Gemini in Google SecOps

For more information on Gemini, large language models, and responsible AI, see Gemini for Code . You can also see the Gemini documentation and release notes.

  • Availability: Gemini in Google SecOps is available globally. Gemini data is processed in the following regions: us-central1, asia-southeast1, and europe-west1. Customer requests are routed to the nearest region for processing.

  • Pricing: For information about pricing, see Google Security Operations pricing

  • Gemini security: For information on Gemini security features in Google Cloud, see Security with generative AI

  • Data governance: For information about Gemini data governance practices, see How Gemini for Google Cloud uses your data

  • Certifications: For information on Gemini certifications, see Certifications for Gemini

  • SecLM platform: Gemini for Google SecOps uses a range of large language models through the SecLM platform, including the specialized Sec-PaLM model. Sec-PaLM is trained on data including security blogs, threat intelligence reports, YARA and YARA-L detection rules, SOAR playbooks, malware scripts, vulnerability information, product documentation, and many other specialized datasets. For more information, see Security with generative AI

The following sections provide documentation for the Google SecOps features powered by Gemini:

Use Gemini to investigate security issues

Gemini provides investigation assistance which can be accessed from any part of Google SecOps. Gemini can assist with your investigations by providing support for the following:

  • Search: Gemini can help you build, edit, and run searches targeted toward relevant events using natural language prompts. Gemini can also help you iterate on a search, adjust the scope, expand the time range, and add filters. You can complete all these tasks using natural language prompts entered into the Gemini pane.
  • Search summaries: Gemini can automatically summarize search results after every search and subsequent filter action. The Gemini pane summarizes the results of your search in a concise and understandable format. Gemini can also answer contextual follow-up questions about the summaries it provides.
  • Rule generation: Gemini can create new YARA-L rules from the UDM search queries it generates.
  • Security questions and threat intelligence analysis: Gemini can answer general security domain questions. Additionally, Gemini can answer specific threat intelligence questions and provide summaries about threat actors, IOCs, and other threat intelligence topics.
  • Incident remediation: Based on the event information returned, Gemini can suggest follow on steps. Suggestions might also appear after filtering search results. For example, Gemini might suggest reviewing a relevant alert or rule or filtering for a specific host or user.

You can use Gemini to generate UDM search queries from the Gemini pane or when using UDM search.

For best results, Google recommends using the Gemini pane to generate search queries.

Generate a UDM search query using the Gemini pane

  1. Sign into Google SecOps and open the Gemini pane by clicking the Gemini logo.
  2. Enter a natural language prompt and press Enter. The natural language prompt must be in English.

    Open Gemini pane and enter

    Figure 1: Open Gemini pane and enter prompt

  3. Review the generated UDM search query. If the generated search query meets your requirements, click Run search.

  4. Gemini produces a results summary along with suggested actions.

  5. Enter natural language follow-up questions about the search results provided by Gemini to continue your investigation.

Example search prompts and follow-up questions
  • Show me all failed logins for the last 3 days
    • Generate a rule to help detect that behavior in the future
  • Show me events associated with the principle user izumi.n
    • Who is this user?
  • Search for all of the events associated with the IP in the last 3 hours
    • List all of the domains in the results set
    • What types of events were returned?
  • Show me events from my firewall in the last 24 hours
    • What were the 16 unique hostnames in the results set?
    • What were the 9 unique IPs associated with the results set?

Generate a UDM search query using natural language

Using the Google SecOps Search feature, you can enter a natural language query about your data and Gemini can translate this into a UDM search query which you can run against UDM events.

For better results, Google recommends using the Gemini pane to generate search queries.

To use a natural language search to create a UDM search query, complete the following steps:

  1. Sign in to Google SecOps.
  2. Navigate to Search.
  3. Enter a search statement in the natural language query bar and click Generate Query. You must use English for the search.

