Create and edit a playbook with Gemini

Supported in:

Create and edit playbooks with Gemini

Gemini can help you streamline the process of creating playbooks by turning your prompts into a functional playbook that helps resolve security issues.

Create a playbook using prompts

  1. Navigate to Response > Playbooks.

  2. Select the add add icon and create a new playbook.

  3. In the new playbook pane, select Create Playbooks with Gemini.

  4. In the prompt pane, enter a comprehensive and well-structured prompt in English. For more information on how to write a playbook prompt, see Writing prompts for Gemini playbook creation.

  5. Click Generate Playbook.

  6. A preview pane with the generated playbook is displayed. If you want to make changes, click the edit icon and refine the prompt.

  7. Click Create Playbook.

Edit a playbook using prompts

  1. Select the required playbook and select Edit Playbook with Gemini.
  2. Add any changes that are required.
  3. A preview pane with the edited playbook shows you the before and after versions. If you want to make changes, click Back and refine the prompt.
  4. When satisfied with the changes, click Edit Playbook.

Provide feedback for playbooks created by Gemini

  1. If the playbook results are good, click the thumbs up icon. You can add more information in the Additional Feedback field.
  2. If the playbook results were not as expected, click the thumbs down icon. Select one of the options provided and add additional feedback.

Writing prompts for Gemini playbook creation

The Gemini playbook feature has been designed to create playbooks based on the natural language input you provide. You need to enter clear and well structured prompts in the Gemini playbook prompts box which then generates a Google SecOps playbook, which includes triggers, actions, and conditions. The quality of the playbook is influenced by the accuracy of the prompt provided. Well-formulated prompts containing clear and specific details produce more effective playbooks.

Capabilities of playbook creation with Gemini

You can do the following with the Gemini playbook creation feature:

  • Create new playbooks with the following items: actions, triggers, flows.
  • Use all downloaded commercial integrations.
  • Put specific actions and integration names in the prompt as playbook steps.
  • Understand prompts to describe the flow where specific integrations and names are not given.
  • Use condition flows as supported in SOAR response capabilities.
  • Detect which trigger is necessary for the playbook.

You can't do the following when creating playbooks using prompts:

  • Create or use playbook blocks.
  • Use custom integrations.
  • Make use of parallel actions in playbooks.
  • Use integrations which have not been downloaded and installed.
  • Use integration instances.

Capabilities of playbook editing with Gemini

You can do the following with the Gemini playbook editing feature:

  • Add playbook steps anywhere in the playbook.
  • Delete any playbook step.
  • Move steps around in the playbook.
  • Replace actions or integrations with other actions and integrations.

You can't do the following when editing playbooks using prompts:

  • Edit triggers.
  • Edit conditions. Note that using parameters in prompts might not always result in the correct action being used.

Constructing effective prompts

Each prompt must include the following components:

  • Objective: what to generate
  • Trigger: how the playbook will be triggered
  • Playbook action: what it will do
  • Condition: conditional logic

Example of prompt using integration name

The following example shows a well structured prompt using an integration name:

Write a playbook for malware alerts. The playbook should take the file hash from the alert and enrich it with VirusTotal. If the file hash is malicious, quarantine the file.

This prompt contains the four components defined earlier:

  • Clear objective: Has a defined goal, handling malware alerts.
  • Specific trigger: Activation is based on a specific event, receiving a malware alert.
  • Playbook actions: Enhances a Google Security Operations SOAR entity with data from a third-party integration (VirusTotal).
  • Conditional response: Specifies a condition that is based on previous results. For example, if the file hash is found to be malicious, the file should be quarantined.

Example of prompt using a flow instead of an integration name

The following example shows a well structured prompt but describes the flow without mentioning the specific integration name.

Write a playbook for malware alerts. The playbook should take the file hash from the alert and enrich it. If the file hash is malicious, quarantine the file.

The Gemini playbook creation feature is capable of taking this description of an action—enrich a file hash—and looking through the installed integrations to find the one that best fits this action.

The Gemini playbook creation feature can only choose from integrations that are already installed in your environment.

Customized triggers

In addition to using standard triggers, a trigger can be customized in the playbook prompt. You can specify placeholders for the following objects:

  • Alert
  • Event
  • Entity
  • Environment
  • Free text

In the following example, free text is used to create a trigger that is executed for all emails from the suspicious email folder except for those emails that contain the word [TEST] in the email subject line.

Write a phishing playbook that will be executed for all emails from the 'suspicious email' folder ([Event.email_folder]) that the subject does not contain '[TEST]' ([Event.subject]). The playbook should take the file hash and URL from the alert and enrich it with VirusTotal. If the file hash is malicious, quarantine the file. If the URL is malicious, block it in the firewall.

Tips for writing prompts

  • Best practice is to use specific integration names: Specify integrations only if they are already installed and configured within your environment.
  • Take advantage of Gemini specialization: The Gemini playbook creation feature is specifically designed to build playbooks based on prompts that align with incident response, threat detection, and automated security workflows.
  • Detail the purpose, trigger, action, and condition.
  • Include clear objectives: Start with a clear objective, such as managing malware alerts, and specify triggers that activate the playbook.
  • Include conditions for actions, like enriching data or quarantining files, based on threat analysis. This clarity and specificity enhance the playbook's effectiveness and automation potential.

Examples of well structured prompts

Write a playbook for phishing alerts. The playbook enriches usernames, URLs and file hashes from the email and enriches them in available sources. If one of the findings is malicious, block the finding, remove the email from all the users' mailboxes and assign the case to Tier 2.

Create a playbook for my Google Cloud Anomalous Access alert. The playbook should enrich user account information with Google Cloud IAM, and then enrich the IP information with VirusTotal. If the user is an admin and the IP is malicious, the user account should be disabled in IAM.

Write a playbook for suspicious login alerts. The playbook should enrich the IP address with VirusTotal and get GeoIP information. If VirusTotal reported more than 5 malicious engines and the IP address is from Iran or China, block the IP address in Checkpoint Firewall and send an email notification to zak@example.com.