Recommendations
Step 1: Recommendation for Analyst Actions
No specific manual analyst actions are recommended based on the provided data.
Step 2: Recommendation for Content Hub Actions
No Content Hub actions are recommended based on the provided data.
Step 3: Closure Recommendation
Close the alert as "Maintenance".
Recommendations Are Based on the Following Similar Historical Closed Alerts
Step 4: Identify Similar Alerts
The following characteristics are shared between the current alert and the similar alerts:
* AlertRuleGenerator: "Data Exfiltration"
* AlertProduct: "DLP_Product"
* AlertDisplayName: "DATA EXFILTRATION"
* AlertVendor: "DLP"
* AlertSourceSystemName: "Arcsight"
* AlertIsManual: false
* AlertOriginalName: "DATA EXFILTRATION"
* AlertSourceIdentifier: "Simulation"
* AlertUsefulness: "None"
* AlertPriority: "High"
* All EntityIdentifiers are identical.
The similar alerts are:
* DATA EXFILTRATION_96C92028-70E5-4947-87DF-CC64133B2583
* DATA EXFILTRATION_79D74832-4C9D-4315-AD0C-77F640A1766A
* DATA EXFILTRATION_6C6713D6-8A50-48AB-B168-FE23791EC86C
* DATA EXFILTRATION_C6493390-3544-46A6-A219-0DDC64FE8547
* DATA EXFILTRATION_B44A1099-2DBD-4F02-9173-5931C538AE9D
Step 5: Analyze Playbook Usage in Similar Alerts
No playbooks were used in the identified similar alerts.
Step 6: Analyze Case Closure Information
All similar alerts, except DATA EXFILTRATION_8D4E6467-F503-447A-8B38-BC521296E194,
have the closure reason as "Maintenance", with a root cause of "Lab Test". The alert
DATA EXFILTRATION_8D4E6467-F503-447A-8B38-BC521296E194 has the closure reason "NotMalicious".
Comments in most cases contain the word "test" along with the Case closed by Siemplify API
information.
[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-09-10。"],[],[],null,["Use the Alert Response Recommender \nSupported in: \nGoogle secops\n\nThis document explains how to use the **Alert Response Recommender** pilot, an\nexperiment in the Google Security Operations Labs. The pilot significantly reduces the time analysts spend on investigations. It analyzes historical data from similar, previously closed alerts with a Large Language Model (LLM). By providing actionable recommendations, the Alert Response Recommender helps streamline the triage process and accelerate case resolution.\n\nFor more information about the Google SecOps Labs, see\n[Use Gemini and Google SecOps experiments](/chronicle/docs/secops/google-secops-labs).\n\nLocate the alert ID or ticket ID\n\n1. Go to the **Cases** page, select the case you want to investigate from the\n queue.\n\n2. Navigate to the **Case Overview**.\n\n3. Go to the **Alerts widget** and click **View Details** for the specific alert\n you need.\n\n4. In the side drawer that appears, go to the **Case** section and copy the\n **Ticket ID** or **Alert ID**.\n\nRun the experiment\n\n1. On the Google SecOps page, click\n experiment **Labs**.\n\n2. In the **Alert Response Recommender** card, click **Try**.\n\n3. In the **Open Alert ID** field, enter the Ticket ID or Alert ID you copied.\n\n4. Click **Submit**.\n\nReview the output\n\nOnce the pilot has analyzed the data, it generates a recommendation based on an\nanalysis of similar historical alerts. The output includes these key sections:\n\n- **Analyst Actions:** Recommended manual steps.\n\n- **Content Hub (Marketplace) Actions:** Suggested actions within the Content\n Hub (Marketplace).\n\n- **Closure Recommendation:** A suggested reason to close the alert.\n\nThe output also includes a detailed breakdown of the analysis, with a list of\nsimilar historical alerts, their closure reasons, and playbook usage.\n\n- Example output:\n\n Recommendations\n\n Step 1: Recommendation for Analyst Actions\n\n No specific manual analyst actions are recommended based on the provided data.\n\n Step 2: Recommendation for Content Hub Actions\n\n No Content Hub actions are recommended based on the provided data.\n\n Step 3: Closure Recommendation\n\n Close the alert as \"Maintenance\".\n\n Recommendations Are Based on the Following Similar Historical Closed Alerts\n\n Step 4: Identify Similar Alerts\n\n The following characteristics are shared between the current alert and the similar alerts:\n\n * AlertRuleGenerator: \"Data Exfiltration\"\n * AlertProduct: \"DLP_Product\"\n * AlertDisplayName: \"DATA EXFILTRATION\"\n * AlertVendor: \"DLP\"\n * AlertSourceSystemName: \"Arcsight\"\n * AlertIsManual: false\n * AlertOriginalName: \"DATA EXFILTRATION\"\n * AlertSourceIdentifier: \"Simulation\"\n * AlertUsefulness: \"None\"\n * AlertPriority: \"High\"\n * All EntityIdentifiers are identical.\n\n The similar alerts are:\n\n * DATA EXFILTRATION_96C92028-70E5-4947-87DF-CC64133B2583\n * DATA EXFILTRATION_79D74832-4C9D-4315-AD0C-77F640A1766A\n * DATA EXFILTRATION_6C6713D6-8A50-48AB-B168-FE23791EC86C\n * DATA EXFILTRATION_C6493390-3544-46A6-A219-0DDC64FE8547\n * DATA EXFILTRATION_B44A1099-2DBD-4F02-9173-5931C538AE9D\n\n Step 5: Analyze Playbook Usage in Similar Alerts\n\n No playbooks were used in the identified similar alerts.\n\n Step 6: Analyze Case Closure Information\n\n All similar alerts, except DATA EXFILTRATION_8D4E6467-F503-447A-8B38-BC521296E194, \n have the closure reason as \"Maintenance\", with a root cause of \"Lab Test\". The alert \n DATA EXFILTRATION_8D4E6467-F503-447A-8B38-BC521296E194 has the closure reason \"NotMalicious\". \n Comments in most cases contain the word \"test\" along with the Case closed by Siemplify API \n information.\n\nLimitations\n\nTo ensure you interpret the recommendations correctly, be aware of the following limitations:\n\n- Dependence on historical data: The quality and relevance of the\n recommendations are directly tied to the historical data available. If there\n isn't enough similar data, the advice may be limited or less accurate.\n\n- Limited alert types: The recommendations may be less effective for some\n alert types, particularly if they're new or have few precedents.\n\n- Minimum alerts required: The Alert Response Recommender must find at\n least one similar historical alert to provide a recommendation. If no similar\n alerts are found, it can't provide a useful analysis. The application will\n notify you of this by showing an empty **Identify Similar Alerts** tab.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