    Enter a natural language search and click Generate

    Figure 2: Enter a natural language search and click Generate Query

    The following are some examples of statements that might generate a useful UDM search:

    • network connections from to
    • failed user logins over the last 3 days
    • emails with file attachments sent to or
    • all Cloud service accounts created yesterday
    • outbound network traffic from or
    • all network connections to or
    • service accounts created in Google Cloud yesterday
    • Windows executables modified between 8 AM and 1 PM on May 1, 2023
    • all activity from winword.exe on lab-pc
    • scheduled tasks created or modified on exchange01 during the last week
    • email messages that contain PDF attachments
    • emails sent by sent from on September 1
    • any files with the hash 44d88612fea8a8f36de82e1278abb02f
    • all activity associated with user ""
  4. If the search statement includes a time-based term, the time picker is automatically adjusted to match. For example, this would apply to the following searches:

    • yesterday
    • within the last 5 days
    • on Jan 1, 2023

    If the search statement cannot be interpreted, you will see the following message:
    "Sorry, no valid query could be generated. Try asking a different way."

  5. Review the generated UDM search query.

  6. (Optional) Adjust the search time range.

  7. Click Run Search.

  8. Review the search results to determine if the event is present. If needed, use search filters to narrow the list of results.

  9. Provide feedback about the query using the Generated Query feedback icons. Select one of the following:

    • If the query returns the expected results, click the thumbs up icon.
    • If the query does not return the expected results, click the thumbs down icon.
    • (Optional) Include additional detail in the Feedback field.
    • To submit a revised UDM search query that helps improve results:
    • Edit the UDM search query that was generated.
    • Click Submit. If you did not rewrite the query, text in the dialog prompts you to edit the query.
    • Click Submit. The revised UDM search query will be sanitized of sensitive data and used to improve results.

Generate a YARA-L rule using Gemini

  1. Use a natural language prompt to generate a rule (for example, create a rule to detect logins from bruce-monroe). Press Enter. Gemini generates a rule to detect the behavior you've searched for in the Gemini pane.

  2. Click Open in rule editor to view and modify the new rule in the Rules Editor. You can only create single-event rules using this feature.

    For example, using the previous rule prompt, Gemini generates the following rule:

    rule logins_from_bruce_monroe {
        author = "Google Gemini"
        description = "Detect logins from bruce-monroe"
        $e.metadata.event_type = "USER_LOGIN"
        $e.principal.user.userid = "bruce-monroe"
        $principal_ip = array($e.principal.ip)
        $target_ip = array($
        $target_hostname = $
        $action = array($e.security_result.action)
  3. To activate the rule, click Save New Rule. The rule appears in the list of rules to the left. Hold the pointer over the rule, click the menu icon, and toggle the Live Rule option to the right (green). For more information, see Manage rules using Rules Editor.

Provide feedback on the generated rule

You can provide feedback on the generated rule. This feedback is used to improve the accuracy of the rule generation feature.

  • If the rule syntax was generated as expected, click the thumbs up icon.
  • If the rule syntax is not what you expected, click the thumbs down icon. Check the option that best indicates the issue you found with the generated rule syntax. (Optional) Include additional details in the Describe your feedback field. Click Submit Feedback.

Assistance with threat intelligence and security questions

Gemini can answer questions related to threat intelligence about topics such as threat actors, their associations, and their behavior patterns, including questions about MITRE TTPs.

Threat intelligence questions are limited to information available to your Google SecOps product edition. Answers to questions might vary depending on the product edition. Specifically, threat intelligence data is more limited in product editions other than Enterprise Plus because they don't include full access to Mandiant and VirusTotal.

Enter your questions into the Gemini pane.

  1. Enter a threat intelligence question. For example: What is UNC3782?

  2. Review the results.

  3. Investigate further by asking Gemini to create queries to look for specific IOCs referenced in the threat intelligence reports. Threat intelligence information is subject to available entitlements from your Google SecOps license.

Example: Threat intelligence and security questions

  • Help me hunt for APT 44
  • Are there any known attacker tools that use RDP to brute force logins?
  • Is suspicious?
  • What types of attacks may be associated with CVE-2020-14145?
  • Can you provide details around buffer overflow and how it can affect the target machine?

