Gemini in Security Operations

For more information on Gemini, large language models, and responsible AI, see Gemini for Code. You can also see the Gemini documentation and release notes.

  • Availability—Gemini in Security Operations is available globally to customers who don't have compliance requirements.

  • Pricing—For more information about pricing, see Chronicle Security Operations pricing.

  • Gemini security—For more information on Gemini security features in Google Cloud, see Security with generative AI.

  • Data governance—For more information about Gemini data governance practices, see How Gemini for Google Cloud uses your data.

  • Certifications—For more information on Gemini certifications, see Certifications for Gemini.

  • Sec-PaLM large language model—Gemini for Security Operations uses Sec-PaLM. Sec-PaLM is trained on data including security blogs, threat intelligence reports, YARA and YARA-L detection rules, SOAR playbooks, malware scripts, vulnerability information, product documentation, and many other specialized datasets. For more information, see Security with generative AI.

The following sections provide documentation for the Chronicle Security Operations features powered by Gemini:

Use Gemini to investigate security issues

Gemini provides investigation assistance that can be accessed from any part of Chronicle. Gemini can assist with your investigations in the following ways:

  • Search: Gemini can help you build, edit, and run searches targeted toward relevant events using natural language prompts. Gemini can also help you iterate on a search, adjust the scope, expand the time range, and add filters. You can complete all these tasks using natural language prompts entered into the Gemini pane.
  • Search summaries: Gemini can automatically summarize search results after every search and subsequent filter action. The Gemini pane summarizes the results of your search in a concise and understandable format. Gemini can also answer contextual follow-up questions about the summaries it provides.
  • Rule generation: Gemini can create new YARA-L rules from the UDM search queries it generates.
  • Security questions and threat intelligence analysis: Gemini can answer general security domain questions. Additionally, Gemini can answer specific threat intelligence questions and provide summaries about threat actors, IOCs, and other threat intelligence topics.
  • Incident remediation: Based on the event information returned, Gemini can suggest follow-on steps. Suggestions might also appear after filtering search results. For example, Gemini might suggest reviewing a relevant alert or rule, or filtering for a specific host or user.

To use Gemini investigation assistance, complete the following steps:

  1. Navigate to the Chronicle UI and open the Gemini pane.
  2. Enter a natural language prompt and press Enter. The natural language prompt must be in English.
  3. Review the generated UDM search query. If the generated search query meets your requirements, click Run search.
  4. Gemini produces a results summary along with suggested actions.
  5. Enter natural language follow-up questions about the search results provided by Gemini to continue your investigation.

Example search prompts and follow-up questions

  • Show me all failed logins for the last 3 days
    • Generate a rule to help detect that behavior in the future
  • Show me events associated with the principal user izumi.n
    • Who is this user?
  • Search for all of the events associated with the IP 198.51.100.121 in the last 3 hours
    • List all of the domains in the results set
    • What types of events were returned?
  • Show me events from my firewall in the last 24 hours
    • What were the 16 unique hostnames in the results set?
    • What were the 9 unique IPs associated with the results set?

Generate a YARA-L rule using Gemini

Gemini can create YARA-L rules from the search queries it generates.

  1. Use a natural language prompt to generate a rule (for example, write a rule to look for failed login events). Press Enter. Gemini generates a rule to detect the behavior you've searched for in the Gemini pane.
  2. Click Open in rule editor to view and modify the new rule in the Rules Editor.
  3. To save and use the rule in Chronicle, click Save new rule.

Assistance with threat intelligence and security questions

Gemini can answer questions related to threat intelligence about topics such as threat actors, their associations, and their behavior patterns. You can enter your questions into the Gemini pane.

  1. Enter a threat intelligence question. For example: What is UNC3782?
  2. Review the results.
  3. Investigate further by asking Gemini to create queries to look for specific IOCs referenced in the threat intelligence reports. Threat intelligence information is subject to available entitlements from your Chronicle license.

Example: Threat intelligence and security questions

  • Help me hunt for APT 44
  • Are there any known attacker tools that use RDP to brute force logins?
  • Is 103.224.80.44 suspicious?
  • What types of attacks may be associated with CVE-2020-14145?
  • Can you provide details around buffer overflow and how it can affect the target machine?

Delete a chat session

You can delete your chat conversation session or delete all chat sessions. Gemini maintains all user conversation histories privately and adheres to Google Cloud's responsible AI practices. User history is never used to train models.

  1. In the Gemini pane, select Delete chat from the menu at the top right.
  2. Click Delete chat at the bottom right to delete the current chat session.
  3. (Optional) To delete all chat sessions, select Delete all chat sessions and then click Delete all chats.

Provide feedback

You can provide feedback on responses generated by the Gemini AI investigation assistance. Your feedback helps Google improve the feature and the output generated by Gemini.

  1. In the Gemini pane, select the thumbs up or thumbs down icon.
  2. (Optional) If you select thumbs down, you can add additional feedback about why you chose the rating.
  3. Click Send feedback.

Use natural language to generate UDM search queries

You can enter a simple natural language search about your data and Chronicle can translate this statement into a UDM search query that you can run against UDM events.

To use a natural language search to create a UDM search query, complete the following steps:

  1. Sign in to Chronicle.
  2. Navigate to Search.
  3. Enter a search statement in the natural language query bar and click Generate Query.

    You must use English for the search.

    The following are some examples of statements that might generate a useful UDM search:

    • network connections from 10.5.4.3 to google.com
    • failed user logins over the last 3 days
    • emails with file attachments sent to john@example.com or jane@example.com
    • all Cloud service accounts created yesterday
    • outbound network traffic from 10.16.16.16 or 10.17.17.17
    • all network connections to facebook.com or tiktok.com
    • service accounts created in Google Cloud yesterday
    • Windows executables modified between 8 AM and 1 PM on May 1, 2023
    • all activity from winword.exe on lab-pc
    • scheduled tasks created or modified on exchange01 during the last week
    • email messages that contain PDF attachments
    • emails sent from admin@acme.com on September 1
    • any files with the hash 44d88612fea8a8f36de82e1278abb02f
    • all activity associated with user "sam@acme.com"
  4. If the search statement includes a time-based term, the time picker is automatically adjusted to match. For example, this would apply to the following searches:

    • yesterday
    • within the last 5 days
    • on Jan 1, 2023

    If the search statement cannot be interpreted, you will see the following message:
    "Sorry, no valid query could be generated. Try asking a different way."

  5. Review the generated UDM search query.

  6. (Optional) Adjust the search time range.

  7. Click Run Search.

  8. Review the search results to determine if the event is present. If needed, use search filters to narrow the list of results.

  9. Provide feedback about the query using the Generated Query feedback icons. Select one of the following:

    • If the query returns the expected results, click the thumbs up icon.
    • If the query does not return the expected results, click the thumbs down icon.
    • (Optional) Include additional detail in the Feedback field.
    • To submit a revised UDM search query that helps improve results:
      1. Edit the UDM search query that was generated.
      2. Click Submit. If you did not rewrite the query, text in the dialog prompts you to edit the query.
      3. Click Submit. The revised UDM search query will be sanitized of sensitive data and used to improve results.

Use natural language to generate rules

After you generate a UDM search query using natural language search, you can generate a Chronicle rule from it, with the corresponding security information and rule metadata included, by completing the following steps:

  1. Use natural language to generate a UDM search.

    For example, the natural language statement Find all logins from bruce-monroe is converted to the UDM search metadata.event_type = "USER_LOGIN" AND principal.user.userid = "bruce-monroe".

  2. Click Generate Rule.

    For example, using the UDM search generated previously, Chronicle generates the following rule:

    rule logins_from_bruce_monroe {
      meta:
        author = "Chronicle Gemini"
        description = "Detect logins from bruce-monroe"
      events:
        $e.metadata.event_type = "USER_LOGIN"
        $e.principal.user.userid = "bruce-monroe"
      outcome:
        $principal_ip = array($e.principal.ip)
        $target_ip = array($e.target.ip)
        $target_hostname = $e.target.hostname
        $action = array($e.security_result.action)
      condition:
        $e
    }
    
  3. Review the generated YARA-L rule, rule name, and additional metadata included with the rule by clicking Open in editor. You can only create single-event rules using this feature.

  4. To activate the rule, click Save New Rule in the Rules Editor. The rule appears in the list of rules to the left. Hold the pointer over the rule, click the menu icon, and toggle the Live Rule option to the right (green). For more information, see Manage rules using Rules Editor.
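The rule generation feature produces single-event rules only, so a rule for a prompt such as "Show me all failed logins" would match every individual failure. The following added example, which is not output generated by Gemini or taken from the page, shows how such a rule could be extended by hand in the Rules Editor into a multi-event rule that fires only on repeated failures for one user. It assumes that failed logins appear in UDM as USER_LOGIN events with security_result.action = "BLOCK"; the threshold and window are illustrative values.

```yaral
// Added example, not a Gemini-generated rule. Assumes failed logins are
// USER_LOGIN events whose security_result.action is "BLOCK".
rule repeated_failed_logins_per_user {
  meta:
    author = "example author"
    description = "Five or more failed logins for the same user within 10 minutes"
    severity = "MEDIUM"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "BLOCK"
    // Bind the account being logged into as the match variable.
    $login.target.user.userid = $user

  match:
    // Group failed logins by user over a 10-minute window.
    $user over 10m

  outcome:
    $failed_count = count($login.metadata.id)
    $source_ips = array_distinct($login.principal.ip)
    $target_hosts = array_distinct($login.target.hostname)

  condition:
    // Fire only when at least five failures were seen for the user.
    #login >= 5
}
```

Because the rule has a match section, it is a multi-event rule and must be written or pasted into the Rules Editor directly rather than produced by Generate Rule.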

Provide feedback on the generated rule

You can provide feedback on the generated rule. This feedback is used to improve the accuracy of the rule generation feature.

To provide feedback on the rule, complete the following steps:

  1. Click Feedback on Rule.
    • If the rule syntax was generated as expected, click the thumbs up icon.
    • If the rule syntax is not what you expected, click the thumbs down icon.
    • (Optional) Include additional details in the Tell us more field.
  2. Click Submit Feedback.

AI Investigation widget

The AI Investigation widget looks at the whole case (alerts, events, and entities) and provides an AI-generated case summary of how much attention the case might require. The widget also summarizes the alerts data for a better understanding of the threat, and provides recommendations for next steps to be taken for effective remediation.

The classification, summary, and recommendations each include an option to leave feedback on the accuracy and usefulness of the AI output. The feedback is used to help us improve accuracy.

The AI Investigation widget is displayed under the Case Overview tab in the Cases page. If there is only one alert in the case, you need to click the Case Overview tab to see this widget.


The AI Investigation widget is not displayed for cases that are created manually or request cases that are initiated from Your Workdesk.

Provide feedback for the AI Investigation widget

  1. If the results are acceptable, click the thumbs up icon. You can add more information in the Additional Feedback field.

  2. If the results were not as expected, click the thumbs down icon. Select one of the options provided and add any other additional feedback that you think relevant.

  3. Click Send Feedback.

Remove the AI Investigation widget

The AI Investigation widget is included in the default view.

To remove the AI Investigation widget from the default view, do the following:

  1. Navigate to SOAR Settings > Case Data > Views.

  2. Select Default Case View from the left side-panel.

  3. Click the Delete icon on the AI Investigation widget.