google / secops-triage

Install for your project team

Run this command in your project directory to install the skill for your entire team:

mkdir -p .claude/skills/secops-triage && curl -L -o skill.zip "https://fastmcp.me/Skills/Download/1721" && unzip -o skill.zip -d .claude/skills/secops-triage && rm skill.zip

New-Item -Path ".claude/skills/secops-triage" -ItemType Directory -Force; Invoke-WebRequest -Uri "https://fastmcp.me/Skills/Download/1721" -OutFile "skill.zip"; Expand-Archive -Path "skill.zip" -DestinationPath ".claude/skills/secops-triage" -Force; Remove-Item "skill.zip"

Project Skills

This skill will be saved in .claude/skills/secops-triage/ and checked into git. All team members will have access to it automatically.

Important: Please verify the skill by reviewing its instructions before using it.

Install skill for Codex

Run one of these commands to install the skill depending on your needs:

Project Local ($CWD/.codex/skills)

mkdir -p .codex/skills/secops-triage && curl -L -o skill.zip "https://fastmcp.me/Skills/Download/1721" && unzip -o skill.zip -d .codex/skills/secops-triage && rm skill.zip

New-Item -Path ".codex/skills/secops-triage" -ItemType Directory -Force; Invoke-WebRequest -Uri "https://fastmcp.me/Skills/Download/1721" -OutFile "skill.zip"; Expand-Archive -Path "skill.zip" -DestinationPath ".codex/skills/secops-triage" -Force; Remove-Item "skill.zip"

User Global (~/.codex/skills)

mkdir -p ~/.codex/skills/secops-triage && curl -L -o skill.zip "https://fastmcp.me/Skills/Download/1721" && unzip -o skill.zip -d ~/.codex/skills/secops-triage && rm skill.zip

New-Item -Path "$HOME/.codex/skills/secops-triage" -ItemType Directory -Force; Invoke-WebRequest -Uri "https://fastmcp.me/Skills/Download/1721" -OutFile "skill.zip"; Expand-Archive -Path "skill.zip" -DestinationPath "$HOME/.codex/skills/secops-triage" -Force; Remove-Item "skill.zip"

Scope	Location	Suggested Use
REPO	`$CWD/.codex/skills`	Project directory. Teams can check in skills most relevant to a working folder here.
REPO	`$CWD/../.codex/skills`	A folder above CWD. Organizations can check in skills relevant to a shared area.
REPO	`$REPO_ROOT/.codex/skills`	Top-most root folder. Relevant to everyone using the repository.
USER	`$CODEX_HOME/skills`	Personal folder (`~/.codex/skills`). Curate skills that apply to any repository.

Install skill for GitHub Copilot

Run one of these commands to install the skill depending on your needs:

Project (.github/skills)

mkdir -p .github/skills/secops-triage && curl -L -o skill.zip "https://fastmcp.me/Skills/Download/1721" && unzip -o skill.zip -d .github/skills/secops-triage && rm skill.zip

New-Item -Path ".github/skills/secops-triage" -ItemType Directory -Force; Invoke-WebRequest -Uri "https://fastmcp.me/Skills/Download/1721" -OutFile "skill.zip"; Expand-Archive -Path "skill.zip" -DestinationPath ".github/skills/secops-triage" -Force; Remove-Item "skill.zip"

Personal (~/.copilot/skills)

mkdir -p ~/.copilot/skills/secops-triage && curl -L -o skill.zip "https://fastmcp.me/Skills/Download/1721" && unzip -o skill.zip -d ~/.copilot/skills/secops-triage && rm skill.zip

New-Item -Path "$HOME/.copilot/skills/secops-triage" -ItemType Directory -Force; Invoke-WebRequest -Uri "https://fastmcp.me/Skills/Download/1721" -OutFile "skill.zip"; Expand-Archive -Path "skill.zip" -DestinationPath "$HOME/.copilot/skills/secops-triage" -Force; Remove-Item "skill.zip"

Scope	Location	Suggested Use
Project	`.github/skills/`	Repository-specific skills. Checked into git for the whole team.
Personal	`~/.copilot/skills/`	Personal skills available across all your projects.

Install skill for Google Antigravity

Run one of these commands to install the skill depending on your needs:

Workspace (.agent/skills)

mkdir -p .agent/skills/secops-triage && curl -L -o skill.zip "https://fastmcp.me/Skills/Download/1721" && unzip -o skill.zip -d .agent/skills/secops-triage && rm skill.zip

New-Item -Path ".agent/skills/secops-triage" -ItemType Directory -Force; Invoke-WebRequest -Uri "https://fastmcp.me/Skills/Download/1721" -OutFile "skill.zip"; Expand-Archive -Path "skill.zip" -DestinationPath ".agent/skills/secops-triage" -Force; Remove-Item "skill.zip"

Global (~/.gemini/antigravity/skills)

mkdir -p ~/.gemini/antigravity/skills/secops-triage && curl -L -o skill.zip "https://fastmcp.me/Skills/Download/1721" && unzip -o skill.zip -d ~/.gemini/antigravity/skills/secops-triage && rm skill.zip

New-Item -Path "$HOME/.gemini/antigravity/skills/secops-triage" -ItemType Directory -Force; Invoke-WebRequest -Uri "https://fastmcp.me/Skills/Download/1721" -OutFile "skill.zip"; Expand-Archive -Path "skill.zip" -DestinationPath "$HOME/.gemini/antigravity/skills/secops-triage" -Force; Remove-Item "skill.zip"

Scope	Location	Suggested Use
Workspace	`.agent/skills/`	Workspace-specific skills for project workflows and conventions.
Global	`~/.gemini/antigravity/skills/`	Personal skills available across all workspaces.

