This repository contains the Google SecOps Extension, providing specialized skills and tools for security operations.
This is not an officially supported Google product.
This project is not eligible for the Google Open Source Software Vulnerability Rewards Program.
This extension packages setup and key security workflows into skills.
Crucially, it automatically configures the Google Cloud Remote MCP Server for SecOps. This means:
- No Local Tools: You don't need to install or manage local Python environments for standard tools.
- Enterprise Ready: Connects directly to Google's managed infrastructure for SecOps.
- Adaptive: While it defaults to the Remote server, it can fall back to local tools if needed.
- Install Gemini CLI (Preview):

  ```bash
  npm install -g @google/gemini-cli@preview
  ```

- Google Cloud Authentication: Ensure you are authenticated with Google Cloud and have set a quota project:

  ```bash
  gcloud auth application-default login
  gcloud auth application-default set-quota-project <YOUR_PROJECT_ID>
  ```

- Enable MCP Service: You must enable the Chronicle MCP service in your Google Cloud project:

  ```bash
  gcloud beta services mcp enable chronicle.googleapis.com/mcp --project=<YOUR_PROJECT_ID>
  ```

- GUI Login Requirement: You MUST have logged into the Google SecOps GUI at least once before using the API/MCP server.

- Enable Skills: Ensure your `~/.gemini/settings.json` has `experimental.skills` enabled:

  ```json
  {
    "security": {
      "auth": {
        "selectedType": "gemini-api-key"
      }
    },
    "general": {
      "previewFeatures": true
    },
    "experimental": {
      "skills": true,
      "extensionConfig": true
    }
  }
  ```
You can install this extension directly without cloning:

```bash
gemini extensions install github:dandye/secops-gemini-extension
```

Alternatively, clone the repository and install from the local checkout:

- Clone the repository:

  ```bash
  git clone https://github.com/dandye/secops-gemini-extension.git
  cd secops-gemini-extension
  ```

- Install the extension:

  ```bash
  gemini extensions install .
  ```

- Update:

  ```bash
  gemini extensions update google-secops
  ```

- Uninstall:

  ```bash
  gemini extensions uninstall google-secops
  ```
During installation, you will be prompted for several parameters:

- `PROJECT_ID`: Your Google Cloud Project ID.
- `CUSTOMER_ID`: Your Chronicle Customer UUID.
- `REGION`: Your Chronicle Region (e.g., `us`, `europe-west1`).
- `SERVER_URL`: The regional MCP endpoint (e.g., `https://chronicle.us.rep.googleapis.com/mcp`).

Note: These values are persisted in `~/.gemini/extensions/google-secops/.env`. You can edit this file at any time to update your configuration.
Run the following command to ensure the skills are loaded:

```
/skills list
```

You should see `secops-setup-antigravity`, `secops-triage`, etc., in the list.
- Setup Assistant (`secops-setup-antigravity`)
  - Trigger: "Help me set up Antigravity", "Configure Antigravity for SecOps"
  - Function: Helps configure Antigravity to also use the Remote MCP Server.
- Alert Triage (`secops-triage`)
  - Trigger: "Triage alert [ID]", "Analyze case [ID]"
  - Function: Orchestrates a Tier 1 triage workflow (deduplication, enrichment, classification).
- Investigation (`secops-investigate`)
  - Trigger: "Investigate case [ID]", "Deep dive on [Entity]"
  - Function: Guides deep-dive investigations using specialized runbooks.
- Threat Hunting (`secops-hunt`)
  - Trigger: "Hunt for [Threat]", "Search for TTP [ID]"
  - Function: Assists in proactive threat hunting by generating hypotheses and constructing complex UDM queries.
- Cases (`secops-cases`)
  - Trigger: "List cases", "Show recent cases", "/secops:cases"
  - Function: Lists recent SOAR cases to verify connectivity.
Use these shortcuts for common tasks:

```
/secops:triage <ALERT_ID>
/secops:investigate <CASE_ID>
/secops:hunt <THREAT>
/secops:cases
```
- Regional Endpoints: If the `SERVER_URL` requires regionalization, ensure you use the correct endpoint from the official documentation.

  Known-good values for Regional Endpoints (REP):

  - `https://chronicle.us-east1.rep.googleapis.com/mcp`
  - `https://chronicle.europe-west1.rep.googleapis.com/mcp`
  - `https://chronicle.us.rep.googleapis.com/mcp` (Multi-Regional)
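The installer persists `PROJECT_ID`, `CUSTOMER_ID`, `REGION` and `SERVER_URL` in the extension's `.env`, and the skills need `experimental.skills` in `settings.json`; a mismatch between `REGION` and the region embedded in `SERVER_URL`, or a typo in the endpoint, is the usual reason the Remote MCP Server does not answer. The following pre-flight check is an added example and not part of this extension: it reads both files and reports such problems before you run a skill. The `KEY=VALUE` layout of the `.env` file and the check rules are assumptions made for this example; the endpoint list is the known-good REP list from this README.

```python
"""Pre-flight check for the Google SecOps extension configuration.

Added example, not code from the extension: it reads the values the installer
persists in ~/.gemini/extensions/google-secops/.env and the flags in
~/.gemini/settings.json, and reports anything that would stop the Remote MCP
Server from being used. The KEY=VALUE .env format and the check rules are
assumptions made for this example.
"""
import json
import re
import uuid
from pathlib import Path

# Known-good Regional Endpoints (REP) as listed in this README.
KNOWN_REP_ENDPOINTS = {
    "https://chronicle.us-east1.rep.googleapis.com/mcp",
    "https://chronicle.europe-west1.rep.googleapis.com/mcp",
    "https://chronicle.us.rep.googleapis.com/mcp",
}
# Extracts the region component of a REP endpoint, e.g. "us-east1" or "us".
_ENDPOINT_RE = re.compile(
    r"^https://chronicle\.(?P<region>[a-z0-9-]+)\.rep\.googleapis\.com/mcp$"
)
REQUIRED_KEYS = ("PROJECT_ID", "CUSTOMER_ID", "REGION", "SERVER_URL")


def parse_env(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines (assumed format); skips blanks and '#' comments, strips quotes."""
    values: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("\"'")
    return values


def check_env(env: dict[str, str]) -> list[str]:
    """Return the problems found in the .env values; an empty list means it looks good."""
    problems = [f"{k} is missing or empty" for k in REQUIRED_KEYS if not env.get(k)]
    customer_id = env.get("CUSTOMER_ID", "")
    if customer_id:
        try:
            uuid.UUID(customer_id)  # CUSTOMER_ID must be the Chronicle customer UUID
        except ValueError:
            problems.append("CUSTOMER_ID is not a valid UUID")
    server_url = env.get("SERVER_URL", "")
    region = env.get("REGION", "")
    if server_url:
        if server_url not in KNOWN_REP_ENDPOINTS:
            problems.append(f"SERVER_URL {server_url} is not in the known-good REP list")
        match = _ENDPOINT_RE.match(server_url)
        if match and region and match.group("region") != region:
            problems.append(
                f"REGION {region} does not match the SERVER_URL region {match.group('region')}"
            )
    return problems


def check_settings(settings: dict) -> list[str]:
    """Return the settings.json flags the skills need that are not set to true."""
    problems = []
    for section, flag in (("experimental", "skills"), ("general", "previewFeatures")):
        block = settings.get(section)
        if not isinstance(block, dict) or block.get(flag) is not True:
            problems.append(f"{section}.{flag} is not true in settings.json")
    return problems


def preflight(env_path: Path, settings_path: Path) -> list[str]:
    """Run both checks against files on disk; a missing file is itself a problem."""
    problems = []
    if env_path.is_file():
        problems += check_env(parse_env(env_path.read_text()))
    else:
        problems.append(f"{env_path} not found (has the extension been installed?)")
    if settings_path.is_file():
        problems += check_settings(json.loads(settings_path.read_text()))
    else:
        problems.append(f"{settings_path} not found")
    return problems


# Constructed sample inputs used to exercise the checks offline.
SAMPLE_ENV_OK = """# constructed sample
PROJECT_ID=example-project
CUSTOMER_ID=123e4567-e89b-12d3-a456-426614174000
REGION=us
SERVER_URL=https://chronicle.us.rep.googleapis.com/mcp
"""
SAMPLE_ENV_BAD = """# constructed sample with two mistakes
PROJECT_ID=example-project
CUSTOMER_ID=not-a-uuid
REGION=europe-west1
SERVER_URL=https://chronicle.us.rep.googleapis.com/mcp
"""

if __name__ == "__main__":
    home = Path.home()
    for problem in preflight(
        home / ".gemini" / "extensions" / "google-secops" / ".env",
        home / ".gemini" / "settings.json",
    ):
        print("PROBLEM:", problem)
```

Run it after installation; no output means both files passed. If you add a region that the README does not list, extend `KNOWN_REP_ENDPOINTS` with the endpoint taken from the official documentation rather than loosening the check.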