Support multiple instances
You can configure multiple instances of the same integration within the same environment. This feature gives you greater flexibility and granularity when you create and run playbooks. For example, you can build a playbook for a customer with two sites, each using separate Active Directories, and then select the appropriate integration instance within each playbook step.
This feature is configured in Response > Integrations Setup and supported by the Choose Instance field in the playbook step, as well as the multi-select environment option.
Integrations page
On the Integrations page, there are two predefined options listed on the left: Shared Instances and Default Environment.
Shared Instances acts as a type of library for configured integrations that are used for all environments that are created both now and in the future. The Shared Instances repository also contains Google SecOps predefined integrations out of the box.
Any environment that you create in Settings > Organizations > Environments will appear in the list on the left.
You can filter the display of environments and hide empty environments. Enterprise customers work primarily with the default environment.
Add and configure an Instance
- Add an environment on the left side of the page.
- Click Create a new instance on the top right.
- Select the integration and then configure the parameters for the specific instance of that integration. You must configure an instance of an integration in order to use it in a playbook.
To reconfigure or edit this instance in the future, click Configure Instance. To add two instances of the same integration per environment, configure a second instance.
Select an environment
The multi-select environment feature is available when creating a new playbook. Go to the Playbooks page to see it. Do one of the following:
- Select All Environments to run the playbook on all environments defined in the system.
- Select one or more environments for the playbook to run on.
The selection of multiple or all environments restricts the instance type configurable for playbook steps. A more detailed explanation follows.
Configure an Instance
Go to a playbook step that contains an integration. What appears in the Configure Instance field depends both on what instances you created and on what environments you choose when creating the playbook.
If you choose All Environments or several environments, the first option in Configure Instance is Dynamic Mode.
Dynamic Mode
Dynamic mode means that when the playbook is attached to a case, Google SecOps will try to access the instance of the integration configured for the case environment.
Fallback Instance
This is an optional field. If you're using dynamic mode and there's no configured instance on this environment, a fallback instance can be selected from shared instances (which is available for playbooks in all environments).
If there's no available instance on the environment and you haven't configured a fallback instance, the action will fail unless configured as "skip if failed". Using "skip if failed" is useful mainly for MSSPs who can decide whether to use their own paid tools if their customer doesn't have a license for a specific tool, and who therefore want to bypass the instance.
Note that the fallback instance isn't used in dynamic mode if there is more than one instance configured for the environment. In this situation, the playbook will stop and ask the analyst to choose the instance manually.
If you choose a single environment, Configure Instance lets you choose the Integration that you've configured for that specific Action, or the Shared Instance integration.
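The Dynamic Mode and fallback rules above can be checked before a playbook goes live. The following is an added example, not Google SecOps code: a small model of those rules that reports, per environment, what a dynamic-mode step would do. All function names, environment names and instance names are constructed for illustration, and returning a "skipped" outcome for "skip if failed" is a modeling assumption.

```python
from enum import Enum

class Outcome(Enum):
    RUN = "run on instance"
    ASK_ANALYST = "playbook stops: analyst chooses instance"
    SKIPPED = "action failed, step skipped"
    FAILED = "action failed"

def resolve_dynamic(case_env, env_instances, shared, fallback=None,
                    skip_if_failed=False):
    """Model of Dynamic Mode for one step (hypothetical helper)."""
    # A fallback instance can only be selected from Shared Instances.
    if fallback is not None and fallback not in shared:
        raise ValueError(f"fallback {fallback!r} is not a shared instance")
    candidates = env_instances.get(case_env, [])
    if len(candidates) == 1:
        # Exactly one instance for the case environment: use it.
        return Outcome.RUN, candidates[0]
    if len(candidates) > 1:
        # Several instances: the fallback is not used, the analyst decides.
        return Outcome.ASK_ANALYST, None
    if fallback is not None:
        # No instance in the environment: use the shared fallback.
        return Outcome.RUN, fallback
    # No instance and no fallback: fail, unless "skip if failed" is set.
    return (Outcome.SKIPPED if skip_if_failed else Outcome.FAILED), None

def audit(environments, env_instances, shared, fallback=None,
          skip_if_failed=False):
    """Resolve the step for every environment the playbook is attached to."""
    return {env: resolve_dynamic(env, env_instances, shared, fallback,
                                 skip_if_failed)
            for env in environments}

# Constructed sample configuration (names are illustrative only).
ENVS = ["Customer A", "Customer B", "Customer C"]
ENV_INSTANCES = {
    "Customer A": ["VirusTotal_A"],
    "Customer B": ["VirusTotal_B1", "VirusTotal_B2"],
}
SHARED = ["VirusTotal_MSSP"]

if __name__ == "__main__":
    report = audit(ENVS, ENV_INSTANCES, SHARED, fallback="VirusTotal_MSSP")
    for env, (outcome, instance) in report.items():
        print(f"{env}: {outcome.value} {instance or ''}".rstrip())
```

Environments that resolve to FAILED or ASK_ANALYST are the ones to review before selecting All Environments for a playbook.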
Use Case #1: Two Instances in a default Environment
This scenario involves an enterprise network divided into two sites: US and UK. Each site requires a distinct Active Directory configuration. Therefore, configure two instances of Active Directory integration for the environment, which lets the playbook select the appropriate instance during runtime.
Install an integration
- Go to Google SecOps Marketplace > Integrations.
- Search for the required integration. For this example, use Active Directory.
- Install the integration.
Configure an Instance
- Go to Response > Integrations Setup.
- In the Environments list on the left, select the environment you want to create an instance for. For this example, use Default Environment.
- Click Create a new instance.
- In the Add Instance dialog, select the required integration from the list and click Save. In this example, select Active Directory.
- Go to the required integration, and click Configure Instance. Enter all the relevant information and parameters. For this example, configure it for users in the US site. When finished, click Save.
- Optional: click Test to make sure that the configuration works.
- Add another instance of the Active Directory. In this example, configure it for users in the UK site. Click Save when fully configured.
- Note that you can make changes at a later stage if needed. Once configured, the instances can be used in playbooks.
Use this instance in playbooks
- Go to Playbooks and click Add New Playbook or Block to add a playbook.
- Make sure to select the relevant folder and, for this example, choose the Default Environment.
- In Actions, under ActiveDirectory, choose Enrich entities and drag it into a step and then double-click it.
- In the Choose Instance field, select the Instance — either UK site or US site — that this playbook will be triggered for.
Use Case #2: Dynamic Mode in multi environments
In this scenario, as an MSSP, you have several different customers, each defined in a different environment. At playbook runtime, you want the playbook to choose the environment "dynamically" based on which environment the case came in from.
Define environments
- Go to Settings > Organization > Environments.
- Click Add Environment and define the required environment with the parameters.
- Create several new environments.
Install an integration
- Go to Google SecOps Marketplace > Integrations.
- Search for the required integration. For this example, select and install VirusTotal.
Configure instances
- From the left navigation, go to Response > Integrations Setup, select each customer, and click Configure.
- Configure each environment with the VirusTotal integration instance according to the needs of each customer.
Set up a playbook
- Go to the Playbooks page.
- Create a playbook, making sure to select the environments you created and configured previously.
- When using the VirusTotal ping action, select Dynamic Mode. This ensures that Google SecOps checks which environment the case comes from at runtime and applies that specific instance to it.