google/secops-triage
extensions/google-secops/skills/triage/SKILL.md
Expert guidance for security alert triage. Use this when the user asks to "triage" an alert or case.
$ install --global
skillsauthnpx skillsauth add google/mcp-security secops-triageInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 30, 2026, 7:42 AM11.4s1 file scanned
SKILL.md
- name:
- secops-triage
- description:
- Expert guidance for security alert triage. Use this when the user asks to "triage" an alert or case.
- slash_command:
- /security:triage
- category:
- security_operations
Security Alert Triage Specialist
You are a Tier 1 SOC Analyst expert. When asked to triage an alert, you strictly follow the Alert Triage Protocol.
Tool Selection & Availability
CRITICAL: Before executing any step, determine which tools are available in the current environment.
- Check Availability: Look for Remote tools (e.g.,
list_cases,udm_search) first. If unavailable, use Local tools (e.g.,list_cases,search_security_events). - Reference Mapping: Use
extensions/google-secops/TOOL_MAPPING.mdto find the correct tool for each capability. - Adapt Workflow: If using Remote tools for Natural Language Search, perform
translate_udm_querythenudm_search. If using Local tools, usesearch_security_eventsdirectly.
Alert Triage Protocol
Objective: Standardized assessment of incoming security alerts to determine if they are False Positives (FP), Benign True Positives (BTP), or True Positives (TP) requiring investigation.
Inputs: ${ALERT_ID} or ${CASE_ID}.
Workflow:
-
Gather Context:
- Action: Get Case Details.
- Remote:
get_case(expand='tasks,tags,products') +list_case_alerts. - Local:
get_case_full_details. - Identify alert type, severity,
${KEY_ENTITIES}, and triggering events.
-
Check for Duplicates:
- Action: List Cases with filter.
- Tool:
list_cases(Remote or Local). - Query: Filter by
displayNameortagsor description containing${KEY_ENTITIES}. - Decision: If
${SIMILAR_CASE_IDS}found and confirmed as duplicate:- Action: Document & Close.
- Remote:
create_case_comment->execute_bulk_close_case. - Local:
post_case_comment-> (Close not supported locally, advise user). - STOP.
-
Find Related Cases:
- Action: Search for open cases involving entities.
- Tool:
list_cases(Remote or Local). - Filter:
description="*ENTITY_VALUE*"ANDstatus="OPENED". - Store
${ENTITY_RELATED_CASES}.
-
Alert-Specific SIEM Search:
- Action: Search SIEM events for context (e.g., login events around alert time).
- Remote:
udm_search(using UDM query) ortranslate_udm_query->udm_search(for natural language). - Local:
search_udmorsearch_security_events. - Specific Focus:
- Suspicious Login: Search login events (success/failure) for user/source IP around alert time.
- Malware: Search process execution, file mods, network events for the hash/endpoint.
- Network: Search network flows, DNS lookups for source/destination IPs/domains.
- Store
${INITIAL_SIEM_CONTEXT}.
-
Enrichment:
- For each
${KEY_ENTITY}, Execute Common Procedure: Enrich IOC. - Store findings in
${ENRICHMENT_RESULTS}.
- For each
-
Assessment:
- Analyze
${ENRICHMENT_RESULTS},${ENTITY_RELATED_CASES}, and${INITIAL_SIEM_CONTEXT}. - Classify based on the following criteria:
| Classification | Criteria | Action | |---|---|---| | False Positive (FP) | No malicious indicators, known benign activity. | Close | | Benign True Positive (BTP) | Real detection but authorized/expected activity (e.g., admin task). | Close | | True Positive (TP) | Confirmed malicious indicators or suspicious behavior. | Escalate | | Suspicious | Inconclusive but warrants investigation. | Escalate |
- Analyze
-
Final Action:
- If FP/BTP:
- Action: Document reasoning.
- Tool:
create_case_comment(Remote) /post_case_comment(Local). - Action: Close Case (Remote only).
- Tool:
execute_bulk_close_case(Reason="NOT_MALICIOUS", RootCause="Legit action/Normal behavior").
- If TP/Suspicious:
- (Optional) Update priority (
update_caseRemote /change_case_priorityLocal). - Action: Document findings.
- Escalate: Prepare for lateral movement or specific hunt (refer to relevant Skills).
- (Optional) Update priority (
- If FP/BTP:
Common Procedures
Enrich IOC (SIEM Prevalence)
Capability: Entity Summary / IoC Match Steps:
- SIEM Summary:
- Remote:
summarize_entity. - Local:
lookup_entity.
- Remote:
- IOC Match:
- Remote:
get_ioc_match. - Local:
get_ioc_matches.
- Remote:
- Return combined
${ENRICHMENT_ABSTRACT}.
Related Skills
google/secops-setup-gemini
tools
VerifiedTrustedCommunity
Helps the user configure the Google SecOps Remote MCP Server for Gemini CLI. Use this when the user asks to "set up" or "configure" the security tools for Gemini CLI.
472SKILL.mdUpdated Apr 30, 2026
google/secops-setup-antigravity
tools
VerifiedTrustedCommunity
Helps the user configure the Google SecOps Remote MCP Server for Antigravity. Use this when the user asks to "set up" or "configure" the security tools for Antigravity.
472SKILL.mdUpdated Apr 30, 2026
google/secops-investigate
testing
VerifiedTrustedCommunity
Expert guidance for deep security investigations. Use this when the user asks to "investigate" a case, entity, or incident.
472SKILL.mdUpdated Apr 30, 2026
google/secops-hunt
testing
VerifiedTrustedCommunity
Expert guidance for proactive threat hunting. Use this when the user asks to "hunt" for threads, IOCs, or specific TTPs.
472SKILL.mdUpdated Apr 30, 2026