From 2acdb567803299ccbbe3e09af37decfbb26df284 Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Wed, 30 Jul 2025 21:46:50 -0400 Subject: [PATCH 01/16] demo 1st slash command --- .gemini/commands/secops.toml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 .gemini/commands/secops.toml diff --git a/.gemini/commands/secops.toml b/.gemini/commands/secops.toml new file mode 100644 index 00000000..62578d9c --- /dev/null +++ b/.gemini/commands/secops.toml @@ -0,0 +1,13 @@ +description = "Implement slash command to call MCP Tools" +prompt = """ +You are implementing /slash-commands to call the available MCP Tools +""" + +# SecOps entity_lookup +[[subCommands]] +name = "entity-lookup" +description = "Call the SecOps MCP Server's entity_lookup MCP Tool" +prompt = "Call the entity_lookup tool with: `entity_lookup(entity_value={{entity-value}})`" + [[subCommands.args]] + name = "entity-value" + required = true From 5923d4b8cfd7c4187937b09ab67c77aabeac9c23 Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Wed, 30 Jul 2025 22:02:37 -0400 Subject: [PATCH 02/16] implement /secops custom slash commands --- .gemini/commands/secops.toml | 189 +++++++++++++++++++++++++++++++++++ 1 file changed, 189 insertions(+) diff --git a/.gemini/commands/secops.toml b/.gemini/commands/secops.toml index 62578d9c..ce1db2ab 100644 --- a/.gemini/commands/secops.toml +++ b/.gemini/commands/secops.toml @@ -11,3 +11,192 @@ prompt = "Call the entity_lookup tool with: `entity_lookup(entity_value={{entity [[subCommands.args]] name = "entity-value" required = true + +# SecOps get_ioc_matches +[[subCommands]] +name = "ioc-matches" +description = "Call the SecOps MCP Server's get_ioc_matches MCP Tool" +prompt = "Call the get_ioc_matches tool with: `get_ioc_matches(hours_back={{hours-back}}, max_matches={{max-matches}})`" + [[subCommands.args]] + name = "hours-back" + required = false + default = "24" + [[subCommands.args]] + name = "max-matches" + required = false + default = "20" + +# SecOps search_security_events +[[subCommands]] +name = "search-events" +description = "Call the SecOps MCP Server's search_security_events MCP Tool" +prompt = "Call the search_security_events tool with: `search_security_events(text={{query}}, hours_back={{hours-back}}, max_events={{max-events}})`" + [[subCommands.args]] + name = "query" + required = true + description = "Natural language query to search for events" + [[subCommands.args]] + name = "hours-back" + required = false + default = "24" + [[subCommands.args]] + name = "max-events" + required = false + default = "100" + +# SecOps get_security_alerts +[[subCommands]] +name = "get-alerts" +description = "Call the SecOps MCP Server's get_security_alerts MCP Tool" +prompt = "Call the get_security_alerts tool with: `get_security_alerts(hours_back={{hours-back}}, max_alerts={{max-alerts}}, status_filter={{status-filter}})`" + [[subCommands.args]] + name = "hours-back" + required = false + default = "24" + [[subCommands.args]] + name = "max-alerts" + required = false + default = "10" + [[subCommands.args]] + name = "status-filter" + required = false + default = "feedback_summary.status != \"CLOSED\"" + +# SecOps get_security_alert_by_id +[[subCommands]] +name = "get-alert" +description = "Call the SecOps MCP Server's get_security_alert_by_id MCP Tool" +prompt = "Call the get_security_alert_by_id tool with: `get_security_alert_by_id(alert_id={{alert-id}}, include_detections={{include-detections}})`" + [[subCommands.args]] + name = "alert-id" + required = true + description = "The unique ID of the alert to retrieve" + [[subCommands.args]] + name = "include-detections" + required = false + default = "true" + +# SecOps do_update_security_alert +[[subCommands]] +name = "update-alert" +description = "Call the SecOps MCP Server's do_update_security_alert MCP Tool" +prompt = "Call the do_update_security_alert tool with: `do_update_security_alert(alert_id={{alert-id}}, reason={{reason}}, priority={{priority}}, status={{status}}, verdict={{verdict}}, severity={{severity}}, comment={{comment}}, root_cause={{root-cause}})`" + [[subCommands.args]] + name = "alert-id" + required = true + description = "The unique ID of the alert to update" + [[subCommands.args]] + name = "reason" + required = false + [[subCommands.args]] + name = "priority" + required = false + [[subCommands.args]] + name = "status" + required = false + [[subCommands.args]] + name = "verdict" + required = false + [[subCommands.args]] + name = "severity" + required = false + [[subCommands.args]] + name = "comment" + required = false + [[subCommands.args]] + name = "root-cause" + required = false + +# SecOps list_security_rules +[[subCommands]] +name = "list-rules" +description = "Call the SecOps MCP Server's list_security_rules MCP Tool" +prompt = "Call the list_security_rules tool with: `list_security_rules()`" + +# SecOps search_security_rules +[[subCommands]] +name = "search-rules" +description = "Call the SecOps MCP Server's search_security_rules MCP Tool" +prompt = "Call the search_security_rules tool with: `search_security_rules(query={{query}})`" + [[subCommands.args]] + name = "query" + required = true + description = "Regex string to search for in rules" + +# SecOps get_rule_detections +[[subCommands]] +name = "get-detections" +description = "Call the SecOps MCP Server's get_rule_detections MCP Tool" +prompt = "Call the get_rule_detections tool with: `get_rule_detections(rule_id={{rule-id}}, alert_state={{alert-state}}, page_size={{page-size}}, page_token={{page-token}})`" + [[subCommands.args]] + name = "rule-id" + required = true + description = "Unique ID of the rule to get detections for" + [[subCommands.args]] + name = "alert-state" + required = false + description = "Filter by alert state (UNSPECIFIED, NOT_ALERTING, ALERTING)" + [[subCommands.args]] + name = "page-size" + required = false + [[subCommands.args]] + name = "page-token" + required = false + +# SecOps list_rule_errors +[[subCommands]] +name = "list-errors" +description = "Call the SecOps MCP Server's list_rule_errors MCP Tool" +prompt = "Call the list_rule_errors tool with: `list_rule_errors(rule_id={{rule-id}})`" + [[subCommands.args]] + name = "rule-id" + required = true + description = "Unique ID of the rule to list errors for" + +# SecOps create_rule +[[subCommands]] +name = "create-rule" +description = "Call the SecOps MCP Server's create_rule MCP Tool" +prompt = "Call the create_rule tool with: `create_rule(rule_text={{rule-text}})`" + [[subCommands.args]] + name = "rule-text" + required = true + description = "Complete YARA-L 2.0 rule definition" + +# SecOps test_rule +[[subCommands]] +name = "test-rule" +description = "Call the SecOps MCP Server's test_rule MCP Tool" +prompt = "Call the test_rule tool with: `test_rule(rule_text={{rule-text}}, hours_back={{hours-back}}, max_results={{max-results}})`" + [[subCommands.args]] + name = "rule-text" + required = true + description = "Complete YARA-L 2.0 rule definition to test" + [[subCommands.args]] + name = "hours-back" + required = false + default = "168" + [[subCommands.args]] + name = "max-results" + required = false + default = "100" + +# SecOps validate_rule +[[subCommands]] +name = "validate-rule" +description = "Call the SecOps MCP Server's validate_rule MCP Tool" +prompt = "Call the validate_rule tool with: `validate_rule(rule_text={{rule-text}})`" + [[subCommands.args]] + name = "rule-text" + required = true + description = "Complete YARA-L 2.0 rule definition to validate" + +# SecOps get_threat_intel +[[subCommands]] +name = "threat-intel" +description = "Call the SecOps MCP Server's get_threat_intel MCP Tool" +prompt = "Call the get_threat_intel tool with: `get_threat_intel(query={{query}})`" + [[subCommands.args]] + name = "query" + required = true + description = "Security or threat intelligence question to ask Gemini" \ No newline at end of file From 45bf2fa6446b4dbe2749876f5bf0c57fd3a7a644 Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Wed, 30 Jul 2025 22:07:28 -0400 Subject: [PATCH 03/16] Add comprehensive Gemini slash commands for SecOps MCP tools - Added 13 slash commands covering all SecOps MCP tools: * entity-lookup: Entity enrichment and lookup * ioc-matches: IoC matches from threat intelligence * search-events: Natural language security event search * get-alerts, get-alert, update-alert: Alert management * list-rules, search-rules, get-detections, list-errors: Rule management * create-rule, test-rule, validate-rule: Rule development * threat-intel: Gemini-powered threat intelligence queries - Enhanced ioc-matches with detailed help functionality using Jinja2 templating - All commands include proper parameter validation and descriptions - Enables usage information --- .gemini/commands/secops.toml | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/.gemini/commands/secops.toml b/.gemini/commands/secops.toml index ce1db2ab..3a44ee81 100644 --- a/.gemini/commands/secops.toml +++ b/.gemini/commands/secops.toml @@ -15,16 +15,41 @@ prompt = "Call the entity_lookup tool with: `entity_lookup(entity_value={{entity # SecOps get_ioc_matches [[subCommands]] name = "ioc-matches" -description = "Call the SecOps MCP Server's get_ioc_matches MCP Tool" -prompt = "Call the get_ioc_matches tool with: `get_ioc_matches(hours_back={{hours-back}}, max_matches={{max-matches}})`" +description = "Get Indicators of Compromise (IoC) matches from Chronicle SIEM - retrieves malicious IPs, domains, and hashes observed in logs" +prompt = """ +{% if help %} +Usage: /secops ioc-matches [OPTIONS] + +Get Indicators of Compromise (IoC) matches from Chronicle SIEM. +Retrieves IoCs (e.g., malicious IPs, domains, hashes) from configured