Gemini can answer questions related to threat intelligence about
topics such as threat actors, their associations, and their behavior patterns,
including questions about MITRE TTPs.
Threat intelligence questions are limited to information available to your
Google SecOps product edition. Answers to
questions might vary depending on the product edition. Specifically, threat
intelligence data is more limited in product editions other than Enterprise Plus
because they don't include full access to Mandiant and VirusTotal.
Ask Gemini questions
1. Open the Gemini pane.
2. Enter a threat intelligence question. For example: What is UNC3782?
3. Review the results.
4. Investigate further by asking Gemini to create queries to look for
   specific indicators of compromise (IOCs) referenced in the threat intelligence reports. Threat
   intelligence information is subject to available entitlements from your
   Google SecOps license.
5. Links are provided to any rule sets that might be available for monitoring the type of security issue you entered into Gemini.
6. At the bottom of the Gemini pane, click Sources and related content. Gemini provides links to some of the articles that were the sources for the content used in the summary.
Note: If Gemini responds to a prompt with text written by someone else, the original source is cited in the Referenced Sources section of the Gemini pane. For more information, see How and when Gemini cites sources.
Example: Threat intelligence and security questions
- Help me hunt for APT 44
- Are there any known attacker tools that use RDP to brute force logins?
- Is 103.224.80.44 suspicious?
- What types of attacks may be associated with CVE-2020-14145?
- Can you provide details around buffer overflow and how it can affect the target machine?
Gemini and MITRE
The MITRE ATT&CK® Matrix is a knowledge base that
documents the TTPs used by real-world cyber adversaries. The MITRE Matrix
provides an understanding of how your organization might be targeted and
provides a standardized syntax for discussing attacks.
You can ask Gemini questions about MITRE tactics, techniques, and
procedures (TTPs), and receive contextually relevant answers that include the
following MITRE details:
- Tactic
- Technique
- Sub-technique
- Detection suggestions
- Procedures
- Mitigations
Gemini returns a link to the curated detections
Google SecOps makes available for each TTP. You can also ask
Gemini follow-up questions to gain additional insight on a MITRE TTP
and how it might impact your enterprise.
Delete a chat session
You can delete your chat conversation session or delete all chat sessions.
Gemini maintains all user conversation histories privately and adheres
to Google Cloud's responsible AI
practices. User history is never used to train models.
1. In the Gemini pane, select Delete chat from the menu at the top right.
2. Click Delete chat at the bottom right to delete the current chat session.
3. Optional: To delete all chat sessions, select Delete all chat sessions and then click Delete all chats.
Provide feedback
You can provide feedback on responses generated by the Gemini AI
investigation assistance. Your feedback helps Google improve the feature and the
output generated by Gemini.
1. In the Gemini pane, click Thumb Up or Thumb Down.
2. Optional: Click Thumb Down and provide feedback.
3. Click Send feedback.
Last updated 2025-08-29 UTC.