Use Triage Agent to investigate alerts

Supported in:

Google secops

The Triage Agent is an AI-powered investigation assistant embedded in Google Security Operations. It determines if the alerts are true or false positives, then provides a summarized explanation for its assessment.

The Triage Agent analyzes alerts in Google SecOps using Mandiant principles and industry best practices. It evaluates incoming alerts, executes an investigation plan, and provides a structured analysis that includes both its findings and reasoning.

For a list of IAM permissions required for using the Triage Agent, see Triage Agent.

Investigation tools

The agent uses the following built-in tools to complete its analysis:

Dynamic search queries: Runs and refines searches in SecOps to collect additional context for the alert.
GTI enrichment: Enriches IoCs with Google Threat Intelligence (GTI) data, including domains, URLs, and hashes.
Command-line analysis: Analyzes command lines to explain actions in natural language.
Process tree reconstruction: Analyzes the processes in the alert to show the full sequence of related system activity.

Trigger the Triage Agent

You can trigger the Triage Agent automatically or manually. Each tenant can run up to 10 investigations per hour (5 manual and 5 automatic). Each investigation typically completes in 3-5 minutes and runs for a maximum of 20 minutes. There's no investigation queue. The Triage Agent doesn't automatically analyze alerts generated beyond the limit.

Automatic investigations

The agent automatically investigates alerts that contain events with the relevant metadata.log_type values.

The following table lists the supported metadata.log_type values and their sources:

Source	`metadata.log_type` values
Amazon	`AWS_CLOUDTRAIL`, `AWS_IAM`, `AWS_NETWORK_FIREWALL`, `AWS_VPC_FLOW`, `ELASTIC_EDR`
Cisco	`CISCO_ASA_FIREWALL, CISCO_FIREPOWER_FIREWALL, CISCO_ISE, CISCO_MERAKI`
CrowdStrike	`CROWDSTRIKE_IOC`, `CS_ALERTS`, `CS_CEF_EDR`, `CS_DETECTS`, `CS_EDR`, `CS_IDP`
Fortinet	`FORTINET_FIREWALL`, `FORTINET_FORTIEDR`, `FORTINET_WEBPROXY`
Google	`GCP_CLOUDAUDIT`, `GCP_CLOUDIDENTITY_DEVICES`, `GCP_CLOUDIDENTITY_DEVICEUSERS`, `GCP_DNS`, `GCP_NGFW_ENTERPRISE`, `GCP_VPC_FLOW`, `WORKSPACE_ACTIVITY`, `WORKSPACE_ALERTS`, `WORKSPACE_USERS`
Microsoft	`ADFS`, `AZURE_AD`, `AZURE_AD_AUDIT`, `AZURE_AD_CONTEXT`, `AZURE_AD_SIGNIN`, `AZURE_FIREWALL`, `AZURE_NSG_FLOW`, `GITHUB`, `MICROSOFT_DEFENDER_ATP`, `MICROSOFT_DEFENDER_ENDPOINT`, `MICROSOFT_DEFENDER_ENDPOINT_IOS`, `MICROSOFT_DEFENDER_IDENTITY`, `MICROSOFT_GRAPH_ALERT`, `OFFICE_365`, `SENTINELONE_ACTIVITY`, `SENTINELONE_ALERT`, `SENTINELONE_CF`, `SENTINEL_DV`, `SENTINEL_EDR`, `WINDOWS_AD`, `WINDOWS_DEFENDER_ATP`, `WINDOWS_DEFENDER_AV`, `WINDOWS_DHCP`, `WINDOWS_DNS`, `WINDOWS_FIREWALL`, `WINDOWS_SYSMON`, `WINEVTLOG`
Okta	`OKTA`, `OKTA_ACCESS_GATEWAY`, `OKTA_USER_CONTEXT`
Other	`BARRACUDA_FIREWALL`, `BOX`, `BRO_DNS`, `CB_APP_CONTROL`, `CB_DEFENSE`, `CB_EDR`, `CHECKPOINT_EDR`, `CHECKPOINT_FIREWALL`, `CLOUDFLARE_WAF`, `CYBERARK_EPM`, `CYBEREASON_EDR`, `DUO_AUTH`, `DUO_USER_CONTEXT`, `F5_AFM`, `F5_ASM`, `F5_BIGIP_LTM`, `FIREEYE_HX`, `FIREEYE_NX`, `FORCEPOINT_FIREWALL`, `INFOBLOX_DNS`, `JUNIPER_FIREWALL`, `KEYCLOAK`, `LIMACHARLIE_EDR`, `MALWAREBYTES_EDR`, `MCAFEE_EDR`, `NETFILTER_IPTABLES`, `ONELOGIN_SSO`, `ONE_IDENTITY_IDENTITY_MANAGER`, `OPENSSH`, `PAN_FIREWALL`, `PING`, `SALESFORCE`, `SEP`, `SOPHOS_EDR`, `SOPHOS_FIREWALL`, `SQUID_WEBPROXY`, `SURICATA_EVE`, `SURICATA_IDS`, `SYMANTEC_EDR`, `TANIUM_EDR`, `TANIUM_THREAT_RESPONSE`, `TRENDMICRO_EDR`, `UMBRELLA_DNS`, `UMBRELLA_FIREwall`, `UMBRELLA_WEBPROXY`, `ZEEK`, `ZSCALER_FIREWALL`, `ZSCALER_WEBPROXY`.

