Triage and Investigation Agent dashboard
The Triage and Investigation Agent (TIN) autonomously investigates security alerts to determine whether they are true positives or false positives. Google SecOps integrates TIN operational data into dashboards. This integration gives you visibility into the agent's investigations so that you can evaluate its effectiveness and understand its impact on your security posture. The dashboards also let you monitor security token consumption for billing purposes and assess the value the agent provides.
Key metrics
By integrating TIN data into dashboards, you can monitor the following:
- Operational efficacy: View the types of alerts the agent investigates and the final verdicts (true positive or false positive) it reaches.
- Efficiency gains: Track metrics such as the time saved by using the agent for autonomous investigations.
- Usage monitoring: Monitor TIN usage, including security token consumption, to track cost and the value the agent provides.
For YARA-L 2.0 dashboard query examples that produce these metrics, see Triage and Investigation Agent dashboard examples.
Curated dashboard for TIN
Google SecOps provides a curated dashboard with several preset charts that track agent performance and user satisfaction. Each chart includes interactive options to help you explore the underlying data. You can export the dashboard data to a JSON file, or download a report in CSV, PDF, or PNG format.
For more information about exporting and importing dashboards, see Import or export a dashboard and Download reports.
To access this dashboard, select Triage and Investigation Agent Metrics from the dashboards list.
For more information about dashboards and the available filters, see Manage dashboards and Dashboard filters.
Curated dashboard details
The Triage and Investigation Agent Metrics curated dashboard displays the following sections:
- Gemini investigation volume
- Gemini investigation volume by trigger type
- Gemini disposition trends
- User feedback metrics
- Token usage metrics
Each of these sections includes multiple charts that show related metrics.
Gemini investigation volume
- Gemini investigations: Displays the number of completed Gemini investigations. This section includes separate charts for hourly, daily, weekly, and monthly views.
- Daily number of investigations per alert type: Breaks down the daily count of Gemini investigations by alert type.
Gemini investigation volume by trigger type
- Gemini investigations by trigger type: Compares manually triggered and automatically triggered investigations. This section includes separate charts for hourly, daily, weekly, and monthly views.
Gemini disposition trends
- Dispositions by day: Tracks daily counts of true positive and false positive investigation verdicts.
User feedback metrics
- Disposition feedback: Tracks user feedback for final investigation verdicts.
- Investigation step feedback: Shows the proportion of positive and negative feedback for individual investigation steps.
- Investigation summary feedback: Tracks user feedback for investigation summaries.
- Next steps feedback: Tracks user feedback for recommended response actions.
Token usage metrics
- Daily token usage: Displays the total number of security tokens consumed each day.
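The following Python example is added here to show how the aggregations behind the curated dashboard's charts work; it is not code from the original page or from Google SecOps, and it does not use the schema in which TIN data is stored. The record field names (completed_at, alert_type, trigger, disposition, tokens, step_feedback) and the sample investigations are constructed for the example. It reproduces the investigation volume per hour, day, ISO week, and month, the split by trigger type, the daily true positive and false positive dispositions, the proportion of positive to negative step feedback, and the daily token usage, which is useful when you want to cross-check the curated charts against exported data or build a custom dashboard around the same metrics.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of completed TIN investigations. The field names are
# assumptions made for this example, not the Google SecOps data model.
INVESTIGATIONS = [
    {"completed_at": "2025-03-03T09:15:00", "alert_type": "Suspicious Login",
     "trigger": "auto", "disposition": "false_positive", "tokens": 1200,
     "step_feedback": [True, True, False]},
    {"completed_at": "2025-03-03T10:40:00", "alert_type": "Malware Detected",
     "trigger": "auto", "disposition": "true_positive", "tokens": 2100,
     "step_feedback": [True, True]},
    {"completed_at": "2025-03-03T16:05:00", "alert_type": "Suspicious Login",
     "trigger": "manual", "disposition": "false_positive", "tokens": 900,
     "step_feedback": [False]},
    {"completed_at": "2025-03-04T08:30:00", "alert_type": "Data Exfiltration",
     "trigger": "auto", "disposition": "true_positive", "tokens": 3400,
     "step_feedback": [True, True, True]},
    {"completed_at": "2025-03-10T11:00:00", "alert_type": "Suspicious Login",
     "trigger": "manual", "disposition": "true_positive", "tokens": 1500,
     "step_feedback": []},
]


def bucket(timestamp, granularity):
    """Map an ISO timestamp to the time bucket used by each chart view."""
    dt = datetime.fromisoformat(timestamp)
    if granularity == "hourly":
        return dt.strftime("%Y-%m-%dT%H")
    if granularity == "daily":
        return dt.strftime("%Y-%m-%d")
    if granularity == "weekly":
        year, week, _ = dt.isocalendar()  # ISO week keeps Mon-Sun together
        return f"{year}-W{week:02d}"
    if granularity == "monthly":
        return dt.strftime("%Y-%m")
    raise ValueError(f"unknown granularity: {granularity}")


def investigation_volume(records, granularity):
    """Completed investigations per bucket (the 'Gemini investigations' charts)."""
    return dict(Counter(bucket(r["completed_at"], granularity) for r in records))


def _grouped_counts(records, granularity, field):
    """Count records per bucket, split by the value of one field."""
    out = defaultdict(Counter)
    for r in records:
        out[bucket(r["completed_at"], granularity)][r[field]] += 1
    return {k: dict(v) for k, v in out.items()}


def volume_by_alert_type(records):
    """Daily investigations broken down by alert type."""
    return _grouped_counts(records, "daily", "alert_type")


def volume_by_trigger(records, granularity):
    """Manual versus automatic triggers per bucket."""
    return _grouped_counts(records, granularity, "trigger")


def dispositions_by_day(records):
    """Daily true positive and false positive verdict counts."""
    return _grouped_counts(records, "daily", "disposition")


def step_feedback_ratio(records):
    """Positive versus negative feedback over every individual investigation step."""
    positive = sum(sum(1 for ok in r["step_feedback"] if ok) for r in records)
    negative = sum(sum(1 for ok in r["step_feedback"] if not ok) for r in records)
    total = positive + negative
    return {
        "positive": positive,
        "negative": negative,
        # Guard the empty case: no feedback at all is not 0% positive.
        "positive_ratio": positive / total if total else None,
    }


def daily_token_usage(records):
    """Security tokens consumed per day (the 'Daily token usage' chart)."""
    usage = Counter()
    for r in records:
        usage[bucket(r["completed_at"], "daily")] += r["tokens"]
    return dict(usage)


if __name__ == "__main__":
    for view in ("hourly", "daily", "weekly", "monthly"):
        print(view, investigation_volume(INVESTIGATIONS, view))
    print("by trigger (daily)", volume_by_trigger(INVESTIGATIONS, "daily"))
    print("dispositions", dispositions_by_day(INVESTIGATIONS))
    print("step feedback", step_feedback_ratio(INVESTIGATIONS))
    print("tokens", daily_token_usage(INVESTIGATIONS))
```

The weekly view uses ISO week numbers so that an investigation completed late on a Sunday and one completed early the next Monday land in different buckets, which is also why the week label carries the ISO year rather than the calendar year. When you compare these figures against the curated dashboard, apply the same dashboard filters (time range, alert type) to the exported data first, or the totals will not match.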