Gemini Google Cloud APP Owner’s Manual
Gemini is a powerful AI tool that can be used to assist Google Security Operations and Google Threat Intelligence users. This guide will provide you with the information you need to get started with Gemini and create effective prompts.
Creating prompts with Gemini
When creating a prompt, you will need to provide Gemini with the following information:
- The type of prompt you want to create, if applicable (e.g. “Create a rule”)
- The context for the prompt
- The desired output
Users can create a variety of prompts, including questions, commands and summaries.
Best practices for creating prompts
When creating prompts, it is important to keep the following best practices in mind:
Use natural language: Write as if you are speaking a command and express complete thoughts in full sentences.
Provide context: Include relevant details to help Gemini understand your request, such as timeframes, specific log sources, or user information. The more context you provide, the more relevant and helpful the results will be.
Be specific and concise: Clearly state the information you are looking for or the task you want Gemini to perform. Detail the purpose, trigger, action, and condition(s).
For example, ask the assistant: “Is this (file name, etc.) known to be malicious?” and if it is known to be, you can ask to “Search for this (file) in my environment.”
Include clear objectives: Start with a clear objective and specify triggers that will activate a response.
Leverage all modalities: Use in-line search functionality, chat assistant, and the playbook generator for your different needs.
Reference integrations (for playbook creation only): Request and specify integrations you’ve already installed and configured in your environment as they relate to next steps in the playbook.
Iterate: If the initial results are not satisfactory, refine your prompt, provide additional information, and ask follow-up questions to guide Gemini towards a better response.
Include conditions for action (for playbook creation only): You can enhance the prompt’s effectiveness when creating a playbook by requesting additional steps such as enriching data.
Verify accuracy: Remember that Gemini is an AI tool, and its responses should always be validated against your own knowledge and other available sources.
Using prompts in Security Operations
Gemini can be used in a variety of ways in Security Operations, including in-line search, chat assistance, and playbook generation. After receiving AI-generated case summaries, Gemini can help practitioners with:
- Threat detection and investigation
- Security-related Q&A
- Playbook generation
- Threat intelligence summarization
Google Security Operations (SecOps) is enriched with frontline intelligence from Mandiant and crowdsourced intelligence from VirusTotal, which can help security teams:
Quickly access and analyze threat intelligence: Ask natural language questions about threat actors, malware families, vulnerabilities, and IOCs.
Accelerate threat hunting and detection: Generate UDM search queries and detection rules based on threat intelligence data.
Prioritize security risks: Understand which threats are most relevant to their organization and focus on the most critical vulnerabilities.
Respond more effectively to security incidents: Enrich security alerts with threat intelligence context and get recommendations for remediation actions.
Improve security awareness: Create engaging training materials based on real-world threat intelligence.
Use cases for Security Operations
Threat detection and investigation
Create queries, generate rules, monitor events, investigate alerts, search for data (generate UDM queries).
Scenario: A threat analyst is investigating a new alert and wants to know if there is any evidence in the environment of a particular command used to infiltrate infrastructure by adding itself to the registry.
Sample prompt: Create a query to find any registry modification events on [hostname] over the past [time period].
Follow-up prompt: Generate a rule to help detect that behavior in the future.
Scenario: An analyst is told that an intern was doing suspicious “things” and wanted to get a better understanding of what was occurring.
Sample prompt: Show me network connection events for the userid starting with tim.smith (case insensitive) for the past 3 days.
Follow-up prompt: Generate a YARA-L rule to detect this activity in the future.
Scenario: A security analyst receives an alert about suspicious activity on a user account.
Sample prompt: Show me blocked user login events with an event code of 4625 where src.hostname is not null.
Follow-up prompt: How many users are included in the result set?
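What the query and rule asked for in this scenario would look like, written out here as an added example for checking Gemini's output against (it is not from the original guide and was not generated by Gemini). The UDM search is given in the leading comment and the YARA-L 2.0 rule follows; the mapping of the Windows event ID to metadata.product_event_type, the rule name, the 1h window and the threshold of 5 are assumptions.

```yaral
// UDM search equivalent of the sample prompt (assumed mapping: the
// Windows event ID 4625 is parsed into metadata.product_event_type):
//
//   metadata.event_type = "USER_LOGIN" AND
//   security_result.action = "BLOCK" AND
//   metadata.product_event_type = "4625" AND
//   src.hostname != ""
//
// YARA-L 2.0 rule for the same behaviour. Grouping on the target user
// answers the follow-up question ("how many users?") per detection; the
// 1h window and the >= 5 threshold are assumptions to tune per environment.
rule blocked_logins_4625_with_src_hostname {
  meta:
    author = "example"
    description = "Windows 4625 blocked logons with a populated source hostname, grouped per target user"
    severity = "LOW"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "BLOCK"
    $login.metadata.product_event_type = "4625"
    $login.src.hostname != ""
    // placeholder variables used by the match and outcome sections
    $login.target.user.userid = $user
    $login.src.hostname = $src_host

  match:
    $user over 1h

  outcome:
    // number of blocked logons for this user in the window
    $failed_count = count($login.metadata.id)
    // distinct source hosts the attempts came from, for triage
    $source_hosts = array_distinct($src_host)

  condition:
    $login and $failed_count >= 5
}
```

Running the UDM search first and comparing its result set with the rule's detections is a quick way to validate a Gemini-generated rule before enabling it.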
Scenario: A security analyst is onboarding into a new job and notices that Gemini has summarized a case with recommended steps for investigation and response. They want to learn more about the malware identified in the case summary.
Sample prompt: What is [name of malware]?
Follow-up prompt: How does [name of malware] persist?
Scenario: A security analyst receives an alert about a potentially malicious file hash.
Sample prompt: Is this file hash [insert hash] known to be malicious?
Follow-up prompt: What other information is available about this file?
Scenario: An incident responder needs to identify the source of a malicious file.
Sample prompt: What is the file hash of the executable “[malware.exe]”?
Follow-up prompts:
- Enrich with threat intelligence from VirusTotal for information about this file hash; is it known to be malicious?
- Has this hash been observed in my environment?
- What are the recommended containment and remediation actions for this malware?
Playbook generation
Take action and build playbooks.
Scenario: A security engineer wants to automate the process of responding to phishing emails.
Sample prompt: Create a playbook that triggers when an email is received from a known phishing sender. The playbook should quarantine the email and notify the security team.
Scenario: A member of the SOC team wants to automatically quarantine malicious files.
Sample prompt: Write a playbook for malware alerts. The playbook should take the file hash from the alert and enrich it with intelligence from VirusTotal. If the file hash is malicious, quarantine the file.
Scenario: A threat analyst wants to create a new playbook that can help respond to future alerts related to registry key changes.
Sample prompt: Build a playbook for those registry key changes alerts. I want that playbook enriched with all entity types including VirusTotal and Mandiant threat frontline intelligence. If anything suspicious is identified, create case tags and then prioritize the case accordingly.
Threat intelligence summarization
Gain insights about threats and threat actors.
Scenario: A security operations manager wants to understand the attack patterns of a specific threat actor.
Sample prompt: What are the known tactics, techniques, and procedures (TTPs) used by APT29?
Follow-up prompt: Are there any curated detections in Google SecOps that can help identify activity associated with these TTPs?
Scenario: A threat intelligence analyst learns about a new kind of malware (“emotet”) and shares a report from their research with the SOC team.
Sample prompt: What are the indicators of compromise (IOCs) associated with the emotet malware?
Follow-up prompts:
- Generate a UDM search query to look for these IOCs in my organization’s logs.
- Create a detection rule that will alert me if any of these IOCs are observed in the future.
Scenario: A security researcher has identified hosts in their environment communicating with known command-and-control (C2) servers associated with a particular threat actor.
Sample prompt: Generate a query to show me all outbound network connections to IP addresses and domains associated with: [name of threat actor].
By using Gemini effectively, security teams can enhance their threat intelligence capabilities and improve their overall security posture. These are just a few examples of how Gemini can be used to improve security operations.
As you become more familiar with the tool, you will find many other ways to use it to your advantage. Additional details can be found on the Google SecOps product documentation page.
Using prompts in Threat Intelligence
While Google Threat Intelligence can be used similarly to a traditional search engine with terms alone, users can also achieve intended results by creating specific prompts.
Gemini prompts can be used in a variety of ways in Threat Intelligence, from searching for broad trends, to understanding specific threats and pieces of malware, including:
- Threat intelligence analysis
- Proactive threat hunting
- Threat actor profiling
- Vulnerability prioritization
- Enriching security alerts
- Leveraging MITRE ATT&CK
Use cases for Threat Intelligence
Threat intelligence analysis
Scenario: A threat intelligence analyst wants to learn more about a newly discovered malware family.
Sample prompt: What is known about the malware “Emotet”? What are its capabilities and how does it spread?
Related prompt: What are the indicators of compromise (IOCs) associated with the emotet malware?
Scenario: An analyst is investigating a new ransomware group and wants to quickly understand their tactics, techniques, and procedures (TTPs).
Sample prompt: Summarize the known TTPs of the ransomware group “LockBit 3.0.” Include information about their initial access methods, lateral movement techniques, and preferred extortion tactics.
Related prompts:
- What are the common indicators of compromise (IOCs) associated with LockBit 3.0?
- Have there been any recent public reports or analysis of LockBit 3.0 attacks?
Proactive threat hunting
Scenario: A threat intelligence analyst wants to proactively search for signs of a specific malware family known to target their industry.
Sample prompt: What are the common indicators of compromise (IOCs) associated with the “Trickbot” malware?
Scenario: A security researcher wants to identify any hosts in their environment communicating with known command-and-control (C2) servers associated with a particular threat actor.
Sample prompt: What are the known C2 IP addresses and domains used by the threat actor “[Name]”?
Threat actor profiling
Scenario: A threat intelligence team is tracking the activities of a suspected APT group and wants to develop a comprehensive profile.
Sample prompt: Generate a profile of the threat actor “APT29”. Include their known aliases, suspected country of origin, motivations, typical targets, and preferred TTPs.
Related prompt: Show me a timeline of APT29’s most notable attack campaigns.
Vulnerability prioritization
Scenario: A vulnerability management team wants to prioritize remediation efforts based on the threat landscape.
Sample prompt: Which Palo Alto Networks vulnerabilities are being actively exploited by threat actors in the wild?
Related prompt: Summarize the known exploits for CVE-2024-3400 and CVE-2024-0012.
Scenario: A security team is overwhelmed with vulnerability scan results and wants to prioritize remediation efforts based on threat intelligence.
Sample prompt: Which of the following vulnerabilities have been mentioned in recent threat intelligence reports: [list identified vulnerabilities]?
Related prompts:
- Are there any known exploits available for the following vulnerabilities: [list identified vulnerabilities]?
- Which of the following vulnerabilities are most likely to be exploited by threat actors: [list identified vulnerabilities]? Prioritize them based on their severity, exploitability, and relevance to our industry.
Enriching security alerts
Scenario: A security analyst receives an alert about a suspicious login attempt from an unfamiliar IP address.
Sample prompt: What is known about the IP address [provide IP]?
Leveraging MITRE ATT&CK
Scenario: A security team wants to use the MITRE ATT&CK framework to understand how a specific threat actor might target their organization.
Sample prompt: Show me the MITRE ATT&CK techniques associated with the threat actor APT38.
Gemini is a powerful tool that can be used to improve Security Operations and Threat Intelligence. By following the best practices outlined in this guide, you can create effective prompts that will help you get the most out of Gemini.
Note: This guide provides suggestions for using Gemini in Google SecOps and Gemini in Threat Intelligence. It is not an exhaustive list of all possible use cases, and the specific capabilities of Gemini may vary depending on your product edition. You should consult the official documentation for the most up-to-date information.