Gemini and MITRE

The MITRE ATT&CK® Matrix is a knowledge base that documents the TTPs used by real-world cyber adversaries. The MITRE Matrix provides an understanding of how your organization might be targeted and a provides a standardized syntax for discussing attacks.

You can ask Gemini questions about MITRE tactics, techniques, and procedures (TTPs) and receive contextually relevant answers that include the following MITRE details:

  • Tactic
  • Technique
  • Sub-technique
  • Detection suggestions
  • Procedures
  • Mitigations

Gemini returns a link to the curated detections Google SecOps makes available for each TTP. You can also ask Gemini follow up questions to gain additional insight on a MITRE TTP and how it might impact your enterprise.

Delete a chat session

You can delete your chat conversation session or delete all chat sessions. Gemini maintains all user conversation histories privately and adheres to Google Cloud's responsible AI practices . User history is never used to train models.

  1. In the Gemini pane, select Delete chat from the menu at the top right.
  2. Click Delete chat at the bottom right to delete the current chat session.
  3. (Optional) To delete all chat sessions, select Delete all chat sessions and then click Delete all chats.

Provide feedback

You can provide feedback to responses generated by the Gemini AI investigation assistance. Your feedback helps Google improve the feature and the output generated by Gemini.

  1. In the Gemini pane, select the thumbs up or thumbs down icon.
  2. (Optional) If you select thumbs down, you can add additional feedback about why you chose the rating.
  3. Click Send feedback.

AI Investigation widget

The AI Investigation widget looks at the whole case (alerts, events, and entities) and provides an AI-generated case summary of how much attention the case might require. The widget also summarizes the alerts data for a better understanding of the threat, and provides recommendations for next steps to be taken for effective remediation.

The classification, summary, and recommendations all include an option to leave feedback as to the level of the AI accuracy and usefulness. The feedback is used to help us improve accuracy.

The AI Investigation widget is displayed under the Case Overview tab in the Cases page. If there is only one alert in the case, you need to click the Case Overview tab to see this widget.


The AI Investigation widget is not displayed for cases that are created manually or request cases that are initiated from Your Workdesk.

Provide feedback for the AI Investigation widget

  1. If the results are acceptable, click the thumbs up icon. You can add more information in the Additional Feedback field.

  2. If the results were not as expected, click the thumbs down icon. Select one of the options provided and add any other additional feedback that you think relevant.

  3. Click Send Feedback.

Remove the AI Investigation widget

The AI Investigation widget is included in the default view.

To remove the AI Investigation widget from the default view, do the following:

  1. Navigate to SOAR Settings > Case Data > Views.

  2. Select Default Case View from the left side-panel.

  3. Click the Delete icon on the AI Investigation widget.

Create playbooks with Gemini

Gemini can help you streamline the process of creating playbooks by turning your prompts into a functional playbook that helps resolve security issues.

Create a playbook using prompts

  1. Navigate to Response > Playbooks.
  2. Select the add add icon and create a new playbook.
  3. In the new playbook pane, select Create Playbooks using AI.
  4. In the prompt pane, enter a comprehensive and well-structured prompt in English. For more information on how to write a playbook prompt, see Writing prompts for Gemini playbook creation.
  5. Click Generate Playbook.
  6. A preview pane with the generated playbook is displayed. If you want to make changes, click edit and refine the prompt.
  7. Click Create Playbook.
  8. If you want to make changes to the playbook once it is displayed in the main pane, select Create Playbooks using AI and rewrite your prompt. Gemini will create a new playbook for you.

Provide feedback for playbooks created by Gemini

  1. If the playbook results are good, click the thumbs up icon. You can add more information in the Additional Feedback field.
  2. If the playbook results were not as expected, click the thumbs down icon. Select one of the options provided and add any other additional feedback that you think relevant.

Writing prompts for Gemini playbook creation

The Gemini playbook feature has been designed to create playbooks based on the natural language input you provide. You need to enter clear and well structured prompts in the Gemini playbook prompts box which then generates a Google SecOps playbook, which includes triggers, actions, and conditions. The quality of the playbook is influenced by the accuracy of the prompt provided. Well-formulated prompts containing clear and specific details produce more effective playbooks.

