From 1c0c29de7ef4a7a3cd9ff38d81f17bcc89c1051e Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Tue, 13 Jan 2026 00:17:51 +0000 Subject: [PATCH 1/3] Add ADK-based SOC Agent with Remote MCP support Introduces a new agent implementation in configured to work with the Remote MCP server for Google SecOps. This includes the agent logic, dependency definition, and sample configuration for connecting to the managed remote endpoint using Application Default Credentials. --- soc_agent/__init__.py | 0 soc_agent/agent.py | 49 +++++++++++++++++++++++++++++++++++++++ soc_agent/requirements.in | 5 ++++ soc_agent/sample.env | 17 ++++++++++++++ 4 files changed, 71 insertions(+) create mode 100644 soc_agent/__init__.py create mode 100644 soc_agent/agent.py create mode 100644 soc_agent/requirements.in create mode 100644 soc_agent/sample.env diff --git a/soc_agent/__init__.py b/soc_agent/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/soc_agent/agent.py b/soc_agent/agent.py new file mode 100644 index 00000000..f8fcd7d2 --- /dev/null +++ b/soc_agent/agent.py @@ -0,0 +1,49 @@ +import logging +import google.auth +import os +from google.auth.transport.requests import Request +from google.adk.agents import Agent +from google.adk.tools.mcp_tool import McpToolset, StreamableHTTPConnectionParams +from dotenv import load_dotenv + +# Configure logging +logging.basicConfig(level=logging.INFO) + +# Load environment variables +load_dotenv(os.path.join(os.path.dirname(__file__), '.env')) + +# 1. Setup scopes +SCOPES = ["https://www.googleapis.com/auth/chronicle"] + +def get_access_token(): + creds, _ = google.auth.default(scopes=SCOPES) + auth_req = Request() + creds.refresh(auth_req) + return creds.token + +# 2. Configure Toolset +toolset = McpToolset( + connection_params=StreamableHTTPConnectionParams( + url=os.getenv("REMOTE_MCP_URL", "https://chronicle.googleapis.com/mcp"), + headers={ + "Authorization": f"Bearer {get_access_token()}", + "Accept": "application/json", + "x-goog-user-project": os.getenv("PROJECT_ID") + } + ) +) + +# 3. Create Agent +root_agent = Agent( + name="oc_agent", + model=os.getenv("GOOGLE_MODEL", "gemini-2.5-pro"), + description="ADK Agent to test the Remote SecOps MCP Server", + instruction=f"""You are an Agent that tests the remote MCP server's tools. + + When using the SecOps MCP, use these parameters for EVERY request: + Customer ID: {os.getenv("CUSTOMER_ID")} + Region: {os.getenv("REGION", "us")} + Project ID: {os.getenv("PROJECT_ID")} + """, + tools=[toolset], +) diff --git a/soc_agent/requirements.in b/soc_agent/requirements.in new file mode 100644 index 00000000..a3b2b312 --- /dev/null +++ b/soc_agent/requirements.in @@ -0,0 +1,5 @@ +google-adk[eval]>=1.22.1 +google-auth +requests +python-dotenv +google-genai diff --git a/soc_agent/sample.env b/soc_agent/sample.env new file mode 100644 index 00000000..cb445caf --- /dev/null +++ b/soc_agent/sample.env @@ -0,0 +1,17 @@ +# Google Cloud Project Config +PROJECT_ID=YOUR_PROJECT_ID +# For SecOps/Chronicle, this is usually a UUID +CUSTOMER_ID=YOUR_CUSTOMER_ID +REGION=us + +# Configuration for ADK/Gemini +GOOGLE_GENAI_USE_VERTEXAI=True +GOOGLE_CLOUD_PROJECT=YOUR_PROJECT_ID +GOOGLE_CLOUD_LOCATION=us-central1 + +# Model Config +GOOGLE_MODEL=gemini-2.5-flash +DEFAULT_PROMPT='You are a helpful security assistant. You can use the available tools to investigate security incidents.' + +# Remote MCP Server URL (Defaults to production if not set) +# REMOTE_MCP_URL="https://chronicle.googleapis.com/mcp" From 55108289f625f4d598c035d8282a52b6a9c58636 Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Thu, 15 Jan 2026 18:21:31 +0000 Subject: [PATCH 2/3] switch to MREP server url --- soc_agent/agent.py | 2 +- soc_agent/sample.env | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/soc_agent/agent.py b/soc_agent/agent.py index f8fcd7d2..55451967 100644 --- a/soc_agent/agent.py +++ b/soc_agent/agent.py @@ -24,7 +24,7 @@ def get_access_token(): # 2. Configure Toolset toolset = McpToolset( connection_params=StreamableHTTPConnectionParams( - url=os.getenv("REMOTE_MCP_URL", "https://chronicle.googleapis.com/mcp"), + url=os.getenv("REMOTE_MCP_URL", "https://chronicle.us.rep.googleapis.com/mcp"), headers={ "Authorization": f"Bearer {get_access_token()}", "Accept": "application/json", diff --git a/soc_agent/sample.env b/soc_agent/sample.env index cb445caf..2f819255 100644 --- a/soc_agent/sample.env +++ b/soc_agent/sample.env @@ -14,4 +14,4 @@ GOOGLE_MODEL=gemini-2.5-flash DEFAULT_PROMPT='You are a helpful security assistant. You can use the available tools to investigate security incidents.' # Remote MCP Server URL (Defaults to production if not set) -# REMOTE_MCP_URL="https://chronicle.googleapis.com/mcp" +# REMOTE_MCP_URL="https://chronicle.us.rep.googleapis.com/mcp" From c2e72693f5e0ccdc3d006621b52a169d2fc737d5 Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Thu, 15 Jan 2026 18:28:28 +0000 Subject: [PATCH 3/3] flash model and pin reqs --- soc_agent/agent.py | 2 +- soc_agent/requirements.in | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/soc_agent/agent.py b/soc_agent/agent.py index 55451967..45631a0c 100644 --- a/soc_agent/agent.py +++ b/soc_agent/agent.py @@ -36,7 +36,7 @@ def get_access_token(): # 3. Create Agent root_agent = Agent( name="oc_agent", - model=os.getenv("GOOGLE_MODEL", "gemini-2.5-pro"), + model=os.getenv("GOOGLE_MODEL", "gemini-2.5-flash"), description="ADK Agent to test the Remote SecOps MCP Server", instruction=f"""You are an Agent that tests the remote MCP server's tools. diff --git a/soc_agent/requirements.in b/soc_agent/requirements.in index a3b2b312..dcfc9fef 100644 --- a/soc_agent/requirements.in +++ b/soc_agent/requirements.in @@ -1,4 +1,4 @@ -google-adk[eval]>=1.22.1 +google-adk[eval]~=1.22.1 google-auth requests python-dotenv