Use the Alert Response Recommender

Supported in:

This document explains how to use the Alert Response Recommender pilot, an experiment in the Google Security Operations Labs. The pilot significantly reduces the time analysts spend on investigations. It analyzes historical data from similar, previously closed alerts with a Large Language Model (LLM). By providing actionable recommendations, the Alert Response Recommender helps streamline the triage process and accelerate case resolution.

For more information about the Google SecOps Labs, see Use Gemini and Google SecOps experiments.

Before you begin

To use the Alert Response Recommender pilot, locate the alert ID to investigate, then run the experiment on the Labs page.

Locate the alert ID or ticket ID

  1. Go to the Cases page, select the case you want to investigate from the queue.

  2. Navigate to the Case Overview.

  3. Go to the Alerts widget and click View Details for the specific alert you need.

  4. In the side drawer that appears, go to the Case section and copy the Ticket ID or Alert ID.

Run the experiment

  1. On the Google SecOps page, click experiment Labs.

  2. In the Alert Response Recommender card, click Try.

  3. In the Open Alert ID field, enter the Ticket ID or Alert ID you copied.

  4. Click Submit.

Review the output

Once the pilot has analyzed the data, it generates a recommendation based on an analysis of similar historical alerts. The output includes these key sections:

  • Analyst Actions: Recommended manual steps.

  • Content Hub (Marketplace) Actions: Suggested actions within the Content Hub (Marketplace).

  • Closure Recommendation: A suggested reason to close the alert.

The output also includes a detailed breakdown of the analysis, with a list of similar historical alerts, their closure reasons, and playbook usage.

  • Example output:

    ```none Recommendations

    Step 1: Recommendation for Analyst Actions

    No specific manual analyst actions are recommended based on the provided data.

    Step 2: Recommendation for Content Hub Actions

    No Content Hub actions are recommended based on the provided data.

    Step 3: Closure Recommendation

    Close the alert as "Maintenance".

    Recommendations Are Based on the Following Similar Historical Closed Alerts

    Step 4: Identify Similar Alerts

    The following characteristics are shared between the current alert and the similar alerts:

    • AlertRuleGenerator: "Data Exfiltration"
    • AlertProduct: "DLP_Product"
    • AlertDisplayName: "DATA EXFILTRATION"
    • AlertVendor: "DLP"
    • AlertSourceSystemName: "Arcsight"
    • AlertIsManual: false
    • AlertOriginalName: "DATA EXFILTRATION"
    • AlertSourceIdentifier: "Simulation"
    • AlertUsefulness: "None"
    • AlertPriority: "High"
    • All EntityIdentifiers are identical.

    The similar alerts are:

    • DATA EXFILTRATION_96C92028-70E5-4947-87DF-CC64133B2583
    • DATA EXFILTRATION_79D74832-4C9D-4315-AD0C-77F640A1766A
    • DATA EXFILTRATION_6C6713D6-8A50-48AB-B168-FE23791EC86C
    • DATA EXFILTRATION_C6493390-3544-46A6-A219-0DDC64FE8547
    • DATA EXFILTRATION_B44A1099-2DBD-4F02-9173-5931C538AE9D

    Step 5: Analyze Playbook Usage in Similar Alerts

    No playbooks were used in the identified similar alerts.

    Step 6: Analyze Case Closure Information

    All similar alerts, except DATA EXFILTRATION_8D4E6467-F503-447A-8B38-BC521296E194, have the closure reason as "Maintenance", with a root cause of "Lab Test". The alert DATA EXFILTRATION_8D4E6467-F503-447A-8B38-BC521296E194 has the closure reason "NotMalicious". Comments in most cases contain the word "test" along with the Case closed by Siemplify API information. ```

Limitations

To ensure you interpret the recommendations correctly, be aware of the following limitations:

  • Dependence on historical data: The quality and relevance of the recommendations are directly tied to the historical data available. If there isn't enough similar data, the advice may be limited or less accurate.

  • Limited alert types: The recommendations may be less effective for some alert types, particularly if they're new or have few precedents.

  • Minimum alerts required: The Alert Response Recommender must find at least one similar historical alert to provide a recommendation. If no similar alerts are found, it can't provide a useful analysis. The application will notify you of this by showing an empty Identify Similar Alerts tab.

Need more help? Get answers from Community members and Google SecOps professionals.