Generate playbooks for alerts with Gemini
You can use Gemini to generate a playbook for any alert created in a case in the platform. This feature accelerates alert triage and streamlines your incident response workflow by ensuring a playbook exists for every alert.
There are three options for the AI-generated playbooks for alerts feature:
- The platform automatically attaches AI-generated playbooks to critical-priority alerts that don't have a playbook attached. These playbooks are enabled by default. However, if you click Thumb down on one of these playbooks, it is disabled for future use.
- You can generate one or more playbooks for a standard alert that doesn't have a playbook attached. These playbooks are enabled by default and are attached to future alerts with the same rule generator. However, if you click Thumb down on one of these playbooks, it is disabled for future use.
- You can generate one or more playbooks for a standard alert that already has a playbook attached. These playbooks are disabled by default. Once a security engineer enables them, they are assigned the lowest priority so that they don't interfere with existing SOC workflows.
No AI-generated playbook runs automatically. You need to manually execute each step, which ensures you retain control over which actions are taken.
To generate a playbook with Gemini:
- On the Cases page, select the relevant alert and click Generate a playbook with Gemini. You can generate multiple playbooks for each alert.
- On the Playbook tab in the Alert view, select the AI-generated playbook (marked as AI-generated).
- Review each playbook step and manually decide whether to execute or skip each step. Alternatively, you can choose not to run the playbook at all.
- Click Thumb up or Thumb down and provide feedback on this playbook's effectiveness. Be aware that if you click Thumb down, you disable the playbook for future use.
Manage an AI-generated playbook
Once the playbook has been generated, it appears in the Generated by Gemini folder on the Playbooks page. A security engineer can then enable or disable it, add or delete steps, and move it to a different folder.