threat +intelligence feeds that have been observed matching events in Chronicle logs. + +Options: + --hours-back Hours to look back for IoC matches (default: 24) + --max-matches Maximum number of IoC matches to return (default: 20) + --help Show this help message + +Examples: + /secops ioc-matches # Get IoC matches from last 24 hours + /secops ioc-matches --hours-back 72 # Get IoC matches from last 3 days + /secops ioc-matches --max-matches 50 # Get up to 50 IoC matches + /secops ioc-matches --hours-back 48 --max-matches 100 + +Use this to proactively identify potential threats based on IoC matches within SIEM data. +{% else %} +Call the get_ioc_matches tool with: `get_ioc_matches(hours_back={{hours-back}}, max_matches={{max-matches}})` +{% endif %} +""" [[subCommands.args]] name = "hours-back" required = false default = "24" + description = "Number of hours to look back for IoC matches" [[subCommands.args]] name = "max-matches" required = false default = "20" + description = "Maximum number of IoC matches to return" # SecOps search_security_events [[subCommands]] From 0510e88d0747efb3cb9171c24e5fdd059588461d Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Wed, 30 Jul 2025 22:12:41 -0400 Subject: [PATCH 04/16] Add --help functionality to entity-lookup command Enhanced entity-lookup command with comprehensive help using Jinja2 templating: - Added detailed usage information and examples - Shows entity types supported (IP, domain, hash, username, hostname) - Explains output format including entity details, related entities, alerts - Includes practical examples for different entity types - Maintains backward compatibility with existing functionality --- .gemini/commands/secops.toml | 43 ++++++++++++++++++++++++++++++++++-- 1 file changed, 41 insertions(+), 2 deletions(-) diff --git a/.gemini/commands/secops.toml b/.gemini/commands/secops.toml index 3a44ee81..3346e80f 100644 --- a/.gemini/commands/secops.toml +++ b/.gemini/commands/secops.toml @@ -6,11 +6,50 @@ You are implementing /slash-commands to call the available MCP Tools # SecOps entity_lookup [[subCommands]] name = "entity-lookup" -description = "Call the SecOps MCP Server's entity_lookup MCP Tool" -prompt = "Call the entity_lookup tool with: `entity_lookup(entity_value={{entity-value}})`" +description = "Look up an entity (IP, domain, hash, user, etc.) in Chronicle SIEM for enrichment and historical context" +prompt = """ +{% if help %} +Usage: /secops entity-lookup [OPTIONS] + +Look up an entity (IP, domain, hash, user, etc.) in Chronicle SIEM for enrichment. + +Provides a comprehensive summary of an entity's activity based on historical log data +within Chronicle over a specified time period. Chronicle automatically attempts to +detect the entity type from the value provided. + +Options: + --entity-value Value to look up (IP, domain, hash, username) [REQUIRED] + --hours-back Hours of historical data to consider (default: 24) + --help Show this help message + +Examples: + /secops entity-lookup --entity-value="192.168.1.100" # Lookup IP address + /secops entity-lookup --entity-value="evil.com" # Lookup domain + /secops entity-lookup --entity-value="user@example.com" # Lookup user + /secops entity-lookup --entity-value="WIN-HELIUM" # Lookup hostname + /secops entity-lookup --entity-value="abc123hash" --hours-back=72 # 3-day lookup + +The summary includes: +- Primary entity details (type, first/last seen) +- Related entities observed interacting with the primary entity +- Associated Chronicle alerts triggered involving the entity +- Timeline summary (event/alert counts over the period) +- Prevalence information (if available) + +Use this to quickly understand context and prevalence of indicators by examining SIEM log data. +{% else %} +Call the lookup_entity tool with: `lookup_entity(entity_value={{entity-value}}, hours_back={{hours-back}})` +{% endif %} +""" [[subCommands.args]] name = "entity-value" required = true + description = "Value to look up (IP address, domain name, file hash, username)" + [[subCommands.args]] + name = "hours-back" + required = false + default = "24" + description = "Number of hours of historical data to consider for the summary" # SecOps get_ioc_matches [[subCommands]] From 80e7b2855353a33bf2468de27675b790a2a80b3b Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Wed, 30 Jul 2025 22:19:18 -0400 Subject: [PATCH 05/16] Add --help to entity-lookup, search-events, get-alerts, get-alert, update-alert --- .gemini/commands/secops.toml | 235 +++++++++++++++++++++++++++++++++-- 1 file changed, 227 insertions(+), 8 deletions(-) diff --git a/.gemini/commands/secops.toml b/.gemini/commands/secops.toml index 3346e80f..2c4668b6 100644 --- a/.gemini/commands/secops.toml +++ b/.gemini/commands/secops.toml @@ -93,8 +93,47 @@ Call the get_ioc_matches tool with: `get_ioc_matches(hours_back={{hours-back}}, # SecOps search_security_events [[subCommands]] name = "search-events" -description = "Call the SecOps MCP Server's search_security_events MCP Tool" -prompt = "Call the search_security_events tool with: `search_security_events(text={{query}}, hours_back={{hours-back}}, max_events={{max-events}})`" +description = "Search for security events in Chronicle SIEM using natural language queries" +prompt = """ +{% if help %} +Usage: /secops search-events [OPTIONS] + +Search for security events in Chronicle SIEM using natural language. + +Allows searching Chronicle event logs using natural language queries, which are +automatically translated into UDM queries for execution. Ideal for deep investigation +after an initial alert, case, or entity has been prioritized. + +Options: + --query Natural language description of events to find [REQUIRED] + --hours-back Hours back from current time to search (default: 24) + --max-events Maximum number of event records to return (default: 100) + --help Show this help message + +Examples: + /secops search-events --query="Show network connections involving IP 10.0.0.5" + /secops search-events --query="Find login events for user 'admin' yesterday" + /secops search-events --query="List file modifications on host 'server1'" + /secops search-events --query="DNS lookups to malicious.example.com" --hours-back=72 + /secops search-events --query="PowerShell execution events" --max-events=50 + +Query Tips: +- Use natural language to describe what you're looking for +- Specify entity types: IPs, domains, users, hosts, files +- Include time references: "yesterday", "last 6 hours", "today" +- Be specific about event types: logins, network connections, file modifications +- For email addresses, use only lowercase letters + +The response includes: +- Translated UDM query used for the search +- List of matching UDM event records +- Total event count (may exceed max-events limit) + +Use this to retrieve detailed UDM event logs for specific indicators or activities. +{% else %} +Call the search_security_events tool with: `search_security_events(text={{query}}, hours_back={{hours-back}}, max_events={{max-events}})` +{% endif %} +""" [[subCommands.args]] name = "query" required = true @@ -103,34 +142,139 @@ prompt = "Call the search_security_events tool with: `search_security_events(tex name = "hours-back" required = false default = "24" + description = "Hours back from current time to search" [[subCommands.args]] name = "max-events" required = false default = "100" + description = "Maximum number of event records to return" # SecOps get_security_alerts [[subCommands]] name = "get-alerts" -description = "Call the SecOps MCP Server's get_security_alerts MCP Tool" -prompt = "Call the get_security_alerts tool with: `get_security_alerts(hours_back={{hours-back}}, max_alerts={{max-alerts}}, status_filter={{status-filter}})`" +description = "Get security alerts directly from Chronicle SIEM for monitoring and triage" +prompt = """ +{% if help %} +Usage: /secops get-alerts [OPTIONS] + +Get security alerts directly from Chronicle SIEM. + +Retrieves a list of recent security alerts generated within Chronicle, based on +detection rules or other alert sources configured in the SIEM. Use this for direct +monitoring of SIEM alert activity and initial triage. + +Options: + --hours-back Hours to look back for alerts (default: 24) + --max-alerts Maximum number of alerts to return (default: 10) + --status-filter Query string to filter alerts by status (default: exclude closed) + --help Show this help message + +Examples: + /secops get-alerts # Get recent non-closed alerts + /secops get-alerts --hours-back=72 # Get alerts from last 3 days + /secops get-alerts --max-alerts=25 # Get up to 25 alerts + /secops get-alerts --status-filter="" # Get all alerts (including closed) + /secops get-alerts --hours-back=48 --max-alerts=20 # Custom time and limit + +Status Filter Examples: + feedback_summary.status != "CLOSED" # Exclude closed alerts (default) + feedback_summary.status = "NEW" # Only new alerts + feedback_summary.severityDisplay = "HIGH" # Only high severity alerts + +The response includes for each alert: +- Rule name that generated the alert +- Creation timestamp +- Current status (NEW, REVIEWED, CLOSED) +- Severity level +- Associated case information (if available) + +Use Cases: +- Monitor for recent high-priority security events +- Get overview of current alert queue for triage +- Check for alerts that might not have corresponding cases yet +- Initial assessment before deeper investigation + +Next Steps: +- Use /secops get-alert --alert-id=ID for specific alert details +- Use /secops search-events to find related raw logs +- Use /secops entity-lookup on indicators found in alerts +{% else %} +Call the get_security_alerts tool with: `get_security_alerts(hours_back={{hours-back}}, max_alerts={{max-alerts}}, status_filter={{status-filter}})` +{% endif %} +""" [[subCommands.args]] name = "hours-back" required = false default = "24" + description = "Hours to look back for alerts" [[subCommands.args]] name = "max-alerts" required = false default = "10" + description = "Maximum number of alerts to return" [[subCommands.args]] name = "status-filter" required = false default = "feedback_summary.status != \"CLOSED\"" + description = "Query string to filter alerts by status" # SecOps get_security_alert_by_id [[subCommands]] name = "get-alert" -description = "Call the SecOps MCP Server's get_security_alert_by_id MCP Tool" -prompt = "Call the get_security_alert_by_id tool with: `get_security_alert_by_id(alert_id={{alert-id}}, include_detections={{include-detections}})`" +description = "Get detailed information for a specific security alert by ID from Chronicle SIEM" +prompt = """ +{% if help %} +Usage: /secops get-alert [OPTIONS] + +Get security alert by ID directly from Chronicle SIEM. + +Retrieves detailed information for a specific security alert using its unique ID. +This provides comprehensive alert details including detection information, metadata, +and associated events for deep investigation and analysis. + +Options: + --alert-id Unique ID of the alert to retrieve [REQUIRED] + --include-detections Include detection details in response (default: true) + --help Show this help message + +Examples: + /secops get-alert --alert-id="de_12345678-1234-1234-1234-123456789012" + /secops get-alert --alert-id="de_abcdef12-3456-7890-abcd-ef1234567890" --include-detections=false + /secops get-alert --alert-id="de_87654321-4321-4321-4321-210987654321" --include-detections=true + +Alert ID Format: + Alert IDs typically follow the pattern: de_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx + You can get alert IDs from: + - /secops get-alerts command output + - Chronicle SIEM alert console + - SOAR case management systems + - Other security tools integrated with Chronicle + +The response includes: +- Complete alert metadata and properties +- Detection rule information that triggered the alert +- Alert status, severity, and priority +- Timeline and creation information +- Associated detection details (if include-detections=true) +- Related entities and indicators +- Case association information (if available) + +Use Cases: +- Deep dive investigation of a specific alert +- Gather context before updating alert status +- Extract detailed information for incident response +- Validate alert details before taking response actions +- Review detection logic and rule performance + +Next Steps: +- Use /secops update-alert to modify alert status or add comments +- Use /secops search-events to find related raw event logs +- Use /secops entity-lookup on entities found in the alert +- Use /secops get-detections to see historical detections from the same rule +{% else %} +Call the get_security_alert_by_id tool with: `get_security_alert_by_id(alert_id={{alert-id}}, include_detections={{include-detections}})` +{% endif %} +""" [[subCommands.args]] name = "alert-id" required = true @@ -139,12 +283,80 @@ prompt = "Call the get_security_alert_by_id tool with: `get_security_alert_by_id name = "include-detections" required = false default = "true" + description = "Include detection details in the response" # SecOps do_update_security_alert [[subCommands]] name = "update-alert" -description = "Call the SecOps MCP Server's do_update_security_alert MCP Tool" -prompt = "Call the do_update_security_alert tool with: `do_update_security_alert(alert_id={{alert-id}}, reason={{reason}}, priority={{priority}}, status={{status}}, verdict={{verdict}}, severity={{severity}}, comment={{comment}}, root_cause={{root-cause}})`" +description = "Update security alert attributes directly in Chronicle SIEM for investigation disposition" +prompt = """ +{% if help %} +Usage: /secops update-alert [OPTIONS] + +Update security alert attributes directly in Chronicle SIEM. + +Modifies specific fields of an existing security alert based on its ID. Use this after +investigation, triage, or automated analysis to record findings or change alert state. +At least one optional field should be provided to perform a meaningful update. + +Options: + --alert-id Unique ID of the alert to update [REQUIRED] + --reason Reason for closing alert + --priority Alert priority level + --status Alert lifecycle status + --verdict Investigation verdict (true/false positive) + --severity Severity score (0-100) + --comment Analyst comment (empty string clears existing) + --root-cause Alert root cause (empty string clears existing) + --help Show this help message + +Valid Values: + +Reason: + REASON_UNSPECIFIED, REASON_NOT_MALICIOUS, REASON_MALICIOUS, REASON_MAINTENANCE + +Priority: + PRIORITY_UNSPECIFIED, PRIORITY_INFO, PRIORITY_LOW, PRIORITY_MEDIUM, PRIORITY_HIGH, PRIORITY_CRITICAL + +Status: + STATUS_UNSPECIFIED, NEW, REVIEWED, CLOSED, OPEN + +Verdict: + VERDICT_UNSPECIFIED, TRUE_POSITIVE, FALSE_POSITIVE + +Examples: + # Mark alert as false positive + /secops update-alert --alert-id="de_12345" --verdict="FALSE_POSITIVE" --status="CLOSED" --comment="Benign admin activity" + + # Escalate alert priority with analysis + /secops update-alert --alert-id="de_67890" --priority="PRIORITY_HIGH" --severity=85 --comment="Confirmed malicious activity" + + # Close alert with root cause + /secops update-alert --alert-id="de_abcde" --status="CLOSED" --reason="REASON_NOT_MALICIOUS" --root-cause="Scheduled maintenance" + + # Add investigation notes + /secops update-alert --alert-id="de_fghij" --comment="Investigating with IR team - potential data exfiltration" + + # Clear existing comment + /secops update-alert --alert-id="de_klmno" --comment="" + +Use Cases: +- Mark alerts as true/false positives after investigation +- Escalate or de-escalate alert priority based on impact assessment +- Add investigation comments and findings +- Set final disposition when closing alerts +- Update severity based on additional evidence +- Record root cause analysis results + +Next Steps: +- Use /secops get-alert to verify changes were applied +- Consider rule tuning if marking as false positive +- Document significant findings in external case management +- Communicate critical updates to relevant teams +{% else %} +Call the do_update_security_alert tool with: `do_update_security_alert(alert_id={{alert-id}}, reason={{reason}}, priority={{priority}}, status={{status}}, verdict={{verdict}}, severity={{severity}}, comment={{comment}}, root_cause={{root-cause}})` +{% endif %} +""" [[subCommands.args]] name = "alert-id" required = true @@ -152,24 +364,31 @@ prompt = "Call the do_update_security_alert tool with: `do_update_security_alert [[subCommands.args]] name = "reason" required = false + description = "Reason for closing alert" [[subCommands.args]] name = "priority" required = false + description = "Alert priority level" [[subCommands.args]] name = "status" required = false + description = "Alert lifecycle status" [[subCommands.args]] name = "verdict" required = false + description = "Investigation verdict" [[subCommands.args]] name = "severity" required = false + description = "Severity score (0-100)" [[subCommands.args]] name = "comment" required = false + description = "Analyst comment" [[subCommands.args]] name = "root-cause" required = false + description = "Alert root cause" # SecOps list_security_rules [[subCommands]] From 284ab8b64b413f47b6c5bb0c956be4e6fe81b971 Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Wed, 30 Jul 2025 22:37:26 -0400 Subject: [PATCH 06/16] complete --help for all secops commands --- .gemini/commands/secops.toml | 441 +++++++++++++++++++++++++++++++++-- 1 file changed, 425 insertions(+), 16 deletions(-) diff --git a/.gemini/commands/secops.toml b/.gemini/commands/secops.toml index 2c4668b6..707f0fd3 100644 --- a/.gemini/commands/secops.toml +++ b/.gemini/commands/secops.toml @@ -393,14 +393,96 @@ Call the do_update_security_alert tool with: `do_update_security_alert(alert_id= # SecOps list_security_rules [[subCommands]] name = "list-rules" -description = "Call the SecOps MCP Server's list_security_rules MCP Tool" -prompt = "Call the list_security_rules tool with: `list_security_rules()`" +description = "List security detection rules configured in Chronicle SIEM" +prompt = """ +{% if help %} +Usage: /secops list-rules [OPTIONS] + +List security detection rules configured in Chronicle SIEM. + +Retrieves the definitions of detection rules currently active or configured +within the Chronicle SIEM instance. Useful for understanding detection capabilities, +rule auditing, and identifying rules that generated specific alerts. + +Options: + --help Show this help message + +Examples: + /secops list-rules # List all active detection rules + +The response includes: +- Rule definitions and metadata +- Rule IDs for use with other commands +- YARA-L code and logic +- Rule status and configuration + +Use Cases: +- Audit the set of active detection rules +- Find rule that generated a specific alert +- Review detection capabilities +- Understand rule logic for tuning + +Next Steps: +- Use /secops search-rules to find specific rules by pattern +- Use /secops get-detections to see rule's historical detections +- Use /secops list-errors to check for rule execution issues +{% else %} +Call the list_security_rules tool with: `list_security_rules()` +{% endif %} +""" # SecOps search_security_rules [[subCommands]] name = "search-rules" -description = "Call the SecOps MCP Server's search_security_rules MCP Tool" -prompt = "Call the search_security_rules tool with: `search_security_rules(query={{query}})`" +description = "Search security detection rules using regex patterns" +prompt = """ +{% if help %} +Usage: /secops search-rules [OPTIONS] + +Search security detection rules configured in Chronicle SIEM. + +Retrieves detection rules that match a regex pattern, allowing you to find +specific rules by content, MITRE techniques, hostnames, or other criteria +coded into the detection logic. + +Options: + --query Regex string to search for in rules [REQUIRED] + --help Show this help message + +Examples: + /secops search-rules --query="TA0005" # Find defense evasion rules + /secops search-rules --query="192.168.1.1" # Find rules with specific IP + /secops search-rules --query="WORKSPACE" # Find rules using workspace logs + /secops search-rules --query="powershell.