eAnalysts can create environment aliases in Google Security Operations under \u003cstrong\u003eSOAR Settings > Organization > Environments\u003c/strong\u003e to match environment names from integrations with the platform's environment names.\u003c/p\u003e\n"],["\u003cp\u003eIf a connector has no environment or an empty one, a default environment will be applied, while if the connector contains values that define an uncreated environment, alerts will still be ingested and playbooks will run.\u003c/p\u003e\n"]]],[],null,["# Define environments in SOAR connectors\n======================================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nConnectors can be set up in various ways, as each connector has its own\nconfiguration. Here are some ways an analyst can define connectors:\n\n- **Set static environment:** define the option in the **Environment** field in the specific connector on the Google Security Operations platform.\n- **Extract environment dynamically** : define the option in the **Environment Field Name** field. The environment is extracted from that field.\n- **Extract environment dynamically + regular expression pattern** : define the option in the **Environment Regex Pattern** field and the environment is extracted from that field by the regular expression pattern. **Note:** Not all connectors support this option.\n- **Using third-party multi-tenant mechanism** : Define the option in the **Environment** field by the third-party tenant name. Some integrations have a built-in, multi-tenant mechanism. These integration connectors have a checkbox that allows the analyst to set the **Environment** field by the third-party tenant name.\n\n\nIn some cases, the extracted environment field value is different from the\nGoogle SecOps environment. For example, the **Environment**\nfield is `altostrat.com` while the Google SecOps\nenvironment is called *altostrat*.\n\nDefine alias names\n------------------\n\n1. Go to **SOAR Settings \\\u003e Organization\n \\\u003e Environments**.\n2. Click add **Add Environment** in order to match the name in the integration with the name of the environment in the Google SecOps platform.\n\nTroubleshooting\n---------------\n\n\nIf after the entire process, the connector has no environment or an empty\nenvironment (`\"\"`), the default overrides the empty result. If the\nconnector contains values that define an uncreated environment, then alerts\nare ingested in the database and playbooks start to run. As soon as the new\nenvironment is created, the cases and playbooks are displayed in the platform.\nIn order for alerts that are related to non-existing environments to\n*not* be ingested into the database, you can contact\n[Google SecOps Support](https://console.cloud.google.com/support)\nand request they make the change in the database configuration.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