Capabilities of playbook creation with Gemini

You can do the following with the Gemini playbook creation features:

  • Create new playbooks with the following items: actions, triggers, flows.
  • Use all downloaded commercial integrations.
  • Put specific actions and integration names in the prompt as playbook steps.
  • Understand prompts to describe the flow where specific integrations and names are not given.
  • Use condition flows as supported in SOAR response capabilities.
  • Detect which trigger is necessary for the playbook.

You can't do the following using prompts:

  • Update existing playbooks.
  • Create or use playbook blocks.
  • Use custom integrations.
  • Make use of parallel actions in playbooks.
  • Use integrations which have not been downloaded and installed.
  • Use integration instances.

Note that using parameters in prompts might not always result in the correct action being used.

Constructing effective prompts

Each prompt must include the following components:

  • Objective: what to generate
  • Trigger: how the playbook will be triggered
  • Playbook action: what it will do
  • Condition: conditional logic

Example of prompt using integration name

The following example shows a well structured prompt using an integration name:

Write a playbook for malware alerts. The playbook should take the file hash from the alert and enrich it with VirusTotal. If the file hash is malicious, quarantine the file.

This prompt contains the four components defined earlier:

  • Clear objective: Has a defined goal, handling malware alerts.
  • Specific trigger: Activation is based on a specific event, receiving a malware alert.
  • Playbook actions: Enhances a Google Security Operations SOAR entity with data from a third-party integration (VirusTotal).
  • Conditional response: Specifies a condition that is based on previous results. For example, if the file hash is found to be malicious, the file should be quarantined.

Example of prompt using a flow instead of an integration name

The following example shows a well structured prompt but describes the flow without mentioning the specific integration name.

Write a playbook for malware alerts. The playbook should take the file hash from the alert and enrich it. If the file hash is malicious, quarantine the file.

The Gemini playbook creation feature is capable of taking this description of an action—enrich a file hash—and looking through the installed integrations to find the one that best fits this action.

The Gemini playbook creation feature can only choose from integrations that are already installed in your environment.

Customized triggers

In addition to using standard triggers, a trigger can be customized in the playbook prompt. You can specify placeholders for the following objects:

  • Alert
  • Event
  • Entity
  • Environment
  • Free text

In the following example, free text is used to create a trigger that is executed for all emails from the suspicious email folder except for those emails that contain the word [TEST] in the email subject line.

Write a phishing playbook that will be executed for all emails from the 'suspicious email' folder ([Event.email_folder]) that the subject does not contain '[TEST]' ([Event.subject]). The playbook should take the file hash and URL from the alert and enrich it with VirusTotal. If the file hash is malicious, quarantine the file. if the URL is malicious, block it in the firewall.

Tips for writing prompts

  • Best practice is to use specific integration names: Specify integrations only if they are already installed and configured within your environment.
  • Take advantage of Gemini specialization: The Gemini playbook creation feature is specifically designed to build playbooks based on prompts that align with incident response, threat detection, and automated security workflows.
  • Detail the purpose, trigger, action, and condition.
  • Include clear objectives: Start with a clear objective, such as managing malware alerts, and specify triggers that activate the playbook.
  • Include conditions for actions, like enriching data or quarantining files, based on threat analysis. This clarity and specificity enhance the playbook's effectiveness and automation potential.

Examples of well structured prompts

Write a playbook for phishing alerts. The playbook enriches usernames, URLs and file hashes from the email and enriches them in available sources. If one of the findings is malicious, block the finding, remove the email from all the users' mailboxes and assign the case to Tier 2.

Create a playbook for my Google Cloud Anomalous Access alert. The playbook should enrich user account information with Google Cloud IAM, and then enrich the IP information with VirusTotal. If the user is an admin and the IP is malicious, the user account should be disabled in IAM.

Write a playbook for suspicious login alerts. The playbook should enrich the IP address with VirusTotal and get GeoIP information. If VirusTotal reported more than 5 malicious engines and the IP address is from Iran or China, block the IP address in Checkpoint Firewall and send an email notification to