Agentic Automation

Agentic Automation in Google Security Operations lets you build dynamic, adaptive automation by embedding AI Agents directly into your workflows. This lets you integrate AI-driven capabilities into your existing playbooks by combining AI agents with deterministic automation steps, ensuring you stay in charge of critical actions.

Deterministic automation relies on hard-coded logic where every step and outcome is fixed and predefined. While this offers control, it can struggle to handle new use cases, manage scenarios where parts of the automation fail, or adapt when faced with missing information. Agentic Automation shifts the focus toward workflows built on AI agents that can reason through these unplanned variables.

Case Overview and Visibility

When an agent triages an alert, the findings appear in the Gemini Investigations side drawer and in the AI agent step results.

The playbook monitors the agent's progress using three distinct states. This is an asynchronous process; the playbook pauses without occupying the execution queue while waiting for the agent to complete.

  • Not Run: The agent has not been triggered yet.

  • Running: An investigation is in progress or the playbook is polling for results.

  • Completed: The agent has finished its analysis and the results are ready for downstream steps.

To use Agentic Automation, you must opt in the relevant AI agents for your tenant. You can manage this in the settings of the Gemini investigation side menu within the Case Overview.

Triage and Investigation agent (TIN) integration

Agentic Automation supports the Triage and Investigation Agent (TIN), which performs autonomous analysis of security alerts by gathering evidence and performing first-party enrichment. The agent provides a True Positive or False Positive verdict, a confidence score, and additional outputs that can be used to drive subsequent steps in the playbook workflow.

Supported alert types

TIN's investigative capabilities depend on the alert source and how the agent is triggered:

  • Manual investigations: You can manually trigger a TIN investigation on any alert, provided it does not originate from a SOAR Connector.
  • Automatic investigations: By default, TIN supports automatic investigations for alerts originating from specific SIEM detection engine log types. For the list of these sources, see Default Supported Log Types.
  • Unsupported alerts: If an unsupported alert type triggers an automatic agent step, you can configure the playbook to either stop execution or skip the step and continue the workflow.

Add an AI Agent to a playbook

  1. Go to Response > Playbooks.
  2. Open an existing playbook or create a new one.
  3. Open the Step Selection panel and locate the AI Agents category.
  4. Drag an agent from the list onto the canvas.
  5. Click the step to open the configuration panel.

Configure the Agent step

Within the configuration panel, define how the playbook interacts with the AI Agent:

  • Action type: Set to Automatic to let the agent run without manual intervention, or Manual if an analyst must run the AI Agent step from within a case.
  • Retry on failure: Toggle whether the step should attempt to rerun if the agent encounters a transient error. This applies to the failure of the agent execution itself, rather than a failure of a specific tool.
  • Error Handling (If step fails): Use these settings to define the workflow if the agent cannot process the input (for example, due to an unsupported data format):
    • Stop the playbook: Cease all actions if the agent cannot provide a result.
    • Skip to the next step: Continue the playbook execution, bypassing the AI Agent step.

Use Agent results in logic branching

TIN generates structured results that you can use in the Expression Builder. This lets you navigate the automation flow based on the agent's verdict and confidence level rather than relying on predefined static inputs.

Example Logic

  1. Drag a Flow block (Conditional) onto the canvas after the AI Agent step.
  2. Click the condition to open the Placeholder menu.
  3. Locate and select the AI Agent step results.
  4. Open the Expression Builder for the JSON result and select the value you want to evaluate (for example, verdict or confidence_level).
  5. Define your branches based on the AI's insights:
    • True Positive: Connect to remediation steps (for example, "Isolate Host" or "Block User").
    • False Positive (High Confidence): Connect to a Close Alert action to automatically reduce analyst noise.
    • False Positive (Low/Medium Confidence): Connect to an analyst assignment or manual review step for secondary verification.
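The branching logic above, together with the three step states and the Error Handling setting, as an added Python example that is not part of Google's documentation. Only the field names verdict and confidence_level come from this page; the JSON layout of the step result, the state field, and the branch labels are assumptions made for the example.

```python
import json

# Branch labels for the Flow block's outgoing connectors (assumed names).
REMEDIATE, CLOSE_ALERT, MANUAL_REVIEW, WAIT, SKIP, STOP = (
    "remediate", "close_alert", "manual_review", "wait", "skip", "stop")


def make_step_result(state, verdict=None, confidence_level=None):
    """Build a constructed AI Agent step result as a JSON string.

    Only the keys verdict and confidence_level are named on the page; the
    surrounding layout (a state plus a result object) is an assumption.
    """
    result = {}
    if verdict is not None:
        result["verdict"] = verdict
    if confidence_level is not None:
        result["confidence_level"] = confidence_level
    return json.dumps({"state": state, "result": result})


def route_agent_result(step_json, on_failure="stop"):
    """Pick the branch that follows the AI Agent step.

    on_failure mirrors the step's Error Handling setting: "stop" ends the
    playbook, "skip" bypasses the agent step and continues the workflow.
    """
    data = json.loads(step_json)
    state = str(data.get("state") or "").strip().lower()
    if state in ("not run", "running"):
        # Asynchronous step: no result yet, the playbook keeps polling.
        return WAIT
    result = data.get("result") or {}
    verdict = str(result.get("verdict") or "").strip().lower()
    confidence = str(result.get("confidence_level") or "").strip().lower()
    if state == "completed" and verdict == "true positive":
        return REMEDIATE
    if state == "completed" and verdict == "false positive":
        # Only a high-confidence False Positive is closed automatically;
        # lower confidence is handed to an analyst for secondary review.
        return CLOSE_ALERT if confidence == "high" else MANUAL_REVIEW
    # No usable verdict (for example an unsupported alert type or a
    # malformed result): apply the step's Error Handling choice.
    return STOP if on_failure == "stop" else SKIP
```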

Manage agent quotas

To maintain consistent playbook performance and system stability, ensure your workflows stay within the service limits for Agentic Automation.