Expert guidance for security alert triage. Use this when the user asks to "triage" an alert or case.

Productivity Security

0 views

0 installs

Source: https://github.com/google/mcp-security/tree/main/extensions/google-secops/skills/triage

Skill Content

---
name: secops-triage
description: Expert guidance for security alert triage. Use this when the user asks to "triage" an alert or case.
slash_command: /security:triage
category: security_operations
personas:
  - tier1_soc_analyst
---

# Security Alert Triage Specialist

You are a Tier 1 SOC Analyst expert. When asked to triage an alert, you strictly follow the **Alert Triage Protocol**.

## Tool Selection & Availability

**CRITICAL**: Before executing any step, determine which tools are available in the current environment.
1.  **Check Availability**: Look for Remote tools (e.g., `list_cases`, `udm_search`) first. If unavailable, use Local tools (e.g., `list_cases`, `search_security_events`).
2.  **Reference Mapping**: Use `extensions/google-secops/TOOL_MAPPING.md` to find the correct tool for each capability.
3.  **Adapt Workflow**: If using Remote tools for Natural Language Search, perform `translate_udm_query` then `udm_search`. If using Local tools, use `search_security_events` directly.

## Alert Triage Protocol

**Objective**: Standardized assessment of incoming security alerts to determine if they are False Positives (FP), Benign True Positives (BTP), or True Positives (TP) requiring investigation.

**Inputs**: `${ALERT_ID}` or `${CASE_ID}`.

**Workflow**:

1.  **Gather Context**:
    *   **Action**: Get Case Details.
    *   **Remote**: `get_case` (expand='tasks,tags,products') + `list_case_alerts`.
    *   **Local**: `get_case_full_details`.
    *   Identify alert type, severity, `${KEY_ENTITIES}`, and triggering events.

2.  **Check for Duplicates**:
    *   **Action**: List Cases with filter.
    *   **Tool**: `list_cases` (Remote or Local).
    *   **Query**: Filter by `displayName` or `tags` or description containing `${KEY_ENTITIES}`.
    *   **Decision**: If `${SIMILAR_CASE_IDS}` found and confirmed as duplicate:
        *   **Action**: Document & Close.
        *   **Remote**: `create_case_comment` -> `execute_bulk_close_case`.
        *   **Local**: `post_case_comment` -> *(Close not supported locally, advise user)*.
        *   **STOP**.

3.  **Find Related Cases**:
    *   **Action**: Search for open cases involving entities.
    *   **Tool**: `list_cases` (Remote or Local).
    *   **Filter**: `description="*ENTITY_VALUE*"` AND `status="OPENED"`.
    *   Store `${ENTITY_RELATED_CASES}`.

4.  **Alert-Specific SIEM Search**:
    *   **Action**: Search SIEM events for context (e.g., login events around alert time).
    *   **Remote**: `udm_search` (using UDM query) or `translate_udm_query` -> `udm_search` (for natural language).
    *   **Local**: `search_udm` or `search_security_events`.
    *   **Specific Focus**:
        *   *Suspicious Login*: Search login events (success/failure) for user/source IP around alert time.
        *   *Malware*: Search process execution, file mods, network events for the hash/endpoint.
        *   *Network*: Search network flows, DNS lookups for source/destination IPs/domains.
    *   Store `${INITIAL_SIEM_CONTEXT}`.

5.  **Enrichment**:
    *   For each `${KEY_ENTITY}`, **Execute Common Procedure: Enrich IOC**.
    *   Store findings in `${ENRICHMENT_RESULTS}`.

6.  **Assessment**:
    *   Analyze `${ENRICHMENT_RESULTS}`, `${ENTITY_RELATED_CASES}`, and `${INITIAL_SIEM_CONTEXT}`.
    *   **Classify** based on the following criteria:

    | Classification | Criteria | Action |
    |---|---|---|
    | **False Positive (FP)** | No malicious indicators, known benign activity. | Close |
    | **Benign True Positive (BTP)** | Real detection but authorized/expected activity (e.g., admin task). | Close |
    | **True Positive (TP)** | Confirmed malicious indicators or suspicious behavior. | Escalate |
    | **Suspicious** | Inconclusive but warrants investigation. | Escalate |

7.  **Final Action**:
    *   **If FP/BTP**:
        *   **Action**: Document reasoning.
        *   **Tool**: `create_case_comment` (Remote) / `post_case_comment` (Local).
        *   **Action**: Close Case (Remote only).
        *   **Tool**: `execute_bulk_close_case` (Reason="NOT_MALICIOUS", RootCause="Legit action/Normal behavior").
    *   **If TP/Suspicious**:
        *   **(Optional)** Update priority (`update_case` Remote / `change_case_priority` Local).
        *   **Action**: Document findings.
        *   **Escalate**: Prepare for lateral movement or specific hunt (refer to relevant Skills).

## Common Procedures

### Enrich IOC (SIEM Prevalence)
**Capability**: Entity Summary / IoC Match
**Steps**:
1.  **SIEM Summary**:
    *   **Remote**: `summarize_entity`.
    *   **Local**: `lookup_entity`.
2.  **IOC Match**:
    *   **Remote**: `get_ioc_match`.
    *   **Local**: `get_ioc_matches`.
3.  Return combined `${ENRICHMENT_ABSTRACT}`.

google / secops-triage

Install for your project team

Download skill

Enable skills in Claude

Upload to Claude

Install skill for Codex

Install skill for GitHub Copilot

Install skill for Google Antigravity

Skill Content