Why Use This
This skill gives an agent Tier 2/3 SOC analyst guidance for deep security investigations in Google SecOps, driving the SIEM (UDM search, entity lookup, IOC matches) and SOAR (cases, alerts, comments) tools shipped in the google/mcp-security extensions.
Use Cases
- Investigating a SOAR case, entity, or incident when asked to "investigate" it
- Triaging a suspected malicious file hash for prevalence, execution, network activity, and severity
- Hunting for PsExec/WMI lateral movement and consolidating findings into a report
Install Guide
Install inside Ananke
Click Install Skill, paste the link below, then press Install.
https://github.com/google/mcp-security/tree/main/extensions/google-secops/skills/investigate
Skill Snapshot
Auto scan of skill assets (informational only): SKILL.md is valid and passes the checks against the SKILL.md specification.
Source & Community
Updated At Jan 14, 2026, 09:39 PM
Skill Stats
- SKILL.md: 121 lines
- Total files: 1
- Total size: 5.7 KB
- License: Apache-2.0
---
name: secops-investigate
description: Expert guidance for deep security investigations. Use this when the user asks to "investigate" a case, entity, or incident.
slash_command: /security:investigate
category: security_operations
personas:
- incident_responder
- tier2_soc_analyst
---
# Security Investigator
You are a Tier 2/3 SOC Analyst and Incident Responder. Your goal is to investigate security incidents thoroughly.
## Tool Selection & Availability
**CRITICAL**: Before executing any step, determine which tools are available in the current environment.
1. **Check Availability**: Look for Remote tools (e.g., `list_cases`, `udm_search`) first. If unavailable, use Local tools (e.g., `list_cases`, `search_security_events`).
2. **Reference Mapping**: Use `extensions/google-secops/TOOL_MAPPING.md` to find the correct tool for each capability.
3. **Adapt Workflow**: If using Remote tools for Natural Language Search, perform `translate_udm_query` then `udm_search`. If using Local tools, use `search_security_events` directly.
## Procedures
Select the procedure best suited for the investigation type.
### Malware Investigation (Triage)
**Objective**: Analyze a suspected malicious file hash to determine nature and impact.
**Inputs**: `${FILE_HASH}`, `${CASE_ID}`.
**Steps**:
1. **Context**:
* **Remote**: `get_case` + `list_case_alerts`.
* **Local**: `get_case_full_details`.
2. **SIEM Prevalence**:
* **Remote**: `summarize_entity` (hash).
* **Local**: `lookup_entity` (hash).
3. **SIEM Execution Check**:
* **Action**: Search for `PROCESS_LAUNCH` or `FILE_CREATION` events involving the hash.
* **Query**: `metadata.event_type = "PROCESS_LAUNCH" AND (target.process.file.sha256 = "${FILE_HASH}" OR target.process.file.md5 = "${FILE_HASH}")` for executions, and `metadata.event_type = "FILE_CREATION" AND (target.file.sha256 = "${FILE_HASH}" OR target.file.md5 = "${FILE_HASH}")` for file drops. In a `PROCESS_LAUNCH` event the launched binary's hash is under `target.process.file`, not `target.file`, so a query on `target.file` alone misses executions. UDM string comparisons are case-sensitive: lowercase the hash before substituting it, or append `nocase`.
* **Remote**: `udm_search` (using UDM query).
* **Local**: `search_udm` (using UDM query).
* Identify `${AFFECTED_HOSTS}`.
4. **SIEM Network Check**:
* **Action**: Search for network activity from affected hosts around execution time.
* **Query**: `(metadata.event_type = "NETWORK_CONNECTION" OR metadata.event_type = "NETWORK_DNS" OR metadata.event_type = "NETWORK_HTTP") AND (principal.process.file.sha256 = "${FILE_HASH}" OR principal.process.file.md5 = "${FILE_HASH}")`. This attributes traffic to the sample's own process; if the sample injects into another process, also query `principal.hostname = "<host>"` for each of `${AFFECTED_HOSTS}` in a window around the execution time.
* **Remote**: `udm_search`.
* **Local**: `search_udm`.
* Identify `${NETWORK_IOCS}`.
5. **Enrichment**: **Execute Common Procedure: Enrich IOC** for network IOCs.
6. **Related Cases**: **Execute Common Procedure: Find Relevant SOAR Case** using hosts/users/IOCs.
7. **Synthesize**: Assess severity using the matrix below.
**Severity Assessment Matrix:**
| Factor | Low | Medium | High | Critical |
|---|---|---|---|---|
| **Execution** | Not executed | Downloaded only | Executed | Active C2/Spread |
| **Spread** | Single host | 2-5 hosts | 6-20 hosts | > 20 hosts |
| **Network IOCs** | None observed | Benign | Suspicious | Known Malicious |
| **Data at Risk** | None | Low value | PII/Creds | Critical Systems |
8. **Document**: **Execute Common Procedure: Document in SOAR**.
9. **Report**: Optionally **Execute Common Procedure: Generate Report File**.
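The execution check, network check and severity matrix above, run end to end over a handful of UDM-shaped events. This is an added example for this page, not code from google/mcp-security: it assumes SIEM results arrive as JSON-decoded dicts laid out like UDM (what a `udm_search` or `search_udm` call returns), the events are constructed, and the rule that the overall severity is the highest-rated factor is an assumption, since the matrix does not say how to combine rows. The IOC and data-at-risk verdicts come from enrichment and the analyst, so they are inputs.

```python
"""Malware triage steps 3-7 over UDM-shaped events: hash -> hosts -> network IOCs -> severity.
Added example for this page, not code from google/mcp-security. Assumes SIEM results are
JSON-decoded dicts in UDM field layout; the events below are constructed, not real telemetry.
"""
LEVELS = ["Low", "Medium", "High", "Critical"]
FILE_HASH = "a" * 64  # constructed sample sha256; a real run substitutes the case's ${FILE_HASH}

# Where UDM keeps the hash: target.process.file for PROCESS_LAUNCH, target.file for
# FILE_CREATION, principal.process.file (the initiating process) for network events.
EXEC_PATHS = ("target.process.file.sha256", "target.process.file.md5")
DROP_PATHS = ("target.file.sha256", "target.file.md5")
NET_PATHS = ("principal.process.file.sha256", "principal.process.file.md5")

EVENTS = [  # constructed sample events
    {"metadata": {"event_type": "FILE_CREATION"}, "principal": {"hostname": "ws-01"},
     "target": {"file": {"sha256": FILE_HASH, "full_path": "C:\\Users\\bob\\Downloads\\invoice.exe"}}},
    {"metadata": {"event_type": "PROCESS_LAUNCH"}, "principal": {"hostname": "ws-01"},
     "target": {"process": {"file": {"sha256": FILE_HASH, "full_path": "C:\\Users\\bob\\Downloads\\invoice.exe"}}}},
    {"metadata": {"event_type": "PROCESS_LAUNCH"}, "principal": {"hostname": "ws-07"},  # upper-case hash from another source
     "target": {"process": {"file": {"sha256": FILE_HASH.upper(), "full_path": "C:\\Temp\\invoice.exe"}}}},
    {"metadata": {"event_type": "NETWORK_CONNECTION"},
     "principal": {"hostname": "ws-01", "process": {"file": {"sha256": FILE_HASH}}},
     "target": {"ip": "203.0.113.10", "port": 443}},
    {"metadata": {"event_type": "NETWORK_DNS"},
     "principal": {"hostname": "ws-07", "process": {"file": {"sha256": FILE_HASH}}},
     "network": {"dns": {"questions": [{"name": "update.example.net"}]}}},
    {"metadata": {"event_type": "NETWORK_CONNECTION"},  # a different process on ws-01: must not be attributed
     "principal": {"hostname": "ws-01", "process": {"file": {"sha256": "b" * 64}}},
     "target": {"ip": "198.51.100.5", "port": 443}},
]

def dig(event, path):
    """Walk a dotted UDM path; None if any segment is missing."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur

def matches_hash(event, paths, file_hash):
    """Case-insensitive compare: UDM string matches are case-sensitive and hash casing varies by source."""
    wanted = file_hash.lower()
    return any(str(dig(event, p) or "").lower() == wanted for p in paths)

def execution_check(events, file_hash):
    """Step 3: did the hash execute or land on disk, and on which hosts (${AFFECTED_HOSTS})?"""
    executed, dropped, hosts = False, False, set()
    for ev in events:
        etype = dig(ev, "metadata.event_type")
        if etype == "PROCESS_LAUNCH" and matches_hash(ev, EXEC_PATHS, file_hash):
            executed = True
            hosts.add(dig(ev, "principal.hostname"))
        elif etype == "FILE_CREATION" and matches_hash(ev, DROP_PATHS, file_hash):
            dropped = True
            hosts.add(dig(ev, "principal.hostname"))
    return {"executed": executed, "dropped": dropped, "affected_hosts": sorted(h for h in hosts if h)}

def network_check(events, file_hash):
    """Step 4: destinations and DNS names produced by the process with this hash (${NETWORK_IOCS})."""
    iocs = set()
    for ev in events:
        if not matches_hash(ev, NET_PATHS, file_hash):
            continue  # traffic from some other process on the host: not attributable to the sample
        etype = dig(ev, "metadata.event_type")
        if etype == "NETWORK_CONNECTION" and dig(ev, "target.ip"):
            iocs.add(dig(ev, "target.ip"))
        elif etype == "NETWORK_DNS":
            iocs.update(q["name"] for q in dig(ev, "network.dns.questions") or [] if q.get("name"))
    return sorted(iocs)

def spread_level(host_count):
    """Spread row with non-overlapping bands: 1 / 2-5 / 6-20 / more than 20 hosts."""
    return "Low" if host_count <= 1 else "Medium" if host_count <= 5 else "High" if host_count <= 20 else "Critical"

# Verdicts for the remaining rows come from Enrich IOC and the analyst, so they are inputs here.
IOC_LEVEL = {"none": "Low", "benign": "Medium", "suspicious": "High", "known_malicious": "Critical"}
DATA_LEVEL = {"none": "Low", "low_value": "Medium", "pii_creds": "High", "critical_systems": "Critical"}

def assess_severity(events, file_hash, ioc_verdict, data_at_risk, active_c2=False):
    """Step 7: rate each matrix factor; overall = highest factor (assumed rule, the page states none)."""
    execution = execution_check(events, file_hash)
    exec_level = ("Critical" if active_c2 else "High" if execution["executed"]
                  else "Medium" if execution["dropped"] else "Low")
    factors = {"Execution": exec_level,
               "Spread": spread_level(len(execution["affected_hosts"])),
               "Network IOCs": IOC_LEVEL[ioc_verdict],
               "Data at Risk": DATA_LEVEL[data_at_risk]}
    overall = max(factors.values(), key=LEVELS.index)
    return {"factors": factors, "overall": overall,
            "driven_by": [f for f, lvl in factors.items() if lvl == overall],
            "affected_hosts": execution["affected_hosts"],
            "network_iocs": network_check(events, file_hash)}
```

Running `assess_severity(EVENTS, FILE_HASH, "suspicious", "pii_creds")` rates the sample High, driven by Execution, Network IOCs and Data at Risk, with two affected hosts (Medium spread) and two network IOCs; the connection from the unrelated process on ws-01 is ignored because the hash is compared on `principal.process.file`, not on the host alone.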
### Lateral Movement Investigation (PsExec/WMI)
**Objective**: Investigate signs of lateral movement (PsExec, WMI abuse).
**Inputs**: `${TIME_FRAME_HOURS}`, `${TARGET_SCOPE}`.
**Steps**:
1. **Technique Research**: Review MITRE ATT&CK techniques T1021.002 (SMB/Windows Admin Shares) and T1047 (WMI); PsExec's service-based execution on the target also maps to T1569.002 (System Services: Service Execution).
2. **SIEM Queries**:
* **PsExec Service Installation** (victim side; PsExec's `-r` flag renames the service, so also review any newly installed service whose binary sits in `C:\Windows` under an unfamiliar name):
* `metadata.product_event_type = "ServiceInstalled" AND target.process.file.full_path CONTAINS "PSEXESVC.exe"`
* **PsExec Execution** (victim side; on the source host the equivalent is `psexec.exe` / `psexec64.exe` in `target.process.file.full_path`):
* `metadata.event_type = "PROCESS_LAUNCH" AND target.process.file.full_path CONTAINS "PSEXESVC.exe"`
* **WMI Process Creation** (in a `PROCESS_LAUNCH` event `principal.process` is the parent and `target.process` the child; `full_path` is a full path, so a bare filename never equals it):
* `metadata.event_type = "PROCESS_LAUNCH" AND principal.process.file.full_path = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" AND (target.process.file.full_path CONTAINS "cmd.exe" OR target.process.file.full_path CONTAINS "powershell.exe")`
* **WMI Remote Execution** (source side; the launched process's command line is `target.process.command_line`, and the `/node:` value names the victim):
* `metadata.event_type = "PROCESS_LAUNCH" AND target.process.command_line CONTAINS "wmic" AND target.process.command_line CONTAINS "/node:" AND target.process.command_line CONTAINS "process call create"`
3. **Execute**:
* **Remote**: `udm_search`.
* **Local**: `search_udm`.
4. **Correlate**: PsExec rides SMB, so look for a `NETWORK_CONNECTION` with `target.port = 445` from the suspected source to the victim in the minutes before the service install or `PSEXESVC.exe` launch. WMI/DCOM uses the RPC endpoint mapper (TCP 135) plus a dynamic high port, so corroborate WMI hits on port 135 rather than 445.
5. **Enrich**: **Execute Common Procedure: Enrich IOC** for involved IPs/Hosts.
6. **Document**: **Execute Common Procedure: Document in SOAR**.
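The four queries and the correlation step above, as detection logic over constructed events. This is an added example for this page, not code from google/mcp-security: it assumes UDM-shaped dicts with ISO `metadata.event_timestamp` values, correlates PsExec hits on port 445 as the page says and, as an extension, WMI hits on port 135, and treats the `/node:` argument of a `wmic` command line as the victim host.

```python
"""PsExec/WMI lateral-movement detection and network correlation over UDM-shaped events.
Added example for this page, not code from google/mcp-security. Events are constructed;
field paths follow UDM (principal = actor/parent, target = acted-on/child).
"""
import re
from datetime import datetime, timedelta

def mk(when, etype, principal, target=None, product_event_type=None):
    """Build a minimal UDM-shaped event (constructed sample data only)."""
    md = {"event_type": etype, "event_timestamp": when}
    if product_event_type:
        md["product_event_type"] = product_event_type
    return {"metadata": md, "principal": principal, "target": target or {}}

T = "2026-01-14T{}+00:00"
EVENTS = [  # constructed: jump-01 PsExecs into srv-02, then WMIs into srv-03; ws-09 is noise
    mk(T.format("09:59:58"), "NETWORK_CONNECTION", {"hostname": "jump-01", "ip": "10.0.0.5"},
       {"hostname": "srv-02", "port": 445}),
    mk(T.format("10:00:03"), "SERVICE_CREATION", {"hostname": "srv-02"},
       {"process": {"file": {"full_path": "C:\\Windows\\PSEXESVC.exe"}}}, product_event_type="ServiceInstalled"),
    mk(T.format("10:00:04"), "PROCESS_LAUNCH",
       {"hostname": "srv-02", "process": {"file": {"full_path": "C:\\Windows\\System32\\services.exe"}}},
       {"process": {"file": {"full_path": "C:\\Windows\\PSEXESVC.exe"}}}),
    mk(T.format("10:07:00"), "NETWORK_CONNECTION", {"hostname": "jump-01", "ip": "10.0.0.5"},
       {"hostname": "srv-03", "port": 135}),
    mk(T.format("10:07:02"), "PROCESS_LAUNCH",
       {"hostname": "jump-01", "process": {"file": {"full_path": "C:\\Windows\\System32\\cmd.exe"}}},
       {"process": {"file": {"full_path": "C:\\Windows\\System32\\wbem\\wmic.exe"},
                    "command_line": 'wmic /node:srv-03 process call create "cmd.exe /c whoami"'}}),
    mk(T.format("10:07:03"), "PROCESS_LAUNCH",
       {"hostname": "srv-03", "process": {"file": {"full_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"}}},
       {"process": {"file": {"full_path": "C:\\Windows\\System32\\cmd.exe"}, "command_line": "cmd.exe /c whoami"}}),
    mk(T.format("10:30:00"), "NETWORK_CONNECTION", {"hostname": "ws-09"}, {"hostname": "srv-02", "port": 445}),
    mk(T.format("11:30:00"), "PROCESS_LAUNCH",
       {"hostname": "ws-09", "process": {"file": {"full_path": "C:\\Windows\\explorer.exe"}}},
       {"process": {"file": {"full_path": "C:\\Windows\\System32\\cmd.exe"}}}),
]

def dig(ev, path):
    """Walk a dotted UDM path; None if any segment is missing."""
    cur = ev
    for key in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur

def ts(ev):
    return datetime.fromisoformat(dig(ev, "metadata.event_timestamp"))

WMIC_NODE = re.compile(r'/node:"?([^\s"]+)')  # /node:host or /node:"host"

def classify(ev):
    """Apply the page's four queries to one event; returns (technique, victim host, ports to corroborate) or None."""
    etype = dig(ev, "metadata.event_type")
    host = dig(ev, "principal.hostname")
    tpath = (dig(ev, "target.process.file.full_path") or "").lower()
    ppath = (dig(ev, "principal.process.file.full_path") or "").lower()
    cmd = (dig(ev, "target.process.command_line") or "").lower()  # the launched process's command line
    if dig(ev, "metadata.product_event_type") == "ServiceInstalled" and "psexesvc.exe" in tpath:
        return ("psexec_service_install", host, {445})
    if etype != "PROCESS_LAUNCH":
        return None
    if "psexesvc.exe" in tpath:
        return ("psexec_execution", host, {445})
    if ppath.endswith("\\wbem\\wmiprvse.exe") and tpath.endswith(("\\cmd.exe", "\\powershell.exe")):
        return ("wmi_process_creation", host, {135})
    node = WMIC_NODE.search(cmd)
    if node and "wmic" in cmd and "process call create" in cmd:
        return ("wmi_remote_execution", node.group(1), {135})  # victim is the /node: target, not this host
    return None

def correlate(events, window=timedelta(minutes=5)):
    """Step 4: for each hit, hosts that connected to the victim on the expected port in the window before it."""
    conns = [e for e in events if dig(e, "metadata.event_type") == "NETWORK_CONNECTION"]
    findings = []
    for ev in events:
        hit = classify(ev)
        if not hit:
            continue
        technique, victim, ports = hit
        t = ts(ev)
        sources = sorted({dig(c, "principal.hostname") or dig(c, "principal.ip") for c in conns
                          if dig(c, "target.hostname") == victim and dig(c, "target.port") in ports
                          and t - window <= ts(c) <= t})
        findings.append({"technique": technique, "victim": victim, "observed_on": dig(ev, "principal.hostname"),
                         "time": t.isoformat(), "sources": sources})
    return findings
```

`correlate(EVENTS)` yields four findings, all traced back to jump-01; the later SMB connection from ws-09 to srv-02 falls outside the five-minute window before the PsExec events and is not reported, and the explorer.exe-spawned cmd.exe on ws-09 produces no hit at all.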
### Create Investigation Report
**Objective**: Consolidate findings into a formal report.
**Inputs**: `${CASE_ID}`.
**Steps**:
1. **Gather Context**:
* **Remote**: `get_case` + `list_case_comments`.
* **Local**: `get_case_full_details`.
* Identify key entities.
2. **Synthesize**: Combine findings from SIEM, IOC matches, and case history.
3. **Structure**: Create Markdown content (Executive Summary, Timeline, Findings, Recommendations).
4. **Diagram**: Generate a Mermaid sequence diagram of the investigation.
5. **Redaction**: **CRITICAL**: Redact PII and secrets (personal email addresses, credentials, tokens, API keys) before writing, but keep IOCs such as IPs, domains and hashes, which are the evidence. Re-scan the redacted text and do not write the file if anything remains.
6. **Generate File**: **Execute Common Procedure: Generate Report File**.
7. **Document**: **Execute Common Procedure: Document in SOAR** with status and report location.
## Common Procedures
### Enrich IOC (SIEM Prevalence)
**Steps**:
1. **SIEM Summary**: `summarize_entity` (Remote) or `lookup_entity` (Local).
2. **IOC Match**: `get_ioc_match` (Remote) or `get_ioc_matches` (Local).
3. Return combined findings.
### Find Relevant SOAR Case
**Steps**:
1. **Search**: `list_cases` with filters for entity values.
2. Return list of `${RELEVANT_CASE_IDS}`.
### Document in SOAR
**Steps**:
1. **Post**: `create_case_comment` (Remote) or `post_case_comment` (Local).
### Generate Report File
**Tool**: `write_file` (Agent Capability)
**Steps**:
1. Construct filename: `reports/${REPORT_TYPE}_${SUFFIX}_${TIMESTAMP}.md`. `${SUFFIX}` is usually the case ID or another user-supplied value; restrict it to `[A-Za-z0-9_-]` before use so a value containing `../` cannot place the file outside `reports/`.
2. Write content to file using `write_file`.
3. Return path.
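The Create Investigation Report and Generate Report File procedures together: build the Markdown sections, redact PII and secrets while keeping IOCs, refuse to write if anything survives the redaction, and derive the `reports/${REPORT_TYPE}_${SUFFIX}_${TIMESTAMP}.md` name from a validated suffix. This is an added example for this page, not code from google/mcp-security: `Path.write_text` stands in for the agent's `write_file` capability, the regexes are a starting set rather than a complete PII catalogue, and the case content in `demo()` is constructed.

```python
"""Investigation report: build, redact, verify, and write under a safe filename.
Added example for this page, not code from google/mcp-security. Path.write_text stands in
for the agent's write_file capability; the case data in demo() is constructed.
"""
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# ${REPORT_TYPE} and ${SUFFIX} can come from case IDs or user input: allow only a tame character set.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")

# PII/secret patterns (a starting set). IOCs such as IPs, domains and hashes are evidence and are kept.
REDACTIONS = [
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[REDACTED_EMAIL]"),
    (re.compile(r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)\s*[=:]\s*(?!\[REDACTED\])\S+"),
     r"\1=[REDACTED]"),
    (re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]+"), "Bearer [REDACTED]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[REDACTED_SSN]"),
]

def is_safe_name(part):
    return bool(SAFE_NAME.match(part))

def redact(text):
    """Step 5: replace PII/secrets; the placeholders are built so they do not re-match."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text

def residual_secrets(text):
    """Post-redaction check: anything still matching means the file must not be written."""
    return [m.group(0) for pattern, _ in REDACTIONS for m in pattern.finditer(text)]

def build_report(case_id, summary, timeline, findings, recommendations):
    """Step 3: the four Markdown sections the procedure asks for."""
    lines = [f"# Investigation Report: Case {case_id}", "", "## Executive Summary", summary, "", "## Timeline"]
    lines += [f"- {when}: {what}" for when, what in timeline]
    lines += ["", "## Findings"] + [f"- {f}" for f in findings]
    lines += ["", "## Recommendations"] + [f"- {r}" for r in recommendations]
    return "\n".join(lines) + "\n"

def report_path(report_type, suffix, base="reports", now=None):
    """reports/${REPORT_TYPE}_${SUFFIX}_${TIMESTAMP}.md, after validating both user-influenced parts."""
    for part in (report_type, suffix):
        if not is_safe_name(part):
            raise ValueError(f"unsafe report name component: {part!r}")
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    return Path(base) / f"{report_type}_{suffix}_{stamp}.md"

def generate_report_file(report_type, case_id, content, base="reports", now=None):
    """Redact, verify nothing remains, then write; returns the path (Generate Report File)."""
    clean = redact(content)
    leftovers = residual_secrets(clean)
    if leftovers:
        raise RuntimeError(f"refusing to write report; unredacted material remains: {leftovers}")
    path = report_path(report_type, case_id, base, now)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(clean, encoding="utf-8")  # stands in for write_file
    return path

def demo():
    """Constructed case: builds, redacts and writes a report into a temp directory; returns (path, text)."""
    report = build_report(
        "CASE-1234",
        "invoice.exe executed on ws-01 and ws-07; outbound C2 to 203.0.113.10 rated suspicious.",
        [("2026-01-14T10:00Z", "bob@example.com opened invoice.exe"),
         ("2026-01-14T10:02Z", "connection to 203.0.113.10:443")],
        ["Credential recovered from memory dump: password=Summer2026!", "Sample sha256 " + "a" * 64],
        ["Isolate ws-01 and ws-07", "Rotate the recovered credential"],
    )
    path = generate_report_file("malware", "CASE-1234", report, base=tempfile.mkdtemp())
    return path, path.read_text(encoding="utf-8")
```

In `demo()` the analyst's email and the recovered password are replaced, while the C2 address and the sample hash survive, and a case ID such as `../../etc/cron.d/x` is rejected by `report_path` before any file is touched. The secret pattern is deliberately broad (it will also catch prose like "token: the attacker ..."), which is the right failure direction for a document that leaves the SOAR.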