diff --git a/.github/workflows/release-google-secops.yml b/.github/workflows/release-google-secops.yml new file mode 100644 index 00000000..c61bb2b2 --- /dev/null +++ b/.github/workflows/release-google-secops.yml @@ -0,0 +1,26 @@ +name: Release Google SecOps Extension + +on: + push: + tags: + - 'google-secops-v*' + +jobs: + release: + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - uses: actions/checkout@v3 + + - name: Create Extension Artifact + run: | + cd extensions + zip -r ../google-secops.zip google-secops -x "google-secops/TOOL_MAPPING.md" + # Verify zip content + unzip -l ../google-secops.zip + + - name: Create GitHub Release + uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 + with: + files: google-secops.zip diff --git a/.gitignore b/.gitignore index a614800b..81e761d9 100644 --- a/.gitignore +++ b/.gitignore @@ -138,6 +138,7 @@ env.bak/ venv.bak/ .gemini extensions/google-secops/skills/setup-antigravity/.env +extensions/google-secops-staging/.env # Spyder project settings .spyderproject diff --git a/docs/google_secops_extension.md b/docs/google_secops_extension.md index 3516a77d..5dda5c50 100644 --- a/docs/google_secops_extension.md +++ b/docs/google_secops_extension.md 
@@ -6,9 +6,11 @@ This folder contains the **Google SecOps Extension**, providing specialized skil The extension `extensions/google-secops` packages setup and key security workflows into [skills](https://agentskills.io/specification). -The skills are designed to work seamlessly with: - * [Gemini CLI](https://geminicli.com) and the Google SecOps Remote MCP Server. - * [Antigravity](https://antigravity.google/docs/skills) +These skills are **Adaptive**, designed to work seamlessly with: + * [Google SecOps Remote MCP Server](https://google.github.io/mcp-security/docs/remote_server.html) (Preferred) + * **Local Python Tools** (Fallback) + +This allows the skills to function in diverse environments, automatically selecting the best available tool for the job. The (`.agent`) symlink makes them available as [Antigravity Agent Skills](https://antigravity.google/docs/skills) at the workspace level. You could also install/copy/symlink the skills to `~/.gemini/antigravity/skills/` to make them available globally to all workspaces. @@ -20,7 +22,10 @@ The (`.agent`) symlink makes them available as [Antigravity Agent Skills](https: npm install -g @google/gemini-cli@preview ``` -2. **Enable Skills**: Ensure your `~/.gemini/settings.json` has `experimental.skills` enabled: + +2. **GUI Login Requirement**: You MUST have logged into the Google SecOps GUI at least once before using the API/MCP server. + +3. **Enable Skills**: Ensure your `~/.gemini/settings.json` has `experimental.skills` enabled: ```json { "security": { @@ -32,7 +37,8 @@ The (`.agent`) symlink makes them available as [Antigravity Agent Skills](https: "previewFeatures": true }, "experimental": { - "skills": true + "skills": true, + "extensionConfig": true } } ``` 
@@ -52,35 +58,65 @@ To install this extension in your Gemini CLI environment: gemini extensions install ./extensions/google-secops ``` +You will be prompted for environment variables for the MCP configuration: + +1. `PROJECT_ID` (GCP Project ID on your SecOps tenant's /settings/profile page) +2. `CUSTOMER_ID` (Your Chronicle Customer UUID) +3. `REGION` (Your Chronicle Region, e.g., `us`, `europe-west1`) +4. `SERVER_URL` (e.g. https://chronicle.northamerica-northeast2.rep.googleapis.com/mcp, https://chronicle.us.rep.googleapis.com/mcp, etc.) + +> **Note**: These values are persisted in `~/.gemini/extensions/google-secops/.env` and can be referenced by skills. Also, you can change the values in this file if needed. + ## Available Skills -### 1. Setup Assistant (Gemini CLI) (`secops-setup-gemini-cli`) -* **Trigger**: "Help me set up the Gemini CLI", "Configure Gemini CLI for SecOps". -* **Function**: checks for `uv` and Google Cloud authentication, then guides you to add the correct `secops-hosted-mcp` configuration to your Gemini settings (`~/.gemini/config.json`). -### 2. Setup Assistant (Antigravity) (`secops-setup-antigravity`) +### 1. Setup Assistant (Antigravity) (`secops-setup-antigravity`) * **Trigger**: "Help me set up Antigravity", "Configure Antigravity for SecOps". * **Function**: checks for Google Cloud authentication and environment variables, then merges the correct `remote-secops-investigate` and `remote-secops-admin` configuration into your Antigravity settings (`~/.gemini/antigravity/mcp_config.json`). -### 3. Alert Triage (`secops-triage`) +### 2. Alert Triage (`secops-triage`) * **Trigger**: "Triage alert [ID]", "Analyze case [ID]". * **Function**: Orchestrates a Tier 1 triage workflow by following the `triage_alerts.md` runbook. It checks for duplicates, enriches entities, and provides a classification recommendation (FP/TP). -### 4. Investigation (`secops-investigate`) +### 3. 
Investigation (`secops-investigate`) * **Trigger**: "Investigate case [ID]", "Deep dive on [Entity]". * **Function**: Guides deep-dive investigations using specialized runbooks (e.g., Lateral Movement, Malware). -### 5. Threat Hunting (`secops-hunt`) +### 4. Threat Hunting (`secops-hunt`) * **Trigger**: "Hunt for [Threat]", "Search for TTP [ID]". * **Function**: Assists in proactive threat hunting by generating hypotheses and constructing complex UDM queries for Chronicle. +### 5. Cases (`secops-cases`) +* **Trigger**: "List cases", "Show recent cases", "/secops:cases". +* **Function**: Lists recent SOAR cases to verify connectivity and view case status. + +## Custom Commands + +You can use the following slash commands as shortcuts for common tasks: + +* `/secops:triage `: Quickly start triaging an alert. +* `/secops:investigate `: Start an investigation. +* `/secops:hunt `: Start a threat hunt. +* `/secops:cases`: List recent cases. + ## How it Works These skills act as **Driver Agents** that: 1. **Read** the standardized Runbooks in `rules_bank/run_books/`. -2. **Execute** the steps using the available MCP tools (`secops`, `gti`, `secops-soar`). +2. **Execute** the steps using the available MCP tools. 3. **Standardize** the output according to SOC best practices. +### Tool Selection + +The skills employ an **Adaptive Execution** strategy to ensure robustness: + +1. **Check Environment**: The skill first identifies which tools are available in the current workspace. +2. **Prioritize Remote**: If the **Remote MCP Server** is connected, the skill uses remote tools (e.g., `list_cases`, `udm_search`) for maximum capability. +3. **Fallback to Local**: If remote tools are unavailable, the skill attempts to use **Local Python Tools**. + > **Note**: Local tools are not included in this extension release. To use them, you must clone the [Google SecOps MCP Repository](https://github.com/google/mcp-security) and configure the local server separately. 
+ +For a detailed mapping of Remote vs. Local capabilities, see [`TOOL_MAPPING.md`](../extensions/google-secops/TOOL_MAPPING.md). + ## Cross-Compatibility @@ -90,14 +126,11 @@ These skills are designed to be compatible with **Claude Code** and other AI age * `personas`: detailed which security personas (e.g., `threat_hunter`) are best suited for the task. +## Known Issues +* If the `SERVER_URL` requires regionalization (i.e. LEP vs REP vs MREP), it can be very difficult for the user to know what value to use. + ## References * [Agent Skills Specification](https://agentskills.io/specification) * [Gemini CLI Documentation](https://geminicli.com) * [Gemini CLI Preview Features](https://geminicli.com/docs/settings/general#previewfeatures) * [Antigravity Skills](https://antigravity.google/docs/skills) - - - - - - diff --git a/extensions/google-secops/.env.example b/extensions/google-secops/.env.example new file mode 100644 index 00000000..81c4c3e9 --- /dev/null +++ b/extensions/google-secops/.env.example @@ -0,0 +1,4 @@ +PROJECT_ID=your-project-id-string +CUSTOMER_ID=12345678-abcd-4321-8765-1234567890ab +REGION=us +SERVER_URL=https://chronicle.us.rep.googleapis.com/mcp diff --git a/extensions/google-secops/.env.secops-lab b/extensions/google-secops/.env.secops-lab new file mode 100644 index 00000000..f3cb4aef --- /dev/null +++ b/extensions/google-secops/.env.secops-lab @@ -0,0 +1,4 @@ +PROJECT_ID=secops-demo-env +CUSTOMER_ID=a13f6726-efed-452e-9008-8fe0d3cb0f75 +REGION=us +SERVER_URL=https://chronicle.us.rep.googleapis.com/mcp diff --git a/extensions/google-secops/.env.staging b/extensions/google-secops/.env.staging new file mode 100644 index 00000000..ed6fe539 --- /dev/null +++ b/extensions/google-secops/.env.staging @@ -0,0 +1,4 @@ +PROJECT_ID=secops-ai-staging +CUSTOMER_ID=eb3b937b-3ab6-47e5-8185-24837b826691 +REGION=us +SERVER_URL=https://staging-chronicle.sandbox.googleapis.com/mcp 
diff --git a/extensions/google-secops/GEMINI.md b/extensions/google-secops/GEMINI.md new file mode 100644 index 00000000..b8462338 --- /dev/null +++ b/extensions/google-secops/GEMINI.md 
@@ -0,0 +1,161 @@ +# Google SecOps Extension + +This folder contains the **Google SecOps Extension**, providing specialized skills for security operations. + +## Overview + +The extension `extensions/google-secops` packages setup and key security workflows into [skills](https://agentskills.io/specification). + +These skills are **Adaptive**, designed to work seamlessly with: + * [Google SecOps Remote MCP Server](https://google.github.io/mcp-security/docs/remote_server.html) (Preferred) + * **Local Python Tools** (Fallback) + +This allows the skills to function in diverse environments, automatically selecting the best available tool for the job. + +The (`.agent`) symlink makes them available as [Antigravity Agent Skills](https://antigravity.google/docs/skills) at the workspace level. You could also install/copy/symlink the skills to `~/.gemini/antigravity/skills/` to make them available globally to all workspaces. + + +## Prerequisites + +1. **Install Gemini CLI (Preview)**: + ```bash + npm install -g @google/gemini-cli@preview + ``` + + +2. **GUI Login Requirement**: You MUST have logged into the Google SecOps GUI at least once before using the API/MCP server. + +3. **Enable Skills**: Ensure your `~/.gemini/settings.json` has `experimental.skills` enabled: + ```json + { + "security": { + "auth": { + "selectedType": "gemini-api-key" + } + }, + "general": { + "previewFeatures": true + }, + "experimental": { + "skills": true, + "extensionConfig": true + } + } + ``` + +Verify skills are enabled from the Gemini CLI prompt: +``` +/skills list +``` + +## Installation + +To install this extension in your Gemini CLI environment: + +1. **Navigate** to the project root. +2. **Run**: + ```bash + gemini extensions install ./extensions/google-secops + ``` + +You will be prompted for environment variables for the MCP configuration: + +1. `PROJECT_ID` (GCP Project ID on your SecOps tenant's /settings/profile page) +2. `CUSTOMER_ID` (Your Chronicle Customer UUID) +3. 
`REGION` (Your Chronicle Region, e.g., `us`, `europe-west1`) +4. `SERVER_URL` (e.g. https://chronicle.northamerica-northeast2.rep.googleapis.com/mcp, https://chronicle.us.rep.googleapis.com/mcp, etc.) + +> **Note**: These values are persisted in `~/.gemini/extensions/google-secops/.env` and can be referenced by skills. Also, you can change the values in this file if needed. + +When using the secops-hosted-mcp MCP Server, use these parameters from the `.env` file (located at `~/.gemini/extensions/google-secops/.env`) for EVERY request: +Customer ID: ${CUSTOMER_ID} +Region: ${REGION} +Project ID: ${PROJECT_ID} + +## Available Skills + + +### 1. Setup Assistant (Antigravity) (`secops-setup-antigravity`) +* **Trigger**: "Help me set up Antigravity", "Configure Antigravity for SecOps". +* **Function**: checks for Google Cloud authentication and environment variables, then merges the correct `remote-secops-investigate` and `remote-secops-admin` configuration into your Antigravity settings (`~/.gemini/antigravity/mcp_config.json`). + +### 2. Alert Triage (`secops-triage`) +* **Trigger**: "Triage alert [ID]", "Analyze case [ID]". +* **Function**: Orchestrates a Tier 1 triage workflow by following the `triage_alerts.md` runbook. It checks for duplicates, enriches entities, and provides a classification recommendation (FP/TP). + +### 3. Investigation (`secops-investigate`) +* **Trigger**: "Investigate case [ID]", "Deep dive on [Entity]". +* **Function**: Guides deep-dive investigations using specialized runbooks (e.g., Lateral Movement, Malware). + +### 4. Threat Hunting (`secops-hunt`) +* **Trigger**: "Hunt for [Threat]", "Search for TTP [ID]". +* **Function**: Assists in proactive threat hunting by generating hypotheses and constructing complex UDM queries for Chronicle. + +### 5. Cases (`secops-cases`) +* **Trigger**: "List cases", "Show recent cases", "/secops:cases". +* **Function**: Lists recent SOAR cases to verify connectivity and view case status. 
+ +## Custom Commands + +You can use the following slash commands as shortcuts for common tasks: + +* `/secops:triage `: Quickly start triaging an alert. +* `/secops:investigate `: Start an investigation. +* `/secops:hunt `: Start a threat hunt. +* `/secops:cases`: List recent cases. + +## How it Works + +These skills act as **Driver Agents** that: +1. **Read** the standardized Runbooks in `rules_bank/run_books/`. +2. **Execute** the steps using the available MCP tools. +3. **Standardize** the output according to SOC best practices. + +### Tool Selection + +The skills employ an **Adaptive Execution** strategy to ensure robustness: + +1. **Check Environment**: The skill first identifies which tools are available in the current workspace. +2. **Prioritize Remote**: If the **Remote MCP Server** is connected, the skill uses remote tools (e.g., `list_cases`, `udm_search`) for maximum capability. +3. **Fallback to Local**: If remote tools are unavailable, the skill attempts to use **Local Python Tools**. + > **Note**: Local tools are not included in this extension release. To use them, you must clone the [Google SecOps MCP Repository](https://github.com/google/mcp-security) and configure the local server separately. + +For a detailed mapping of Remote vs. Local capabilities, see [`TOOL_MAPPING.md`](https://github.com/google/mcp-security/blob/main/extensions/google-secops/TOOL_MAPPING.md). + + +## Cross-Compatibility + +These skills are designed to be compatible with **Claude Code** and other AI agents. The `slash_command` and `personas` metadata in the YAML frontmatter allow other tools to index and trigger these skills effectively. + +* `slash_command`: Defines the equivalent command pattern (e.g., `/security:triage`). +* `personas`: detailed which security personas (e.g., `threat_hunter`) are best suited for the task. + + +## Known Issues +* If the `SERVER_URL` requires regionalization (i.e. 
LEP vs REP vs MREP), it can be very difficult for the user to know what value to use. + +Documentation says: +> Server URL or Endpoint: Select the regional endpoint and add /mcp at the end. For example, https://chronicle.us.rep.googleapis.com/mcp + +Known-good values for Regional Endpoints (REP): +* https://chronicle.us-east1.rep.googleapis.com/mcp +* https://chronicle.africa-south1.rep.googleapis.com/mcp +* https://chronicle.asia-northeast1.rep.googleapis.com/mcp +* https://chronicle.me-central1.rep.googleapis.com/mcp +* https://chronicle.europe-west1.rep.googleapis.com/mcp +* https://chronicle.northamerica-northeast2.rep.googleapis.com/mcp +* https://chronicle.southamerica-east1.rep.googleapis.com/mcp +* https://chronicle.europe-west2.rep.googleapis.com/mcp +* ... + +Known-good values for Multi-Regional Endpoints (MREP): +* https://chronicle.us.rep.googleapis.com/mcp + + +## References +* [Agent Skills Specification](https://agentskills.io/specification) +* [Gemini CLI Documentation](https://geminicli.com) +* [Gemini CLI Preview Features](https://geminicli.com/docs/settings/general#previewfeatures) +* [Antigravity Skills](https://antigravity.google/docs/skills) +* [Use the Google SecOps MCP server](https://docs.cloud.google.com/chronicle/docs/secops/use-google-secops-mcp) +* [Chronicle API - Regional service endpoint](https://docs.cloud.google.com/chronicle/docs/reference/rest?rep_location=us) \ No newline at end of file diff --git a/extensions/google-secops/commands/secops/cases.toml b/extensions/google-secops/commands/secops/cases.toml new file mode 100644 index 00000000..44e47b1f --- /dev/null +++ b/extensions/google-secops/commands/secops/cases.toml @@ -0,0 +1 @@ +prompt = """Run the secops-cases skill.""" diff --git a/extensions/google-secops/commands/secops/hunt.toml b/extensions/google-secops/commands/secops/hunt.toml new file mode 100644 index 00000000..6cbd0f97 --- /dev/null +++ b/extensions/google-secops/commands/secops/hunt.toml 
@@ -0,0 +1 @@ +prompt = """Run the secops-hunt skill for `{{args}}`.""" diff --git a/extensions/google-secops/commands/secops/investigate.toml b/extensions/google-secops/commands/secops/investigate.toml new file mode 100644 index 00000000..981015f3 --- /dev/null +++ b/extensions/google-secops/commands/secops/investigate.toml @@ -0,0 +1 @@ +prompt = """Run the secops-investigate skill on case `{{args}}`.""" diff --git a/extensions/google-secops/commands/secops/triage.toml b/extensions/google-secops/commands/secops/triage.toml new file mode 100644 index 00000000..49327458 --- /dev/null +++ b/extensions/google-secops/commands/secops/triage.toml @@ -0,0 +1 @@ +prompt = """Run the secops-triage skill on alert `{{args}}`.""" diff --git a/extensions/google-secops/endpoint_constants.py b/extensions/google-secops/endpoint_constants.py new file mode 100644 index 00000000..95c0b502 --- /dev/null +++ b/extensions/google-secops/endpoint_constants.py @@ -0,0 +1,14 @@ + +VALID_REPS = [ + "https://chronicle.us-east1.rep.googleapis.com/mcp", + "https://chronicle.africa-south1.rep.googleapis.com/mcp", + "https://chronicle.asia-northeast1.rep.googleapis.com/mcp", + "https://chronicle.me-central1.rep.googleapis.com/mcp", + "https://chronicle.europe-west1.rep.googleapis.com/mcp", + "https://chronicle.northamerica-northeast2.rep.googleapis.com/mcp", + "https://chronicle.southamerica-east1.rep.googleapis.com/mcp", + "https://chronicle.europe-west2.rep.googleapis.com/mcp", +] +VALID_MREPS = [ + "https://chronicle.us.rep.googleapis.com/mcp", +] \ No newline at end of file diff --git a/extensions/google-secops/gemini-extension.json b/extensions/google-secops/gemini-extension.json index 5f66cdab..5f77f4d2 100644 --- a/extensions/google-secops/gemini-extension.json +++ b/extensions/google-secops/gemini-extension.json 
@@ -1,12 +1,71 @@ { "name": "google-secops", + "contextFileName": "GEMINI.md", "description": "Essential Security Operations skills for Triage, Investigation, and Hunting.", "version": "1.0.0", "skills": [ - "skills/setup-gemini-cli", "skills/setup-antigravity", "skills/triage", "skills/investigate", - "skills/hunt" - ] -} \ No newline at end of file + "skills/hunt", + "skills/cases" + ], + "settings": [ + { + "name": "PROJECT_ID", + "defaultValue": "secops-demo-env", + "description": "Your Google Cloud Project ID (from /settings/profile).", + "envVar": "PROJECT_ID", + "sensitive": false + }, + { + "name": "CUSTOMER_ID", + "defaultValue": "a13f6726-efed-452e-9008-8fe0d3cb0f75", + "description": "Your Chronicle Customer UUID (from /settings/profile).", + "envVar": "CUSTOMER_ID", + "sensitive": false + }, + { + "name": "REGION", + "defaultValue": "us", + "description": "Your Chronicle Region (e.g. 'us', 'europe-west1').", + "envVar": "REGION", + "sensitive": false + }, + { + "name": "SERVER_URL", + "defaultValue": "https://chronicle.us.rep.googleapis.com/mcp", + "description": "The URL of the remote MCP server See https://docs.cloud.google.com/chronicle/docs/secops/use-google-secops-mcp.", + "envVar": "SERVER_URL", + "sensitive": false + } + ], + "mcpServers": { + "remote-mcp-secops": { + "httpUrl": "${SERVER_URL}", + "authProviderType": "google_credentials", + "oauth": { + "scopes": [ + "https://www.googleapis.com/auth/cloud-platform" + ] + }, + "headers": { + "x-goog-user-project": "${PROJECT_ID}" + }, + "env": { + "PROJECT_ID": "${PROJECT_ID}", + "CUSTOMER_ID": "${CUSTOMER_ID}", + "REGION": "${REGION}" + }, + "disabledTools": [ + "list_log_types", + "list_parsers", + "list_integrations", + "list_integration_actions", + "execute_manual_action", + "create_reference_list", + "get_reference_list" + ] + } + } +} diff --git a/extensions/google-secops/rewrite_json_w_env.py b/extensions/google-secops/rewrite_json_w_env.py new file mode 100644 index 00000000..db2a47b2 
--- /dev/null +++ b/extensions/google-secops/rewrite_json_w_env.py @@ -0,0 +1,45 @@ +import json +import os + +def main(): + env_file = '.env' + json_file = 'gemini-extension.json' + + if not os.path.exists(env_file): + print(f"Error: {env_file} not found.") + return + + if not os.path.exists(json_file): + print(f"Error: {json_file} not found.") + return + + # Read .env file + env_vars = {} + with open(env_file, 'r') as f: + for line in f: + line = line.strip() + if line and not line.startswith('#'): + key, value = line.split('=', 1) + env_vars[key.strip()] = value.strip() + + # Read gemini-extension.json + with open(json_file, 'r') as f: + data = json.load(f) + + # Update defaultValue in settings + if 'settings' in data: + for setting in data['settings']: + env_var_name = setting.get('envVar') + if env_var_name and env_var_name in env_vars: + setting['defaultValue'] = env_vars[env_var_name] + print(f"Updated {env_var_name} to {env_vars[env_var_name]}") + + # Write back to gemini-extension.json + with open(json_file, 'w') as f: + json.dump(data, f, indent=2) + f.write('\n') # Add trailing newline + + print("Successfully updated gemini-extension.json") + +if __name__ == "__main__": + main() diff --git a/extensions/google-secops/skills/cases/SKILL.md b/extensions/google-secops/skills/cases/SKILL.md new file mode 100644 index 00000000..ef44a3cb --- /dev/null +++ b/extensions/google-secops/skills/cases/SKILL.md 
@@ -0,0 +1,23 @@ +--- +name: secops-cases +description: List recent SOAR cases. Use this for "list cases" or "show cases". +slash_command: /secops:cases +category: security_operations +personas: + - tier1_soc_analyst +--- + +# Security Cases Specialist + +You are a specialist in retrieving SOAR case information. + +## Tool Selection + +1. **Check Availability**: Prefer `list_cases` (Remote). +2. **Fallback**: Use `list_cases` from Local tools if Remote is unavailable. + +## Workflow + +1. **List Cases**: + * Call `list_cases` to retrieve the most recent cases. + * Display them in a table with ID, Title, Priority, and Status. diff --git a/extensions/google-secops/skills/hunt/SKILL.md b/extensions/google-secops/skills/hunt/SKILL.md index 0038d752..33112afd 100644 --- a/extensions/google-secops/skills/hunt/SKILL.md +++ b/extensions/google-secops/skills/hunt/SKILL.md @@ -1,7 +1,7 @@ --- name: secops-hunt description: Expert guidance for proactive threat hunting. Use this when the user asks to "hunt" for threads, IOCs, or specific TTPs. -slash_command: /security:hunt +slash_command: /secops:hunt category: security_operations personas: - threat_hunter diff --git a/extensions/google-secops/skills/investigate/SKILL.md b/extensions/google-secops/skills/investigate/SKILL.md index de008d25..6c22f67a 100644 --- a/extensions/google-secops/skills/investigate/SKILL.md +++ b/extensions/google-secops/skills/investigate/SKILL.md @@ -1,7 +1,7 @@ --- name: secops-investigate description: Expert guidance for deep security investigations. Use this when the user asks to "investigate" a case, entity, or incident. -slash_command: /security:investigate +slash_command: /secops:investigate category: security_operations personas: - incident_responder diff --git a/extensions/google-secops/skills/setup-antigravity/mcp_config.template.json b/extensions/google-secops/skills/setup-antigravity/mcp_config.template.json index 89eb33ec..c7074eb6 100644 
--- a/extensions/google-secops/skills/setup-antigravity/mcp_config.template.json +++ b/extensions/google-secops/skills/setup-antigravity/mcp_config.template.json @@ -1,7 +1,7 @@ { "mcpServers": { "remote-secops-investigate": { - "serverUrl": "{{ server_url | default('https://staging-chronicle.sandbox.googleapis.com/mcp') }}", + "serverUrl": "{{ server_url | default('https://chronicle.us.googleapis.com/mcp') }}", "headers": { "Content-Type": "application/json", "x-goog-user-project": "{{ project_id }}", @@ -41,7 +41,7 @@ ] }, "remote-secops-admin": { - "serverUrl": "{{ server_url | default('https://staging-chronicle.sandbox.googleapis.com/mcp') }}", + "serverUrl": "{{ server_url | default('https://chronicle.us.googleapis.com/mcp') }}", "headers": { "Content-Type": "application/json", "x-goog-user-project": "{{ project_id }}", diff --git a/extensions/google-secops/skills/setup-gemini-cli/SKILL.md b/extensions/google-secops/skills/setup-gemini-cli/SKILL.md deleted file mode 100644 index 23ef18ed..00000000 --- a/extensions/google-secops/skills/setup-gemini-cli/SKILL.md +++ /dev/null 
@@ -1,58 +0,0 @@ ---- -name: secops-setup-gemini -description: Helps the user configure the Google SecOps Remote MCP Server for Gemini CLI. Use this when the user asks to "set up" or "configure" the security tools for Gemini CLI. -slash_command: /security:setup-gemini -category: configuration -personas: - - security_engineer ---- - -# Google SecOps Setup Assistant (Gemini CLI) - -You are an expert in configuring the Google SecOps Remote MCP Server for Gemini CLI users. - -## Prerequisite Checks - -1. **Check for `uv`**: The user needs `uv` installed. - * Ask if `uv` is installed. - * If not, guide: `curl -LsSf https://astral.sh/uv/install.sh | sh` - -2. **Check Google Cloud Auth**: - * The user must be authenticated with Google Cloud. - * Ask: "Have you run `gcloud auth application-default login`?" - * If not, instruct: - ```bash - gcloud auth application-default login - gcloud auth application-default set-quota-project - ``` - -3. **Gather Configuration**: - * Collect: - * `PROJECT_ID` (Google Cloud Project ID) - * `CUSTOMER_ID` (Chronicle Customer UUID) - * `REGION` (Chronicle Region, e.g., `us`, `europe-west1`) - -## Configuration Steps - -Guide the user to update their Gemini CLI configuration at `~/.gemini/config.json`. - -Instruct the user to add the following under `mcpServers`: - -```json -"remote-mcp-secops": { - "httpUrl": "https://chronicle.googleapis.com/mcp", - "authProviderType": "google_credentials", - "oauth": { - "scopes": ["https://www.googleapis.com/auth/cloud-platform"] - }, - "timeout": 30000, - "headers": { - "x-goog-user-project": "" - } -} -``` - -## Verification - -After configuration, ask the user to test: -`gemini prompt "list 3 soar cases"` diff --git a/extensions/google-secops/skills/triage/SKILL.md b/extensions/google-secops/skills/triage/SKILL.md index 613a92f3..3b291be3 100644 --- a/extensions/google-secops/skills/triage/SKILL.md +++ b/extensions/google-secops/skills/triage/SKILL.md 
@@ -1,7 +1,7 @@ --- name: secops-triage description: Expert guidance for security alert triage. Use this when the user asks to "triage" an alert or case. -slash_command: /security:triage +slash_command: /secops:triage category: security_operations personas: - tier1_soc_analyst
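Review bot: in `.github/workflows/release-google-secops.yml`, `- uses: actions/checkout@v3` is pinned to a mutable tag while the release step is pinned to a commit (`softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0`); pin checkout to a full SHA as well, since this job runs with `contents: write` and a retagged action would change what executes. In the same hunk, `zip -r ../google-secops.zip google-secops -x "google-secops/TOOL_MAPPING.md"` excludes only TOOL_MAPPING.md, so the new `.env.secops-lab` and `.env.staging` files (project IDs, customer UUIDs and the staging sandbox URL), `rewrite_json_w_env.py` and `endpoint_constants.py` all end up in the published artifact; add `-x "google-secops/.env*"` or zip an explicit allow-list, and treat the `unzip -l` output as something to check for stray files, not just log.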
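Review bot: the new `.gitignore` entry `+extensions/google-secops-staging/.env` names a directory that appears nowhere else in this patch, while the file the extension actually persists and that `rewrite_json_w_env.py` reads, `extensions/google-secops/.env`, is still not ignored (only `extensions/google-secops/skills/setup-antigravity/.env` is). Change the path to `extensions/google-secops/.env` so a populated env file cannot be committed by accident; `.env.example` stays tracked either way.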
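Review bot: `extensions/google-secops/.env.secops-lab` and `extensions/google-secops/.env.staging` check real environment identifiers into the repository (`CUSTOMER_ID=a13f6726-efed-452e-9008-8fe0d3cb0f75`, `PROJECT_ID=secops-ai-staging`, `SERVER_URL=https://staging-chronicle.sandbox.googleapis.com/mcp`). They are not credentials, but tenant UUIDs and an internal staging endpoint do not belong in a public tree or in the release zip, and `.env.example` already documents the shape. Keep them local (gitignored) or, if they must stay, exclude them from the release artifact and say in the docs what they are for.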
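Review bot: in the Custom Commands list added to `docs/google_secops_extension.md` (hunk `@@ -52,35 +58,65 @@`), the entries `/secops:triage `, `/secops:investigate ` and `/secops:hunt ` end in a trailing space with no argument placeholder, so the reader cannot tell what to pass; the matching `commands/secops/*.toml` prompts substitute `{{args}}` for an alert or case id, so show that, e.g. `/secops:triage <ALERT_ID>`. The same list appears in GEMINI.md and needs the same fix.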
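Review bot: GEMINI.md instructs the agent "When using the secops-hosted-mcp MCP Server, use these parameters from the `.env` file ... for EVERY request", but the server this extension registers in `gemini-extension.json` is named `remote-mcp-secops`; `secops-hosted-mcp` was the name used by the setup-gemini-cli skill that this patch deletes, so the instruction will not match the configured server. In the same hunk, the Cross-Compatibility bullet still gives `/security:triage` as the example pattern although the SKILL.md frontmatter is renamed to `/secops:triage`, "`personas`: detailed which security personas" should read "details", and the Known Issues list of REP/MREP URLs duplicates `VALID_REPS`/`VALID_MREPS` in `endpoint_constants.py`; keep one source and link to it. The file is also missing its trailing newline.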
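Review bot: `extensions/google-secops/endpoint_constants.py` defines `VALID_REPS` and `VALID_MREPS` but nothing in this patch imports them, and the GEMINI.md list it mirrors ends in `* ...`, so a hardcoded allow-list will go stale and reject legitimate regions. If the purpose is to validate `SERVER_URL` before it is written into the MCP configuration, add a small checker that accepts the documented shape `https://chronicle.<location>.rep.googleapis.com/mcp` by pattern (hostname suffix plus the `/mcp` path), treats a miss against the known list as a warning rather than a failure, and call it from `rewrite_json_w_env.py`; otherwise drop the file. It also lacks a trailing newline.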
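Review bot: the `settings` block added to `gemini-extension.json` ships a specific tenant as the defaults: `"defaultValue": "secops-demo-env"` for PROJECT_ID and `"defaultValue": "a13f6726-efed-452e-9008-8fe0d3cb0f75"` for CUSTOMER_ID. A user who accepts the prompts during `gemini extensions install` is then pointed at the demo tenant instead of their own; use empty defaults or the `.env.example` placeholders and keep the lab values in `.env.secops-lab`. Two smaller points in the same hunk: the SERVER_URL description is missing punctuation (`"The URL of the remote MCP server See https://..."`), and the `env` block under `remote-mcp-secops` should be checked against the Gemini CLI documentation for `httpUrl` servers; `x-goog-user-project` is already sent via `headers`, and if `env` is only honoured for stdio servers the CUSTOMER_ID and REGION values never reach the remote endpoint, which would explain why GEMINI.md has to tell the agent to pass them on every request. The `disabledTools` list is a sensible least-privilege default; a one-line comment in the docs on why those tools are off would help reviewers of future changes.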
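Review bot: in `rewrite_json_w_env.py`, `key, value = line.split('=', 1)` raises `ValueError` on any non-comment line without `=`, and values are not unquoted, so `SERVER_URL="https://..."` in a `.env` would be written into the JSON with literal quotes; guard with `if '=' not in line: continue` and strip matching quotes. More importantly, the script copies whatever is in `.env` into `defaultValue` of the shipped manifest, which is exactly how tenant-specific defaults end up in `gemini-extension.json`; either document it as a release step that is only ever run against `.env.example`, or make it refuse to write a value that is not a placeholder. The paths `.env` and `gemini-extension.json` are relative to the current directory, so resolve them against `__file__` or state that it must be run from `extensions/google-secops`.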
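Review bot: both hunks of `skills/setup-antigravity/mcp_config.template.json` change the default to `https://chronicle.us.googleapis.com/mcp`, which has no `.rep.` label, while every other place in this patch (`.env.example`, `VALID_MREPS`, the `gemini-extension.json` SERVER_URL default and the GEMINI.md Known Issues list) uses `https://chronicle.us.rep.googleapis.com/mcp`. Unless the non-REP host is intentional, correct both `serverUrl` defaults so the Antigravity setup skill does not point at a different endpoint than the Gemini CLI extension.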
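Review bot: deleting `skills/setup-gemini-cli/SKILL.md` removes the only text that told Gemini CLI users to run `gcloud auth application-default login` and `gcloud auth application-default set-quota-project`; the new `"authProviderType": "google_credentials"` server presumably depends on those Application Default Credentials, but the Prerequisites added to the docs only mention the GUI login. Carry the ADC step into the Prerequisites (or into the extension install notes) so a first-time install does not fail with an unexplained authentication error.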
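Review bot: the `slash_command` renames in `skills/hunt/SKILL.md`, `skills/investigate/SKILL.md` and `skills/triage/SKILL.md` (`/security:*` to `/secops:*`) line up with the new `commands/secops/*.toml` files, but the Cross-Compatibility sections in `docs/google_secops_extension.md` and GEMINI.md still cite `/security:triage`; update them in the same change. On the unchanged context line in hunt/SKILL.md, `"hunt" for threads, IOCs, or specific TTPs` should read "threats".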