# Use the Alert Response Recommender

Supported in: Google SecOps
This document explains how to use the **Alert Response Recommender** pilot, an experiment in the Google Security Operations Labs. The pilot significantly reduces the time analysts spend on investigations. It analyzes historical data from similar, previously closed alerts with a Large Language Model (LLM). By providing actionable recommendations, the Alert Response Recommender helps streamline the triage process and accelerate case resolution.

For more information about the Google SecOps Labs, see [Use Gemini and Google SecOps experiments](/chronicle/docs/secops/google-secops-labs).
## Locate the alert ID or ticket ID

1. Go to the **Cases** page and select the case you want to investigate from the queue.
2. Navigate to the **Case Overview**.
3. Go to the **Alerts widget** and click **View Details** for the specific alert you need.
4. In the side drawer that appears, go to the **Case** section and copy the **Ticket ID** or **Alert ID**.
## Run the experiment

1. On the Google SecOps page, click the experiment **Labs** icon.
2. In the **Alert Response Recommender** card, click **Try**.
3. In the **Open Alert ID** field, enter the Ticket ID or Alert ID you copied.
4. Click **Submit**.
## Review the output

Once the pilot has analyzed the data, it generates a recommendation based on an analysis of similar historical alerts. The output includes these key sections:

- **Analyst Actions:** Recommended manual steps.
- **Content Hub (Marketplace) Actions:** Suggested actions within the Content Hub (Marketplace).
- **Closure Recommendation:** A suggested reason to close the alert.

The output also includes a detailed breakdown of the analysis, with a list of similar historical alerts, their closure reasons, and playbook usage.
Example output:

```
Recommendations

Step 1: Recommendation for Analyst Actions

No specific manual analyst actions are recommended based on the provided data.

Step 2: Recommendation for Content Hub Actions

No Content Hub actions are recommended based on the provided data.

Step 3: Closure Recommendation

Close the alert as "Maintenance".

Recommendations Are Based on the Following Similar Historical Closed Alerts

Step 4: Identify Similar Alerts

The following characteristics are shared between the current alert and the similar alerts:

* AlertRuleGenerator: "Data Exfiltration"
* AlertProduct: "DLP_Product"
* AlertDisplayName: "DATA EXFILTRATION"
* AlertVendor: "DLP"
* AlertSourceSystemName: "Arcsight"
* AlertIsManual: false
* AlertOriginalName: "DATA EXFILTRATION"
* AlertSourceIdentifier: "Simulation"
* AlertUsefulness: "None"
* AlertPriority: "High"
* All EntityIdentifiers are identical.

The similar alerts are:

* DATA EXFILTRATION_96C92028-70E5-4947-87DF-CC64133B2583
* DATA EXFILTRATION_79D74832-4C9D-4315-AD0C-77F640A1766A
* DATA EXFILTRATION_6C6713D6-8A50-48AB-B168-FE23791EC86C
* DATA EXFILTRATION_C6493390-3544-46A6-A219-0DDC64FE8547
* DATA EXFILTRATION_B44A1099-2DBD-4F02-9173-5931C538AE9D

Step 5: Analyze Playbook Usage in Similar Alerts

No playbooks were used in the identified similar alerts.

Step 6: Analyze Case Closure Information

All similar alerts, except DATA EXFILTRATION_8D4E6467-F503-447A-8B38-BC521296E194,
have the closure reason as "Maintenance", with a root cause of "Lab Test". The alert
DATA EXFILTRATION_8D4E6467-F503-447A-8B38-BC521296E194 has the closure reason "NotMalicious".
Comments in most cases contain the word "test" along with the Case closed by Siemplify API
information.
```
## Limitations

To ensure you interpret the recommendations correctly, be aware of the following limitations:

- **Dependence on historical data:** The quality and relevance of the recommendations are directly tied to the historical data available. If there isn't enough similar data, the advice may be limited or less accurate.
- **Limited alert types:** The recommendations may be less effective for some alert types, particularly if they're new or have few precedents.
- **Minimum alerts required:** The Alert Response Recommender must find at least one similar historical alert to provide a recommendation. If no similar alerts are found, it can't provide a useful analysis. The application will notify you of this by showing an empty **Identify Similar Alerts** tab.
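The example output above (steps 4 to 6) and the "minimum alerts required" limitation both describe the same reasoning: find closed alerts that share the current alert's attributes and entity identifiers, summarise their playbook usage and closure reasons, and derive a closure recommendation, or none when no precedent exists. The script below is an added illustration of that reasoning, not Google SecOps code and not the pilot's implementation: it replaces the pilot's LLM analysis with exact attribute matching and a majority vote over closure reasons (an assumption), and every alert, entity identifier and comment in it is constructed sample data modelled on the example output.

```python
"""Illustrative model of the recommender's steps 4 to 6 (added example, not
Google SecOps code). Assumption: exact matching on the attributes the example
output lists, plus identical EntityIdentifiers, stands in for the pilot's
LLM-based similarity; the closure recommendation is a majority vote."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Attributes the page's example output lists as shared between the current
# alert and its similar alerts. EntityIdentifiers are compared separately.
SIMILARITY_FIELDS = (
    "AlertRuleGenerator", "AlertProduct", "AlertDisplayName", "AlertVendor",
    "AlertSourceSystemName", "AlertIsManual", "AlertOriginalName",
    "AlertSourceIdentifier", "AlertUsefulness", "AlertPriority",
)


@dataclass
class Alert:
    alert_id: str
    attributes: dict                       # values for SIMILARITY_FIELDS
    entity_ids: frozenset                  # EntityIdentifiers on the alert
    closure_reason: Optional[str] = None   # None while the alert is open
    root_cause: Optional[str] = None
    playbooks: tuple = ()                  # playbooks that ran on the closed case
    comment: str = ""


def find_similar(current: Alert, history: list) -> list:
    """Step 4: closed alerts whose similarity fields and entities all match."""
    return [
        h for h in history
        if h.closure_reason is not None
        and all(h.attributes.get(f) == current.attributes.get(f)
                for f in SIMILARITY_FIELDS)
        and h.entity_ids == current.entity_ids
    ]


def recommend(current: Alert, history: list) -> dict:
    """Steps 5 and 6 plus the closure recommendation (None with no precedent)."""
    similar = find_similar(current, history)
    if not similar:
        # Limitation from the page: with no similar historical alert there is
        # nothing to base a recommendation on (empty "Identify Similar Alerts").
        return {"similar_alerts": [], "playbooks": [], "closure_reasons": {},
                "closure_recommendation": None, "support": "0/0"}
    reasons = Counter(h.closure_reason for h in similar)
    top_reason, top_count = reasons.most_common(1)[0]
    return {
        "similar_alerts": [h.alert_id for h in similar],
        "playbooks": sorted({p for h in similar for p in h.playbooks}),
        "closure_reasons": dict(reasons),
        "closure_recommendation": top_reason,
        "support": f"{top_count}/{len(similar)}",
    }


# --- constructed sample data modelled on the page's example output ----------
DLP_ATTRS = {
    "AlertRuleGenerator": "Data Exfiltration", "AlertProduct": "DLP_Product",
    "AlertDisplayName": "DATA EXFILTRATION", "AlertVendor": "DLP",
    "AlertSourceSystemName": "Arcsight", "AlertIsManual": False,
    "AlertOriginalName": "DATA EXFILTRATION", "AlertSourceIdentifier": "Simulation",
    "AlertUsefulness": "None", "AlertPriority": "High",
}
LAB_ENTITIES = frozenset({"host-lab-01", "user-labtest"})   # constructed


def _closed(alert_id, reason, root_cause, comment, entities=LAB_ENTITIES, attrs=DLP_ATTRS):
    return Alert(alert_id, attrs, entities, reason, root_cause, (), comment)


HISTORY = [
    _closed("DATA EXFILTRATION_SAMPLE-1", "Maintenance", "Lab Test", "test; Case closed by Siemplify API"),
    _closed("DATA EXFILTRATION_SAMPLE-2", "Maintenance", "Lab Test", "test"),
    _closed("DATA EXFILTRATION_SAMPLE-3", "Maintenance", "Lab Test", "test"),
    _closed("DATA EXFILTRATION_SAMPLE-4", "Maintenance", "Lab Test", "test"),
    _closed("DATA EXFILTRATION_SAMPLE-5", "NotMalicious", "Lab Test", "benign"),
    # Same attributes but different entities: not similar under this heuristic.
    _closed("DATA EXFILTRATION_SAMPLE-6", "Malicious", "Insider", "real incident",
            entities=frozenset({"host-prod-07"})),
    # Different product: never similar.
    _closed("PHISHING_SAMPLE-1", "Malicious", "Phishing", "",
            attrs={**DLP_ATTRS, "AlertProduct": "MailGateway"}),
]

CURRENT_ALERT = Alert("DATA EXFILTRATION_OPEN-1", DLP_ATTRS, LAB_ENTITIES)
# An open alert from a rule with no precedent in HISTORY at all.
UNSEEN_ALERT = Alert("NEW RULE_OPEN-1", {**DLP_ATTRS, "AlertRuleGenerator": "New Rule"}, LAB_ENTITIES)

if __name__ == "__main__":
    print(recommend(CURRENT_ALERT, HISTORY))   # Maintenance, support 4/5
    print(recommend(UNSEEN_ALERT, HISTORY))    # no recommendation
```

Run it as a script to see both outcomes: the DLP alert gets "Maintenance" backed by four of five precedents (the lone "NotMalicious" closure is reported in `closure_reasons` so an analyst can weigh it), while the alert from an unseen rule yields no recommendation, which is the situation the empty **Identify Similar Alerts** tab signals.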