*downloadfile" # Find PowerShell download rules + /secops search-rules --query="T1059.001" # Find specific MITRE technique + +Search Tips: +- Use MITRE ATT&CK technique IDs (T1059.001, TA0005) +- Search for specific hostnames or IP addresses +- Look for log types (WORKSPACE, DNS, PROCESS_LAUNCH) +- Use regex patterns for flexible matching +- Search rule names, descriptions, or YARA-L code + +The response includes: +- Matching rule definitions and metadata +- Rule IDs and names +- YARA-L code containing the search pattern +- Rule configuration details + +Use Cases: +- Find rules related to specific MITRE techniques +- Locate rules that reference static infrastructure +- Search for rules using specific log types +- Find rules by name or description content + +Next Steps: +- Use /secops get-detections to see historical detections +- Use /secops list-errors to check rule execution status +- Use /secops test-rule to validate rule modifications +{% else %} +Call the search_security_rules tool with: `search_security_rules(query={{query}})` +{% endif %} +""" [[subCommands.args]] name = "query" required = true @@ -409,8 +491,58 @@ prompt = "Call the search_security_rules tool with: `search_security_rules(query # SecOps get_rule_detections [[subCommands]] name = "get-detections" -description = "Call the SecOps MCP Server's get_rule_detections MCP Tool" -prompt = "Call the get_rule_detections tool with: `get_rule_detections(rule_id={{rule-id}}, alert_state={{alert-state}}, page_size={{page-size}}, page_token={{page-token}})`" +description = "Retrieve historical detections generated by a specific Chronicle SIEM rule" +prompt = """ +{% if help %} +Usage: /secops get-detections [OPTIONS] + +Retrieve historical detections generated by a specific Chronicle SIEM rule. + +Fetches detections based on a rule ID, allowing for investigation and analysis +of rule performance and threat activity. Essential for understanding rule +effectiveness and scoping incident timelines. + +Options: + --rule-id Unique ID of the rule to get detections for [REQUIRED] + --alert-state Filter by alert state (optional) + --page-size Maximum detections per response (optional) + --page-token Token for pagination (optional) + --help Show this help message + +Examples: + /secops get-detections --rule-id="ru_12345678-1234-1234-1234-123456789012" + /secops get-detections --rule-id="ru_abcdef12-3456-7890-abcd-ef1234567890" --alert-state="ALERTING" + /secops get-detections --rule-id="ru_87654321@v_12345_67890" --page-size=50 + +Rule ID Formats: + ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # Latest version + ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@v_12345_67890 # Specific version + ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@- # All versions + +Alert State Values: + UNSPECIFIED, NOT_ALERTING, ALERTING + +Use Cases: +- Alert triage: Understand rule context and frequency +- Rule effectiveness analysis: Determine if rule is too noisy/quiet +- Threat hunting: Find all instances of specific TTP detection +- Incident scoping: Identify timeline of related events +- Assess alert likelihood of maliciousness + +The response includes: +- List of detections with timestamps and details +- Detection metadata and rule information +- Pagination tokens for large result sets +- Related UDM events and indicators + +Next Steps: +- Use /secops search-events to find detailed logs for detected events +- Use /secops entity-lookup on indicators found in detections +- Use /secops list-errors if detections are missing or unexpected +{% else %} +Call the get_rule_detections tool with: `get_rule_detections(rule_id={{rule-id}}, alert_state={{alert-state}}, page_size={{page-size}}, page_token={{page-token}})` +{% endif %} +""" [[subCommands.args]] name = "rule-id" required = true @@ -429,8 +561,51 @@ prompt = "Call the get_rule_detections tool with: `get_rule_detections(rule_id={ # SecOps list_rule_errors [[subCommands]] name = "list-errors" -description = "Call the SecOps MCP Server's list_rule_errors MCP Tool" -prompt = "Call the list_rule_errors tool with: `list_rule_errors(rule_id={{rule-id}})`" +description = "List execution errors for a specific Chronicle SIEM rule" +prompt = """ +{% if help %} +Usage: /secops list-errors [OPTIONS] + +List execution errors for a specific Chronicle SIEM rule. + +Helps troubleshoot rules that might not be generating detections as expected +or are failing during execution. Essential for maintaining SIEM operational +health and ensuring rules run correctly. + +Options: + --rule-id Unique ID of the rule to list errors for [REQUIRED] + --help Show this help message + +Examples: + /secops list-errors --rule-id="ru_12345678-1234-1234-1234-123456789012" + /secops list-errors --rule-id="ru_abcdef12-3456-7890-abcd-ef1234567890@v_12345_67890" + /secops list-errors --rule-id="ru_87654321-4321-4321-4321-210987654321@-" + +Rule ID Formats: + ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # Latest version + ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@v_12345_67890 # Specific version + ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@- # All versions + +Use Cases: +- Rule troubleshooting: Check why rules aren't producing detections +- Rule development: Verify new/modified rules are running properly +- SIEM health monitoring: Identify rules with execution problems +- Post-deployment validation: Ensure rules work after changes + +The response includes: +- Compilation errors and syntax issues +- Runtime execution failures +- Error timestamps and descriptions +- Rule version information + +Next Steps: +- Use /secops search-rules to review rule definition and syntax +- Use /secops validate-rule to check syntax after corrections +- Use /secops get-detections to verify rule produces detections after fixes +{% else %} +Call the list_rule_errors tool with: `list_rule_errors(rule_id={{rule-id}})` +{% endif %} +""" [[subCommands.args]] name = "rule-id" required = true @@ -439,8 +614,74 @@ prompt = "Call the list_rule_errors tool with: `list_rule_errors(rule_id={{rule- # SecOps create_rule [[subCommands]] name = "create-rule" -description = "Call the SecOps MCP Server's create_rule MCP Tool" -prompt = "Call the create_rule tool with: `create_rule(rule_text={{rule-text}})`" +description = "Create a new detection rule in Chronicle SIEM using YARA-L 2.0" +prompt = """ +{% if help %} +Usage: /secops create-rule [OPTIONS] + +Create a new detection rule in Chronicle SIEM. + +Creates a new YARA-L 2.0 detection rule in Chronicle that can generate alerts +when rule conditions are met by ingested events. Rules are the core mechanism +for automated threat detection and response. + +Options: + --rule-text Complete YARA-L 2.0 rule definition [REQUIRED] + --help Show this help message + +Examples: + /secops create-rule --rule-text="rule suspicious_powershell_download { + meta: + description = \"Detects PowerShell downloading files\" + author = \"Security Team\" + severity = \"Medium\" + yara_version = \"YL2.0\" + events: + \$process.metadata.event_type = \"PROCESS_LAUNCH\" + \$process.principal.process.command_line = /powershell.*downloadfile/i + condition: + \$process + }" + +YARA-L 2.0 Rule Structure: + rule rule_name { + meta: # Rule metadata (description, author, severity, MITRE mappings) + description = "Rule description" + author = "Your Name" + severity = "Low|Medium|High|Critical" + yara_version = "YL2.0" + mitre_attack_tactic = "TA0001" + mitre_attack_technique = "T1059.001" + events: # Event matching conditions using UDM fields + \$event.metadata.event_type = "PROCESS_LAUNCH" + \$event.principal.hostname != "" + condition: # Logic combining events + \$event + } + +Rule Development Best Practices: +- Start with clear understanding of what to detect +- Use precise conditions to minimize false positives +- Include appropriate metadata (description, author, severity) +- Test thoroughly before deploying to production +- Consider performance impact on Chronicle processing + +Use Cases: +- Detect specific attack patterns from threat hunting +- Implement custom detection for proprietary applications +- Create behavioral detection rules for user/entity patterns +- Detect compliance violations or policy breaches +- Implement threat intelligence indicators + +Next Steps: +- Use /secops test-rule to validate effectiveness against historical data +- Use /secops validate-rule to check syntax during development +- Use /secops get-detections to monitor rule performance after creation +- Use /secops get-alerts to review generated alerts +{% else %} +Call the create_rule tool with: `create_rule(rule_text={{rule-text}})` +{% endif %} +""" [[subCommands.args]] name = "rule-text" required = true @@ -449,8 +690,68 @@ prompt = "Call the create_rule tool with: `create_rule(rule_text={{rule-text}})` # SecOps test_rule [[subCommands]] name = "test-rule" -description = "Call the SecOps MCP Server's test_rule MCP Tool" -prompt = "Call the test_rule tool with: `test_rule(rule_text={{rule-text}}, hours_back={{hours-back}}, max_results={{max-results}})`" +description = "Test a detection rule against historical data in Chronicle SIEM" +prompt = """ +{% if help %} +Usage: /secops test-rule [OPTIONS] + +Test a detection rule against historical data in Chronicle SIEM. + +Tests a YARA-L 2.0 detection rule against historical data to validate +effectiveness and tune parameters before deployment. Essential for ensuring +rules work as expected and generate appropriate alerts without excessive +false positives. + +Options: + --rule-text Complete YARA-L 2.0 rule definition to test [REQUIRED] + --hours-back How many hours of historical data to test against (default: 168) + --max-results Maximum number of detection results to return (default: 100) + --help Show this help message + +Examples: + /secops test-rule --rule-text="rule test_network_connection { + meta: + description = \"Test rule for network connections\" + author = \"Security Team\" + yara_version = \"YL2.0\" + events: + \$e.metadata.event_type = \"NETWORK_CONNECTION\" + \$e.target.port = 443 + condition: + \$e + }" + + /secops test-rule --rule-text="..." --hours-back=24 --max-results=50 + +Rule Testing Best Practices: +- Test against representative time periods (normal + suspicious activity) +- Review detected events to ensure they align with detection objectives +- Adjust rule conditions based on test results to optimize precision +- Consider computational complexity and Chronicle performance impact +- Test with different time windows to understand patterns + +The response includes: +- Detection count and analysis summary +- Sample detection details and timestamps +- Rule performance metrics +- Recommendations for rule refinement + +Use Cases: +- Validate new rule logic against historical data +- Tune rule thresholds and conditions based on event patterns +- Validate rule modifications before production deployment +- Assess rule performance impact and detection volume +- Compare different rule variations for effectiveness + +Next Steps: +- Analyze test results to determine if rule meets detection objectives +- Refine rule based on results and retest as needed +- Use /secops create-rule once testing shows satisfactory results +- Use /secops validate-rule to check syntax during development +{% else %} +Call the test_rule tool with: `test_rule(rule_text={{rule-text}}, hours_back={{hours-back}}, max_results={{max-results}})` +{% endif %} +""" [[subCommands.args]] name = "rule-text" required = true @@ -467,8 +768,65 @@ prompt = "Call the test_rule tool with: `test_rule(rule_text={{rule-text}}, hour # SecOps validate_rule [[subCommands]] name = "validate-rule" -description = "Call the SecOps MCP Server's validate_rule MCP Tool" -prompt = "Call the validate_rule tool with: `validate_rule(rule_text={{rule-text}})`" +description = "Validate YARA-L 2.0 detection rule syntax in Chronicle SIEM" +prompt = """ +{% if help %} +Usage: /secops validate-rule [OPTIONS] + +Validate YARA-L 2.0 detection rule syntax in Chronicle SIEM. + +Validates the syntax and structure of a YARA-L 2.0 detection rule without +creating or testing it. Useful for checking rule syntax during development +and identifying compilation errors before rule deployment. + +Options: + --rule-text Complete YARA-L 2.0 rule definition to validate [REQUIRED] + --help Show this help message + +Examples: + /secops validate-rule --rule-text="rule example_validation_rule { + meta: + description = \"Example rule for validation testing\" + author = \"Security Team\" + severity = \"Medium\" + yara_version = \"YL2.0\" + events: + \$e.metadata.event_type = \"NETWORK_CONNECTION\" + \$e.target.ip != \"\" + \$e.principal.hostname != \"\" + condition: + \$e + }" + +Validation capabilities: +- Syntax validation for YARA-L 2.0 language constructs +- Field name validation against Chronicle's UDM schema +- Function and operator usage validation +- Rule structure and format validation +- Metadata section validation + +The response includes: +- Validation success/failure status +- Specific syntax errors with location information +- Suggested fields if available +- Error details for troubleshooting + +Use Cases: +- Validate rule syntax during initial development or modification +- Check for compilation errors before committing rule changes +- Quickly verify complex rule logic is syntactically correct +- Validate imported/shared rules before integration +- Educational tool for learning YARA-L 2.0 syntax + +Next Steps: +- If validation passes, proceed with /secops test-rule against historical data +- If validation fails, review and correct identified syntax errors +- Use validation feedback to refine rule logic and structure +- Use /secops create-rule once validated and tested +{% else %} +Call the validate_rule tool with: `validate_rule(rule_text={{rule-text}})` +{% endif %} +""" [[subCommands.args]] name = "rule-text" required = true @@ -477,8 +835,59 @@ prompt = "Call the validate_rule tool with: `validate_rule(rule_text={{rule-text # SecOps get_threat_intel [[subCommands]] name = "threat-intel" -description = "Call the SecOps MCP Server's get_threat_intel MCP Tool" -prompt = "Call the get_threat_intel tool with: `get_threat_intel(query={{query}})`" +description = "Get answers to security questions using Chronicle's integrated Gemini model" +prompt = """ +{% if help %} +Usage: /secops threat-intel [OPTIONS] + +Get answers to security questions using Chronicle's integrated Gemini model. + +Leverages Gemini to answer general security domain questions or provide specific +threat intelligence summaries about threat actors, IOCs, CVEs, TTPs, and other +security topics based on Google's threat intelligence. + +Options: + --query Security or threat intelligence question to ask Gemini [REQUIRED] + --help Show this help message + +Examples: + /secops threat-intel --query="Summarize threat actor APT41" + /secops threat-intel --query="What is CVE-2024-23897?" + /secops threat-intel --query="Explain the MITRE ATT&CK technique T1059.001" + /secops threat-intel --query="What are common persistence mechanisms on Linux?" + /secops threat-intel --query="Tell me about the LockBit ransomware" + /secops threat-intel --query="How does the Log4j vulnerability work?" + +Question Types: +- Threat Actor Intelligence: "Summarize APT28", "What are Lazarus Group's TTPs?" +- Vulnerability Information: "Explain CVE-2023-44487", "What is the impact of Log4Shell?" +- MITRE ATT&CK Details: "Describe technique T1566.001", "What is tactic TA0008?" +- Malware Analysis: "How does Emotet work?", "What are Cobalt Strike's capabilities?" +- General Security: "What is lateral movement?", "How do DDoS attacks work?" + +The response includes: +- Comprehensive threat intelligence summaries +- Technical details and context +- MITRE ATT&CK mappings when relevant +- IOCs and indicators when available +- Recommended defensive measures + +Use Cases: +- Quick context during investigations on specific threats/vulnerabilities +- Background information before deeper investigation +- Understanding potential impact of identified CVEs +- Learning about unfamiliar threat actors or malware families +- Getting security concept explanations + +Next Steps: +- Use provided intelligence to inform further investigation steps +- Use /secops entity-lookup to check for IOCs in your environment +- Use /secops search-events to find related activity in SIEM logs +- Document relevant findings in case management systems +{% else %} +Call the get_threat_intel tool with: `get_threat_intel(query={{query}})` +{% endif %} +""" [[subCommands.args]] name = "query" required = true From ac2a2194f1b35e0a0d131a2729ea6444d4c8a8eb Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Wed, 30 Jul 2025 22:48:09 -0400 Subject: [PATCH 07/16] Add comprehensive SCC slash commands for Security Command Center MCP tools - Implement /scc top-vuln-findings: Lists top ACTIVE HIGH/CRITICAL vulnerability findings sorted by Attack Exposure Score - Implement /scc get-remediation: Gets detailed remediation steps for specific findings with resource details from CAI - Follow established conventions from secops.toml with comprehensive help documentation, examples, and use cases - Enable Gemini CLI integration with Security Command Center for vulnerability management and remediation workflows --- .gemini/commands/scc.toml | 151 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 151 insertions(+) create mode 100644 .gemini/commands/scc.toml diff --git a/.gemini/commands/scc.toml b/.gemini/commands/scc.toml new file mode 100644 index 00000000..71ec6703 --- /dev/null +++ b/.gemini/commands/scc.toml @@ -0,0 +1,151 @@ +description = "Implement slash command to call Security Command Center MCP Tools" +prompt = """ +You are implementing /slash-commands to call the available Security Command Center (SCC) MCP Tools +""" + +# SCC top_vulnerability_findings +[[subCommands]] +name = "top-vuln-findings" +description = "List the top ACTIVE, HIGH or CRITICAL severity vulnerability findings for a project, sorted by Attack Exposure Score" +prompt = """ +{% if help %} +Usage: /scc top-vuln-findings [OPTIONS] + +List the top ACTIVE, HIGH or CRITICAL severity vulnerability findings for a project. + +Lists the top vulnerability findings of class VULNERABILITY that are currently ACTIVE +with HIGH or CRITICAL severity, sorted by Attack Exposure Score (descending). This +tool aids in prioritization for remediation by focusing on the most exposed vulnerabilities. + +Options: + --project-id Google Cloud project ID to search