Manual investigations

To manually run an investigation:

In Google SecOps, go to the Alerts & IoCs page.
Select an alert and click Run Investigation.

You can also navigate to an alert in a case and run an investigation for it. The banner updates to View Investigation once the process completes. You can click this banner to view the details of an investigation.

Navigate to investigations

You can access past or in-progress investigations from anywhere in Google SecOps.

Click in the Google SecOps interface.
Click in the navigation panel.
Click keyboard_arrow_down next to the investigation list to expand the panel.
In the list, select an item to open the investigation results.

Each investigation entry includes the alert name, the completion time, and the Gemini investigation summary. If the same alert is investigated multiple times, each investigation appears as a separate entry on the investigation list.

Review an investigation

Each investigation opens in a detailed view that summarizes Gemini's analysis, its reasoning, and the supporting data it used.

This view has the following components:

Summary
Investigation timeline
View an alert or re-run an investigation
Suggested next steps
Feedback

Summary

At the top of the panel, the Summary by Gemini section provides a brief description of the alert and the investigation's findings.

The summary provides the following information:

Disposition: Indicates if Gemini determined the alert to be a true or false positive.
Confidence level: Describes Gemini's confidence in its assessment. This assessment is based on the alert and available investigation data.
Summary explanation: Describes the alert and how Gemini reached its conclusion.

Investigation timeline

After the summary, the Investigation timeline displays cards, each representing an analysis step the agent performs.

Each card includes:

A title describing the analysis activity
A body summarizing Gemini's search results and analysis
A source link to the data that Gemini used for the step (for example, GTI results or search queries)

View an alert or re-run an investigation

The investigation panel lets you take the following actions:

View alert: Opens the alert details in the Google SecOps SIEM view.
Re-run investigation: Reruns the analysis for the same alert.

Suggested next steps

For all investigations, Gemini provides further investigation steps. These steps recommend additional actions or data sources for analysts to explore.

As the agent is updated, these suggestions can expand to include remediation guidance.

Feedback

Each investigation includes thumb_up Thumb Up and thumb_down Thumb Down icons to collect feedback. Focus your feedback on the severity verdict because this helps refine Gemini's threat classification.

Cloud audit logging

To enable audit logging for the Triage Agent:

In the Google Google Cloud console, navigate to IAM > Audit Logging.
Search for Chronicle API.
In the Permission Types tab of the Chronicle API panel, select the Admin Read checkbox.

View audit logs

To view audit logs:

In the Google Google Cloud console, go to Monitoring > Logs Explorer.
Search for the logs you want to view.
- To view all Google SecOps audit logs, search for protoPayload.serviceName: "chronicle.googleapis.com".
- To see only the Triage Agent logs, search for the related methods.
  
  For example, protoPayload.method: "google.cloud.chronicle.v1alpha.InvestigationService.TriggerInvestigation" and protoPayload.method: "google.cloud.chronicle.v1alpha.InvestigationService.GetInvestigation".

Need more help? Get answers from Community members and Google SecOps professionals.