We just released a new integration: Vertex AI! It's in public preview. If you are not familiar with Vertex AI, please refer to this doc. In short, it is a Google Cloud service that gives you access to GenAI capabilities from a range of models, including models that are not Google's own.
This community post goes into the use cases you can solve with the integration and gives more context on the supported actions.
The integration contains the following actions:
For more information please visit the official doc page.
Vertex AI is a Google Cloud product, so onboarding follows the same process as any other Google Cloud integration. The integration supports Service Account Key and Workload Identity authentication. The principal you authenticate as needs the "Vertex AI User" role (roles/aiplatform.user) on the project; that role is sufficient, so avoid granting broader roles such as Editor or Owner, since the same credentials are used by every playbook that calls the integration.
The API Root you need to configure depends on the region your model is served from. The list of available API Roots is available here.
Important! Vertex AI usage is billed to the Google Cloud project you configured. It is NOT a Google SecOps AI offering like Gemini Summary.
Please refer to the pricing doc before enabling it in high-volume playbooks.
Our recommendation is to use Gemini 1.5 Flash (gemini-1.5-flash-002). It is the cheapest option and is capable enough to get the full value out of the actions. The "Default model" set in the integration configuration is used by all actions unless you override it on the action itself.
This action is designed for environments where multiple Threat Intel sources add metadata to SOAR Entities. It extracts all of the metadata associated with an Entity and generates a short summary of it.
For example, I have a Destination URL Entity that was enriched by VirusTotal, Mandiant Threat Intelligence and URLscan.io. There is now a lot of metadata that is hard to digest, as you can see on the screenshot below:
With the Describe Entity action, we get this concise summary of the enriched data:
We understand that this action may be used frequently in playbooks, so to keep it from inflating your bill we added a caching mechanism. It ensures the action only generates a new summary if new information is detected in the entity metadata: we calculate a hash over the important fields and store it as a context value on the entity.
You can influence which fields count with the "Exclude Fields" parameter, a comma-separated list of enrichment keys that should be left out of the summary generation (and therefore out of the hash). Keys that change on every enrichment run, such as scan timestamps or screenshot links, are good candidates, because otherwise they would force a new summary each time.
If you change the model or temperature, or add more fields to "Exclude Fields", the hash is recalculated, but only after the "Refresh After (Days)" period has passed. So if "Refresh After (Days)" is set to 30, the stored hash is only re-checked 30 days after the previous generation; until then the cached summary is reused.
If you always want a new summary, enable the "Force Refresh" parameter.
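The refresh logic described above, as an added example that is not the integration's own code: a small Python model of the cache, following the rules as stated in this post. The hash covers the kept enrichment fields plus the model and temperature (so changing any of them produces a new digest), the stored context value holds the digest and the generation time, and the digest is only re-checked once "Refresh After (Days)" has elapsed. The sample entity's field names are constructed, the exact set of "important fields" the integration hashes is not documented here, and `placeholder_summarize` stands in for the Vertex AI call.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed enrichment metadata for one Destination URL entity: per-source
# key/value pairs of the kind Threat Intel integrations attach. Not real data.
SAMPLE_ENTITY_FIELDS = {
    "VT_last_analysis_stats.malicious": 7,
    "VT_reputation": -12,
    "Mandiant_score": 80,
    "URLScan_verdict": "malicious",
    # Changes on every scan, so it is excluded below to keep the hash stable.
    "URLScan_screenshot_url": "https://urlscan.example/screenshots/abc.png",
}

# Assumed action settings: Default model, temperature, Refresh After (Days), Exclude Fields.
SETTINGS = dict(model="gemini-1.5-flash-002", temperature=0.2, refresh_after_days=30,
                exclude_fields=("URLScan_screenshot_url",))
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)  # time of the first playbook run


def at_day(n):
    """T0 plus n days, used to simulate later playbook runs."""
    return T0 + timedelta(days=n)


def kept_fields(entity_fields, exclude_fields):
    """Enrichment fields that feed both the summary and the hash."""
    excluded = set(exclude_fields)
    return {k: entity_fields[k] for k in sorted(entity_fields) if k not in excluded}


def enrichment_hash(fields, model, temperature):
    """Stable digest over the kept fields plus the generation settings. A new
    value in a kept field, a different model or temperature, or an extra
    excluded field (which removes a key from `fields`) all change the digest."""
    payload = json.dumps({"fields": fields, "model": model, "temperature": temperature},
                         sort_keys=True, default=str)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def should_generate(cache, entity_fields, *, model, temperature, refresh_after_days,
                    exclude_fields=(), force_refresh=False, now=None):
    """Decide whether the model must be called again.

    cache is the context value stored for this entity on the previous run,
    {"hash": <digest>, "generated_at": <ISO 8601>}, or None on the first run.
    Returns (generate, digest_to_store).
    """
    now = now or datetime.now(timezone.utc)
    current = enrichment_hash(kept_fields(entity_fields, exclude_fields), model, temperature)
    if force_refresh or cache is None:
        return True, current
    generated_at = datetime.fromisoformat(cache["generated_at"])
    # Inside the refresh window the cached summary is reused and the hash is
    # not re-checked, even if the entity picked up new enrichment.
    if now < generated_at + timedelta(days=refresh_after_days):
        return False, cache["hash"]
    # Window elapsed: regenerate only if the inputs actually changed.
    return current != cache["hash"], current


def describe_entity(cache, entity_fields, summarize, **settings):
    """One run of the action. Returns (summary or None, updated context value).
    `summarize` is whatever produces the text (here a placeholder for Vertex AI)."""
    generate, digest = should_generate(cache, entity_fields, **settings)
    if not generate:
        return None, cache
    fields = kept_fields(entity_fields, settings.get("exclude_fields", ()))
    generated_at = settings.get("now") or datetime.now(timezone.utc)
    return summarize(fields), {"hash": digest, "generated_at": generated_at.isoformat()}


def placeholder_summarize(fields):
    """Stands in for the model call so the example runs offline."""
    return "Summary over " + ", ".join(fields)


def demo():
    """Walk through the scenarios from the post and return the decision taken in each."""
    decisions = {}
    summary, cache = describe_entity(None, SAMPLE_ENTITY_FIELDS, placeholder_summarize,
                                     now=T0, **SETTINGS)
    decisions["first_run"] = summary is not None
    changed = dict(SAMPLE_ENTITY_FIELDS, VT_reputation=-40)
    decisions["changed_inside_window"] = should_generate(cache, changed, now=at_day(1), **SETTINGS)[0]
    decisions["unchanged_after_window"] = should_generate(cache, SAMPLE_ENTITY_FIELDS, now=at_day(31), **SETTINGS)[0]
    decisions["changed_after_window"] = should_generate(cache, changed, now=at_day(31), **SETTINGS)[0]
    only_excluded = dict(SAMPLE_ENTITY_FIELDS,
                         URLScan_screenshot_url="https://urlscan.example/screenshots/new.png")
    decisions["excluded_changed_after_window"] = should_generate(cache, only_excluded, now=at_day(31), **SETTINGS)[0]
    decisions["forced"] = should_generate(cache, SAMPLE_ENTITY_FIELDS, force_refresh=True,
                                          now=at_day(1), **SETTINGS)[0]
    return decisions
```

Note the consequence of the 30-day window in `demo()`: a changed VirusTotal reputation one day after the first run does not trigger a new summary, while a change to the excluded screenshot URL never does. If you need the summary to follow enrichment more closely, lower "Refresh After (Days)" rather than reaching for "Force Refresh" on every run.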
This action is a GenAI Swiss Army knife for your automation needs. It lets you execute ANY prompt and returns the data as a JSON Result. To make the integration easier to work with, we validate whether the returned GenAI output is JSON. If it is, it is stored under a special key, "extracted_info".
You can force JSON output by setting "Response MIME type" to "application/json". This constrains the model to emit syntactically valid JSON; it does not guarantee the keys you asked for, so check that the keys you branch on in a playbook are actually present in "extracted_info".
Simple use cases for the action: summarise UDM search results, or generate a description for an ITSM ticket or email.
This action uses GenAI to check an email for suspicious indicators. You can take an email from ANY provider and submit it for analysis. Keep in mind that the email body is attacker-controlled input to the model, so treat the verdict as one signal alongside your other enrichment rather than as the final decision.
As part of the response, you will always get:
Here is what it looks like:
All of the information is available as part of the JSON Result. Remember that the quality of the response depends heavily on the model used. The information in the screenshots was produced with the gemini-1.5-flash-002 model.
NOTE: if you set a small value for the "Max Output Tokens" parameter, you risk truncating the GenAI response, which breaks the JSON object, and the widget will not render.
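As an added example (mine, not the integration's code) of what the Execute Prompt JSON handling and the "Max Output Tokens" note above amount to in practice: the functions below build a Vertex AI generateContent request against a regional API Root with the response MIME type set, then turn a response into an integration-style result, setting "extracted_info" only when the text parses as JSON and flagging a response that the model cut off at the token limit. The project id, region and the three responses are constructed; the URL and body layout are those of the public Vertex AI REST API, and the field names in the result mirror the integration's "extracted_info".

```python
import json

FENCE = "`" * 3  # markdown code fence, which models sometimes wrap JSON in


def generate_content_request(api_root, project, region, model, prompt, *,
                             temperature=0.2, max_output_tokens=1024, json_output=False):
    """Build the URL and JSON body for Vertex AI's generateContent REST method.
    api_root is the regional endpoint (the integration's "API Root"), model is
    the "Default model" or a per-action override, and json_output=True does
    what setting "Response MIME type" to application/json does."""
    url = (f"{api_root.rstrip('/')}/v1/projects/{project}/locations/{region}"
           f"/publishers/google/models/{model}:generateContent")
    config = {"temperature": temperature, "maxOutputTokens": max_output_tokens}
    if json_output:
        config["responseMimeType"] = "application/json"
    body = {
        "contents": [{"role": "user", "parts": [{"text": prompt}]}],
        "generationConfig": config,
    }
    return url, body


def strip_fence(text):
    """Remove a surrounding markdown code fence if the model added one."""
    t = text.strip()
    if t.startswith(FENCE):
        t = t.split("\n", 1)[1] if "\n" in t else ""
        t = t.rstrip()
        if t.endswith(FENCE):
            t = t[:-len(FENCE)]
    return t.strip()


def parse_generate_content(response):
    """Turn a generateContent response into an integration-style result.
    'output' always carries the raw text, 'extracted_info' is set only when
    that text is valid JSON, and 'truncated' is True when the model stopped
    because maxOutputTokens was reached, the case in which a JSON object is
    cut off part-way and no longer parses."""
    candidate = response["candidates"][0]
    parts = candidate.get("content", {}).get("parts", [])
    text = "".join(part.get("text", "") for part in parts)
    result = {"output": text, "truncated": candidate.get("finishReason") == "MAX_TOKENS"}
    try:
        result["extracted_info"] = json.loads(strip_fence(text))
    except json.JSONDecodeError:
        result["extracted_info"] = None
    return result


# Constructed responses in the documented generateContent shape; not captured
# from a live call. The first is complete, the second was cut by the token
# limit, the third came back wrapped in a markdown fence.
COMPLETE_RESPONSE = {"candidates": [{
    "content": {"role": "model", "parts": [{"text":
        '{"verdict": "suspicious", "reasons": ["lookalike sender domain"]}'}]},
    "finishReason": "STOP"}]}
TRUNCATED_RESPONSE = {"candidates": [{
    "content": {"role": "model", "parts": [{"text":
        '{"verdict": "suspicious", "reasons": ["lookalike sen'}]},
    "finishReason": "MAX_TOKENS"}]}
FENCED_RESPONSE = {"candidates": [{
    "content": {"role": "model", "parts": [{"text":
        FENCE + 'json\n{"verdict": "benign"}\n' + FENCE}]},
    "finishReason": "STOP"}]}
```

In a playbook, check the truncation flag before trusting "extracted_info": a `MAX_TOKENS` finish reason means the fix is a larger "Max Output Tokens" value (or a prompt that asks for less), not a retry of the same request.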
This action is similar to "Execute Prompt" in that it was designed to be very flexible. The high-level idea is that the action takes a JSON object as input and lets you describe the transformation you want applied to that data. In its current state, data manipulation during automation can be challenging.
You may need 10 steps just to extract a specific key, but with this action you can simply ask for the value and it will return it very consistently.
You can also use this action to generate HTML from the JSON output and later use it in widgets. The creative opportunities are endless! Just remember that if the JSON carries attacker-influenced values (URLs, subject lines, usernames), the generated HTML is untrusted too and should be sanitised before a widget renders it.
We are very excited to finally have this integration in the Marketplace. If you have any interesting use case to share, we would love to hear about it!