for findings [REQUIRED] + --max-findings Maximum number of findings to return (default: 20) + --help Show this help message + +Examples: + /scc top-vuln-findings --project-id="my-gcp-project" + /scc top-vuln-findings --project-id="security-project-123" --max-findings=10 + /scc top-vuln-findings --project-id="prod-environment" --max-findings=50 + +Project ID Format: + Use your Google Cloud project ID (not project name or number) + Examples: "my-company-prod", "security-monitoring-dev", "web-app-staging" + +The response includes for each finding: +- Finding name and category +- Affected resource name +- Severity level (HIGH or CRITICAL) +- Attack Exposure Score (used for prioritization) +- Description of the vulnerability + +Use Cases: +- Prioritize vulnerability remediation by attack exposure +- Focus security efforts on most critical vulnerabilities +- Get overview of high-impact security findings +- Generate executive reports on security posture + +Next Steps: +- Use /scc get-remediation to get specific remediation steps +- Investigate specific resources with highest exposure scores +- Plan remediation activities based on attack exposure ranking +{% else %} +Call the top_vulnerability_findings tool with: `top_vulnerability_findings(project_id={{project-id}}, max_findings={{max-findings}})` +{% endif %} +""" + [[subCommands.args]] + name = "project-id" + required = true + description = "The Google Cloud project ID to search for vulnerability findings" + [[subCommands.args]] + name = "max-findings" + required = false + default = "20" + description = "Maximum number of findings to return" + +# SCC get_finding_remediation +[[subCommands]] +name = "get-remediation" +description = "Get remediation steps for a specific Security Command Center finding with resource details" +prompt = """ +{% if help %} +Usage: /scc get-remediation [OPTIONS] + +Get remediation steps for a specific Security Command Center finding. + +Retrieves the remediation steps (nextSteps) for a specific finding within a project, +along with details of the affected resource fetched from Cloud Asset Inventory (CAI). +The finding can be identified either by its resource name and category (for ACTIVE +findings) or directly by its finding ID (regardless of state). + +Options: + --project-id Google Cloud project ID containing the finding [REQUIRED] + --resource-name Full resource name associated with the finding (optional) + --category Category of the finding (optional, used with resource-name) + --finding-id ID of the finding to search for directly (optional) + --help Show this help message + +Finding Identification Methods: + +Method 1 - By Resource and Category (for ACTIVE findings): + /scc get-remediation --project-id="my-project" \ + --resource-name="//container.googleapis.com/projects/my-project/locations/us-central1/clusters/my-cluster" \ + --category="GKE_SECURITY_BULLETIN" + +Method 2 - By Finding ID (any state): + /scc get-remediation --project-id="my-project" \ + --finding-id="12345678901234567890" + +Resource Name Examples: + Container clusters: + //container.googleapis.com/projects/PROJECT/locations/LOCATION/clusters/CLUSTER + + Compute instances: + //compute.googleapis.com/projects/PROJECT/zones/ZONE/instances/INSTANCE + + Storage buckets: + //storage.googleapis.com/projects/_/buckets/BUCKET + +Common Categories: + - GKE_SECURITY_BULLETIN + - COMPUTE_ENGINE_SECURITY_BULLETIN + - CLOUD_SQL_SECURITY_BULLETIN + - OPEN_FIREWALL + - WEAK_SSL_POLICY + +The response includes: +- Detailed remediation steps (nextSteps) +- Finding description and metadata +- Resource details from Cloud Asset Inventory +- Full finding details for analysis + +Use Cases: +- Get specific remediation guidance for high-priority findings +- Understand resource context for vulnerability remediation +- Plan remediation activities with detailed technical steps +- Gather information for incident response + +Next Steps: +- Follow the provided remediation steps +- Coordinate with resource owners for remediation +- Verify remediation by re-running security scans +- Document remediation activities for compliance +{% else %} +Call the get_finding_remediation tool with: `get_finding_remediation(project_id={{project-id}}, resource_name={{resource-name}}, category={{category}}, finding_id={{finding-id}})` +{% endif %} +""" + [[subCommands.args]] + name = "project-id" + required = true + description = "The Google Cloud project ID containing the finding" + [[subCommands.args]] + name = "resource-name" + required = false + description = "Full resource name associated with the finding" + [[subCommands.args]] + name = "category" + required = false + description = "Category of the finding (used with resource-name)" + [[subCommands.args]] + name = "finding-id" + required = false + description = "ID of the finding to search for directly" From 7c1c7b88b9c028af02c61fe6d83ea324f6e6631b Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Wed, 30 Jul 2025 22:51:55 -0400 Subject: [PATCH 08/16] Add comprehensive Gemini CLI slash commands for SecOps MCP tools - Complete integration of 23 SecOps MCP tools as Gemini CLI subcommands - Includes Chronicle SIEM tools: alerts, rules, entity lookup, event search - Includes SOAR case management: cases, alerts, entities, comments - Features Jinja2 templating with conditional help documentation - Consistent parameter mapping and comprehensive tool descriptions - Enables natural language security operations through Gemini CLI --- .gemini/commands/secops.toml | 625 ++++++++++++++++++++++++++++++++++- 1 file changed, 624 insertions(+), 1 deletion(-) diff --git a/.gemini/commands/secops.toml b/.gemini/commands/secops.toml index 707f0fd3..be89cbc3 100644 --- a/.gemini/commands/secops.toml +++ b/.gemini/commands/secops.toml @@ -891,4 +891,627 @@ Call the get_threat_intel tool with: `get_threat_intel(query={{query}})` [[subCommands.args]] name = "query" required = true - description = "Security or threat intelligence question to ask Gemini" \ No newline at end of file + description = "Security or threat intelligence question to ask Gemini" + +# SOAR Case Management Commands + +# SOAR list_cases +[[subCommands]] +name = "list-cases" +description = "List cases available in the Security Orchestration, Automation, and Response (SOAR) platform" +prompt = """ +{% if help %} +Usage: /secops list-cases [OPTIONS] + +List cases available in the Security Orchestration, Automation, and Response (SOAR) platform. + +In a SOAR context, a 'case' typically represents a security incident, investigation, +or a container for related alerts and response actions. Listing cases provides an +overview of ongoing or past security events being managed by the platform. + +Options: + --next-page-token Token to fetch the next page of results (optional) + --help Show this help message + +Examples: + /secops list-cases # List current cases + /secops list-cases --next-page-token="abc123xyz" # Get next page of results + +Use Cases: +- Get high-level overview of current incident queue within SOAR platform +- Find specific incidents to investigate further +- First step in triage workflow to understand ongoing security events +- Monitor case backlog and priorities + +The response includes: +- List of case objects with summary details (ID, name, status, priority) +- Case priorities (initial indicator - true importance requires deeper analysis) +- Associated metadata and timestamps +- Pagination tokens for additional results + +Important Triage Note: +Case priority is only an initial indicator. True importance must be assessed by +examining the full context (alerts, entities, potential impact, threat intelligence) +using tools like /secops get-case-details. + +Next Steps: +- Use /secops get-case-details --case-id=ID for comprehensive case analysis +- Use /secops list-alerts-by-case --case-id=ID to see associated alerts +- Use /secops change-case-priority if initial assessment suggests different priority +- Extract key indicators and use SIEM, TI, or other security tool integrations +{% else %} +Call the list_cases tool with: `list_cases(next_page_token={{next-page-token}})` +{% endif %} +""" + [[subCommands.args]] + name = "next-page-token" + required = false + description = "Token to fetch the next page of results" + +# SOAR post_case_comment +[[subCommands]] +name = "post-case-comment" +description = "Post a comment to a specific case within the SOAR platform for documentation and collaboration" +prompt = """ +{% if help %} +Usage: /secops post-case-comment [OPTIONS] + +Post a comment to a specific case within the SOAR platform. + +Cases are used to track security incidents and investigations. Adding comments +is essential for documenting findings, communication between analysts, recording +actions taken, or providing updates on the investigation progress. