Defining environments in connectors

There are multiple ways to define the environment in a connector, because each connector has a different configuration.
The four main ways are as follows:

  • Set static environment: the analyst defines the option in the Environment field in the specific connector on the Google Security Operations platform.
  • Extract environment dynamically: the analyst defines the option in the Environment Field Name field. The environment is extracted from that field.
  • Extract environment dynamically + regular expression pattern: the analyst defines the option in the Environment Regex Pattern field and the environment is extracted from that field by the regular expression pattern. Not all connectors support this option.
  • Using third-party multi-tenant mechanism: the analyst defines the option in the Environment field by the third-party tenant name. Some integrations have a built-in multi-tenant mechanism. These integration connectors have a checkbox that allows the analyst to set the Environment field by the third-party tenant name.

In some cases, the extracted environment field value is different from the Google Security Operations environment—for example, the Environment field is altostrat.com while the Google Security Operations environment is called altostrat.

To define alias names, navigate to SOAR Settings > Organization > Environments. Click Add Environment to match the name in the integration with the name of the environment in the Google Security Operations platform.

If, after the entire process, the connector has no environment or an empty environment (""), the default overrides the empty result. If the connector contains values that define an uncreated environment, alerts are ingested into the database and playbooks start to run. As soon as the new environment is created, the cases and playbooks are displayed in the platform. To prevent alerts that are related to non-existing environments from being ingested into the database, contact Google Security Operations Support and request that they make the change in the database configuration. For more information, see Open a ticket for Google Support.
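
The resolution order and the uncreated-environment case described above, modeled as an added example (this is not Google Security Operations code). The function names, the "Default Environment" name, the precedence of the dynamic field over the static value, and the use of the first regex match are assumptions; the events are constructed sample data.

```python
import re

DEFAULT_ENVIRONMENT = "Default Environment"  # assumed name of the platform default


def resolve_environment(event, static_env="", field_name="",
                        regex_pattern="", aliases=None):
    """Model how a connector arrives at an environment name for one event.

    Assumed order: static Environment value, overridden by the value found in
    the Environment Field Name field, narrowed by the Environment Regex
    Pattern, mapped through aliases, with the default replacing an empty result.
    """
    value = static_env
    extracted = str(event.get(field_name) or "") if field_name else ""
    if extracted:
        value = extracted
        if regex_pattern:
            match = re.search(regex_pattern, extracted)
            if match:  # assumption: no match leaves the raw field value
                value = match.group(0)
    value = value.strip()
    value = (aliases or {}).get(value, value)  # alias -> platform environment
    return value or DEFAULT_ENVIRONMENT


def audit_uncreated(events, created_environments, **connector_cfg):
    """Count alerts per resolved environment that does not exist yet.

    Such alerts are ingested and their playbooks run, but the cases stay
    hidden until the environment is created, so they are worth reviewing.
    """
    missing = {}
    for event in events:
        env = resolve_environment(event, **connector_cfg)
        if env not in created_environments:
            missing[env] = missing.get(env, 0) + 1
    return missing


# Constructed sample events; "tenant" is a hypothetical event field.
SAMPLE_EVENTS = [
    {"tenant": "altostrat.com"},
    {"tenant": "examplepetstore.com"},
    {"tenant": ""},
    {},
]
CREATED = {"altostrat", DEFAULT_ENVIRONMENT}

if __name__ == "__main__":
    print(audit_uncreated(SAMPLE_EVENTS, CREATED,
                          field_name="tenant", regex_pattern=r"^[^.]+"))
```

Running the audit against a sample of recent connector events before enabling a dynamic environment field shows which names need an alias or a new environment.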