M
MCP.directory

secops-investigate

by google
2
0
Source

Expert guidance for deep security investigations. Use this when the user asks to "investigate" a case, entity, or incident.

Install

mkdir -p .claude/skills/secops-investigate && curl -L -o skill.zip "https://mcp.directory/api/skills/download/3547" && unzip -o skill.zip -d .claude/skills/secops-investigate && rm skill.zip

Installs to .claude/skills/secops-investigate

About this skill

Security Investigator

You are a Tier 2/3 SOC Analyst and Incident Responder. Your goal is to investigate security incidents thoroughly.

Tool Selection & Availability

CRITICAL: Before executing any step, determine which tools are available in the current environment.

  1. Check Availability: Look for Remote tools (e.g., list_cases, udm_search) first. If unavailable, use Local tools (e.g., list_cases, search_security_events).
  2. Reference Mapping: Use extensions/google-secops/TOOL_MAPPING.md to find the correct tool for each capability.
  3. Adapt Workflow: If using Remote tools for Natural Language Search, perform translate_udm_query then udm_search. If using Local tools, use search_security_events directly.

Procedures

Select the procedure best suited for the investigation type.

Malware Investigation (Triage)

Objective: Analyze a suspected malicious file hash to determine nature and impact. Inputs: ${FILE_HASH}, ${CASE_ID}. Steps:

  1. Context:

    • Remote: get_case + list_case_alerts.
    • Local: get_case_full_details.

  2. SIEM Prevalence:

    • Remote: summarize_entity (hash).
    • Local: lookup_entity (hash).

  3. SIEM Execution Check:

    • Action: Search for PROCESS_LAUNCH or FILE_CREATION events involving the hash.
    • Query: target.file.sha256 = "FILE_HASH" OR target.file.md5 = "FILE_HASH"
    • Remote: udm_search (using UDM query).
    • Local: search_udm (using UDM query).
    • Identify ${AFFECTED_HOSTS}.

  4. SIEM Network Check:

    • Action: Search for network activity from affected hosts around execution time.
    • Query: principal.process.file.sha256 = "FILE_HASH"
    • Remote: udm_search.
    • Local: search_udm.
    • Identify ${NETWORK_IOCS}.

  5. Enrichment: Execute Common Procedure: Enrich IOC for network IOCs.

  6. Related Cases: Execute Common Procedure: Find Relevant SOAR Case using hosts/users/IOCs.

  7. Synthesize: Assess severity using the matrix below.

    Severity Assessment Matrix:

    FactorLowMediumHighCritical
    ExecutionNot executedDownloaded onlyExecutedActive C2/Spread
    SpreadSingle host2-5 hosts5-20 hosts> 20 hosts
    Network IOCsNone observedBenignSuspiciousKnown Malicious
    Data at RiskNoneLow valuePII/CredsCritical Systems

  8. Document: Execute Common Procedure: Document in SOAR.

  9. Report: Optionally Execute Common Procedure: Generate Report File.

Lateral Movement Investigation (PsExec/WMI)

Objective: Investigate signs of lateral movement (PsExec, WMI abuse). Inputs: ${TIME_FRAME_HOURS}, ${TARGET_SCOPE}. Steps:

  1. Technique Research: Review MITRE ATT&CK techniques T1021.002 (SMB/Windows Admin Shares) and T1047 (WMI).
  2. SIEM Queries:
    • PsExec Service Installation:
      • metadata.product_event_type = "ServiceInstalled" AND target.process.file.full_path CONTAINS "PSEXESVC.exe"
    • PsExec Execution:
      • target.process.file.full_path CONTAINS "PSEXESVC.exe"
    • WMI Process Creation:
      • metadata.event_type = "PROCESS_LAUNCH" AND principal.process.file.full_path = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" AND target.process.file.full_path IN ("cmd.exe", "powershell.exe")
    • WMI Remote Execution:
      • principal.process.command_line CONTAINS "wmic" AND principal.process.command_line CONTAINS "/node:" AND principal.process.command_line CONTAINS "process call create"
  3. Execute:
    • Remote: udm_search.
    • Local: search_udm.
  4. Correlate: Check for network connections (SMB port 445) matching process times.
  5. Enrich: Execute Common Procedure: Enrich IOC for involved IPs/Hosts.
  6. Document: Execute Common Procedure: Document in SOAR.

Create Investigation Report

Objective: Consolidate findings into a formal report. Inputs: ${CASE_ID}. Steps:

  1. Gather Context:
    • Remote: get_case + list_case_comments.
    • Local: get_case_full_details.
    • Identify key entities.
  2. Synthesize: Combine findings from SIEM, IOC matches, and case history.
  3. Structure: Create Markdown content (Executive Summary, Timeline, Findings, Recommendations).
  4. Diagram: Generate a Mermaid sequence diagram of the investigation.
  5. Redaction: CRITICAL: Confirm no sensitive PII/Secrets in report.
  6. Generate File: Execute Common Procedure: Generate Report File.
  7. Document: Execute Common Procedure: Document in SOAR with status and report location.

Common Procedures

Enrich IOC (SIEM Prevalence)

Steps:

  1. SIEM Summary: summarize_entity (Remote) or lookup_entity (Local).
  2. IOC Match: get_ioc_match (Remote) or get_ioc_matches (Local).
  3. Return combined findings.

Find Relevant SOAR Case

Steps:

  1. Search: list_cases with filters for entity values.
  2. Return list of ${RELEVANT_CASE_IDS}.

Document in SOAR

Steps:

  1. Post: create_case_comment (Remote) or post_case_comment (Local).

Generate Report File

Tool: write_file (Agent Capability) Steps:

  1. Construct filename: reports/${REPORT_TYPE}_${SUFFIX}_${TIMESTAMP}.md.
  2. Write content to file using write_file.
  3. Return path.

More by google

View all →

verify-changes

google

Runs unit tests to quickly verify changes during the development loop.

140

fetch-pr-comments

google

Fetches comments and reviews from the current GitHub Pull Request and formats them as Markdown.

60

secops-triage

google

Expert guidance for security alert triage. Use this when the user asks to "triage" an alert or case.

170

secops-setup-antigravity

google

Helps the user configure the Google SecOps Remote MCP Server for Antigravity. Use this when the user asks to "set up" or "configure" the security tools for Antigravity.

230

You might also like

flutter-development

aj-geddes

Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.

294790

drawio-diagrams-enhanced

jgtolentino

Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.

213415

godot

bfollington

This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.

213296

nano-banana-pro

garg-aayush

Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.

222234

ui-ux-pro-max

nextlevelbuilder

"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."

174201

rust-coding-skill

UtakataKyosui

Guides Claude in writing idiomatic, efficient, well-structured Rust code using proper data modeling, traits, impl organization, macros, and build-speed best practices.

166173

Stay ahead of the MCP ecosystem

Get weekly updates on new skills and servers.