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --comment The textual content of the comment to be recorded [REQUIRED] + --help Show this help message + +Examples: + /secops post-case-comment --case-id="523" --comment="Investigating potential impact" + /secops post-case-comment --case-id="724" --comment="Confirmed malicious activity - escalating" + /secops post-case-comment --case-id="891" --comment="False positive - benign admin activity" + +Use Cases: +- Document findings from other MCP tool investigations (SIEM, TI, EDR, Cloud) +- Record analyst actions and decisions during investigation +- Provide updates on investigation progress for team collaboration +- Maintain audit trail within the SOAR case +- Justify changes in case priority or status + +The response includes: +- Confirmation of successful comment posting +- Any error messages if posting fails +- Updated case comment history + +Workflow Integration: +- Use throughout investigation to document findings from various security tools +- Essential for collaboration and maintaining audit trail within SOAR case +- Document conclusions derived from MCP-enabled tools (SIEM, TI, EDR, Cloud posture) + +Next Steps: +- Continue investigation based on documented information +- Use comments to justify case priority changes or status updates +- Share key findings with other relevant systems (ticketing, reporting) +{% else %} +Call the post_case_comment tool with: `post_case_comment(case_id={{case-id}}, comment={{comment}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "comment" + required = true + description = "The textual content of the comment to be recorded" + +# SOAR list_alerts_by_case +[[subCommands]] +name = "list-alerts-by-case" +description = "List the security alerts associated with a specific case ID in the SOAR platform" +prompt = """ +{% if help %} +Usage: /secops list-alerts-by-case [OPTIONS] + +List the security alerts associated with a specific case ID in the SOAR platform. + +Alerts are notifications generated by security tools (like SIEMs, EDRs) indicating +potential security issues. In SOAR, alerts are often grouped into cases for +investigation and response. Listing alerts helps understand the scope of incidents. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --next-page-token Token to fetch the next page of results (optional) + --help Show this help message + +Examples: + /secops list-alerts-by-case --case-id="523" + /secops list-alerts-by-case --case-id="724" --next-page-token="def456ghi" + +Use Cases: +- Understand specific triggers (alerts) and scope of incident in SOAR case +- Identify alert patterns and relationships within a case +- Get alert severity and metadata for investigation prioritization +- Find alert IDs for deeper event analysis + +The response includes: +- List of alert objects linked to the specified case +- Alert details: name, source, severity, timestamp +- Alert severity (initial guidance - actual risk depends on context and evidence) +- Associated alert metadata and identifiers + +Workflow Integration: +- Use after identifying a case of interest (via list-cases or get-case-details) +- Helps understand specific triggers and scope of incident in SOAR platform +- Provides foundation for deeper investigation into underlying events + +Next Steps: +- Use /secops list-events-by-alert to get raw events underlying specific alerts +- Use /secops list-alert-group-identifiers-by-case to understand alert groupings +- Use /secops get-entities-by-alert-group-identifiers to find entities in alert groups +- Extract indicators from alerts and use SIEM entity lookup or event search +- Correlate alert details with findings from other security tools (EDR, Network, Cloud, TI) +{% else %} +Call the list_alerts_by_case tool with: `list_alerts_by_case(case_id={{case-id}}, next_page_token={{next-page-token}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "next-page-token" + required = false + description = "Token to fetch the next page of results" + +# SOAR list_alert_group_identifiers_by_case +[[subCommands]] +name = "list-alert-group-identifiers" +description = "List alert group identifiers associated with a specific case ID in the SOAR platform" +prompt = """ +{% if help %} +Usage: /secops list-alert-group-identifiers [OPTIONS] + +List alert group identifiers associated with a specific case ID in the SOAR platform. + +In this SOAR implementation, alerts within a case can be grouped using identifiers, +potentially for correlation, playbook execution stages, or analyst assignment. +Retrieving these identifiers helps understand the internal structure of a case. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --next-page-token Token to fetch the next page of results (optional) + --help Show this help message + +Examples: + /secops list-alert-group-identifiers --case-id="523" + /secops list-alert-group-identifiers --case-id="724" --next-page-token="ghi789jkl" + +Use Cases: +- Understand how alerts are grouped within the case +- Identify related sets of alerts for targeted actions +- Support playbook logic that operates on alert groups +- Prepare for entity retrieval from specific alert groups + +The response includes: +- List of alert group identifier strings associated with the case +- Group identifiers used for correlation and organization +- Identifiers that can be used with other SOAR tools + +Workflow Integration: +- Use after identifying a case and its associated alerts within SOAR platform +- Helps understand alert groupings relevant for playbook logic +- Prepares for targeted actions on specific alert groupings + +Next Steps: +- Use /secops get-entities-by-alert-group-identifiers to find entities in these groups +- Use identifiers as parameters for playbook actions or integrations +- Target specific alert groupings for automated or manual interventions +{% else %} +Call the list_alert_group_identifiers_by_case tool with: `list_alert_group_identifiers_by_case(case_id={{case-id}}, next_page_token={{next-page-token}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "next-page-token" + required = false + description = "Token to fetch the next page of results" + +# SOAR list_events_by_alert +[[subCommands]] +name = "list-events-by-alert" +description = "List the underlying security events associated with a specific alert within a given case" +prompt = """ +{% if help %} +Usage: /secops list-events-by-alert [OPTIONS] + +List the underlying security events associated with a specific alert within a given case. + +Security alerts (often derived from detection rules or IoC matches) are typically +triggered by one or more underlying events ingested into the security platform +(e.g., Chronicle). These events provide the raw data needed to validate alerts. + +Options: + --case-id The unique identifier (ID) of the case containing the alert [REQUIRED] + --alert-id The unique identifier (ID) of the specific alert [REQUIRED] + --next-page-token Token to fetch the next page of results (optional) + --help Show this help message + +Examples: + /secops list-events-by-alert --case-id="523" --alert-id="751" + /secops list-events-by-alert --case-id="724" --alert-id="892" --next-page-token="xyz123abc" + +Use Cases: +- Get ground truth event data (often from SIEM) to validate alerts +- Understand exact actions that occurred to trigger the alert +- Perform deep-dive investigations into specific alert triggers +- Extract detailed forensic information from underlying events + +The response includes: +- List of event objects (potentially in UDM format) related to the alert +- Raw data needed to validate alert and understand specific activity +- Event details for forensic analysis and investigation +- Timestamps and metadata for timeline reconstruction + +Workflow Integration: +- Use after identifying specific alert of interest within SOAR case +- Provides ground truth event data from SIEM for alert validation +- Essential for understanding exact actions that occurred + +Next Steps: +- Analyze event data (UDM format) for specific details: command lines, network connections, file hashes, user activity +- Extract new indicators from the events for further investigation +- Use entity lookup or threat intelligence tools to enrich newly found indicators +- Correlate event details with other related events using SIEM event search tools +- Document findings in case management system using commenting tools +{% else %} +Call the list_events_by_alert tool with: `list_events_by_alert(case_id={{case-id}}, alert_id={{alert-id}}, next_page_token={{next-page-token}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case containing the alert" + [[subCommands.args]] + name = "alert-id" + required = true + description = "The unique identifier (ID) of the specific alert" + [[subCommands.args]] + name = "next-page-token" + required = false + description = "Token to fetch the next page of results" + +# SOAR change_case_priority +[[subCommands]] +name = "change-case-priority" +description = "Change the priority level of a specific case in the SOAR platform" +prompt = """ +{% if help %} +Usage: /secops change-case-priority [OPTIONS] + +Change the priority level of a specific case in the SOAR platform. + +Case priority helps security teams triage incidents and focus on the most urgent +threats based on currently available information. Priority can change as more +context is gathered during investigation. + +Options: + --case-id The unique identifier (ID) of the case to update [REQUIRED] + --case-priority The new priority level to assign to the case [REQUIRED] + --help Show this help message + +Valid Priority Values: + PriorityUnspecified, PriorityInfo, PriorityLow, PriorityMedium, PriorityHigh, PriorityCritical + +Examples: + /secops change-case-priority --case-id="523" --case-priority="PriorityHigh" + /secops change-case-priority --case-id="724" --case-priority="PriorityLow" + /secops change-case-priority --case-id="891" --case-priority="PriorityCritical" + +Use Cases: +- Escalate case priority based on new information from MCP tools (SIEM, TI, EDR) +- De-escalate cases found to be false positives or low impact +- Ensure analyst focus aligns with actual risk posed by incident +- Adjust priority during investigation lifecycle based on findings + +The response includes: +- Confirmation of successful priority update +- Error messages if update fails +- Updated case priority information + +Workflow Integration: +- Use during triage or investigation when new information suggests incorrect priority +- Helps ensure analyst focus aligns with actual risk from multiple data sources +- Typically follows analysis using various MCP-enabled security tools + +Next Steps: +- Use /secops post-case-comment to document reason for priority change +- Adjust investigation efforts based on new priority level +- Consider resource allocation changes based on updated priority +{% else %} +Call the change_case_priority tool with: `change_case_priority(case_id={{case-id}}, case_priority={{case-priority}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case to update" + [[subCommands.args]] + name = "case-priority" + required = true + description = "The new priority level (PriorityUnspecified, PriorityInfo, PriorityLow, PriorityMedium, PriorityHigh, PriorityCritical)" + +# SOAR get_entities_by_alert_group_identifiers +[[subCommands]] +name = "get-entities-by-alert-groups" +description = "Retrieve entities (IPs, hostnames, users) involved in specific alert groups within a case" +prompt = """ +{% if help %} +Usage: /secops get-entities-by-alert-groups [OPTIONS] + +Retrieve entities (e.g., IP addresses, hostnames, users) involved in specific alert groups within a case. + +Understanding which entities are associated with alerts is fundamental for incident +investigation and response. This tool fetches entities linked to alert groups, +crucial for identifying affected assets, attack vectors, or compromised accounts. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated list of alert group identifiers [REQUIRED] + --help Show this help message + +Examples: + /secops get-entities-by-alert-groups --case-id="523" --alert-group-identifiers="rule_name_hash_guid" + /secops get-entities-by-alert-groups --case-id="724" --alert-group-identifiers="group1,group2,group3" + +Use Cases: +- Identify specific assets, users, or indicators involved in incident stages +- Get target entities for manual response actions or playbook automation +- Understand scope of impact from specific alert groupings +- Prepare entity lists for targeted response actions + +The response includes: +- List of entities (with identifiers, types, etc.) associated with alert groups +- Entity details and metadata for investigation context +- Information needed for targeted response actions + +Workflow Integration: +- Use after identifying relevant alert group identifiers within SOAR case +- Crucial for pinpointing specific assets/users/indicators in incident aspects +- Provides foundation for targeted response and investigation actions + +Next Steps: +- Analyze entity list to understand scope of impact +- Use /secops get-entity-details to get more SOAR-specific context on individual entities +- Use SIEM entity lookup tools to get broader historical context for these entities +- Use SIEM event search tools to find detailed logs related to entities' activities +- Use threat intelligence tools to enrich the identified entities +- Use entity list as input for targeted response actions via SOAR playbooks or security tools +{% else %} +Call the get_entities_by_alert_group_identifiers tool with: `get_entities_by_alert_group_identifiers(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case containing the alert groups" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated list of identifiers for the alert groups" + +# SOAR get_entity_details +[[subCommands]] +name = "get-entity-details" +description = "Fetch detailed information about a specific entity known to the SOAR platform" +prompt = """ +{% if help %} +Usage: /secops get-entity-details [OPTIONS] + +Fetch detailed information about a specific entity known to the SOAR platform. + +Entities (like IPs, domains, users, assets) are central to security investigations. +This tool retrieves comprehensive details about a specific entity based on its +identifier, type, and environment, including enrichment data and risk scores. + +Options: + --entity-identifier The unique identifier of the entity (e.g., "192.168.1.100") [REQUIRED] + --entity-type The type of the entity (e.g., "IP Address") [REQUIRED] + --entity-environment The environment context for the entity (e.g., "Production") [REQUIRED] + --help Show this help message + +Examples: + /secops get-entity-details --entity-identifier="192.168.1.100" --entity-type="IP Address" --entity-environment="Production" + /secops get-entity-details --entity-identifier="user@company.com" --entity-type="User" --entity-environment="Corporate" + /secops get-entity-details --entity-identifier="workstation-01" --entity-type="Hostname" --entity-environment="Development" + +Use Cases: +- Get SOAR platform's specific view of entity with enrichments +- Retrieve threat intelligence scores and asset inventory details +- Understand related alerts or cases involving the entity +- Get risk scores and observed activity for the entity + +The response includes: +- Detailed attributes and related information for the specified entity +- Enrichment data performed by SOAR playbooks or integrations +- Risk scores and threat intelligence information +- Related alerts, cases, and observed activity + +Workflow Integration: +- Use after identifying specific entity of interest within SOAR platform +- Provides SOAR platform's enriched view including playbook-generated context +- Complements broader SIEM entity lookup tools with SOAR-specific enrichments + +Next Steps: +- Analyze enrichment data provided by SOAR platform (threat intel scores, asset details) +- Compare SOAR entity details with broader context from SIEM entity lookup tools +- Use findings to inform risk assessment and response decisions within SOAR workflow +- Document key details using case commenting tools +- Correlate with information from other security tools (EDR, Network, Cloud, TI) +{% else %} +Call the get_entity_details tool with: `get_entity_details(entity_identifier={{entity-identifier}}, entity_type={{entity-type}}, entity_environment={{entity-environment}})` +{% endif %} +""" + [[subCommands.args]] + name = "entity-identifier" + required = true + description = "The unique identifier of the entity" + [[subCommands.args]] + name = "entity-type" + required = true + description = "The type of the entity" + [[subCommands.args]] + name = "entity-environment" + required = true + description = "The environment context for the entity" + +# SOAR search_entity +[[subCommands]] +name = "search-entity" +description = "Search for entities within the SOAR platform based on various criteria" +prompt = """ +{% if help %} +Usage: /secops search-entity [OPTIONS] + +Search for entities within the SOAR platform based on various criteria. + +This tool provides a flexible way to find entities (assets, users, IOCs, etc.) +matching specific attributes. Useful for exploring the entity database or finding +potentially related entities during an investigation. + +Options: + --term Search term (e.g., partial IP, hostname fragment) (optional) + --type Comma-separated list of entity types to filter by (optional) + --is-suspicious Filter for entities marked as suspicious (true/false) (optional) + --is-internal-asset Filter for entities identified as internal assets (true/false) (optional) + --is-enriched Filter for entities that have undergone enrichment (true/false) (optional) + --network-name Comma-separated list of networks to filter by (optional) + --environment-name Comma-separated list of environments to filter by (optional) + --help Show this help message + +Examples: + /secops search-entity --term="192.168" # Search for IPs starting with 192.168 + /secops search-entity --type="IP Address,Hostname" # Search for IPs and hostnames + /secops search-entity --is-suspicious=true # Find all suspicious entities + /secops search-entity --is-internal-asset=false # Find external entities + /secops search-entity --network-name="DMZ,Production" # Search in specific networks + /secops search-entity --environment-name="Production" # Search in production environment + +Use Cases: +- Exploratory analysis within SOAR platform's entity database +- Find potentially related entities based on partial information +- Identify entities with specific characteristics (suspicious, internal, enriched) +- Discover assets with shared characteristics in specific environments + +The response includes: +- List of entity objects matching the search criteria +- Entity attributes and metadata for investigation context +- Filtering results based on specified criteria + +Workflow Integration: +- Useful for exploratory analysis when you don't have specific identifier from alert/case +- Can help identify potentially related entities based on shared characteristics +- Supports discovery of suspicious hosts in specific environments as known by SOAR + +Next Steps: +- Analyze the list of returned entities for patterns or relationships +- Use /secops get-entity-details for more SOAR-specific information on entities found +- Use SIEM entity lookup tools for broader historical context on interesting entities +- Use threat intelligence tools to enrich findings from the search results +{% else %} +Call the search_entity tool with: `search_entity(term={{term}}, type={{type}}, is_suspicious={{is-suspicious}}, is_internal_asset={{is-internal-asset}}, is_enriched={{is-enriched}}, network_name={{network-name}}, environment_name={{environment-name}})` +{% endif %} +""" + [[subCommands.args]] + name = "term" + required = false + description = "Search term to match against entity identifiers or names" + [[subCommands.args]] + name = "type" + required = false + description = "Comma-separated list of entity types to filter by" + [[subCommands.args]] + name = "is-suspicious" + required = false + description = "Filter for entities marked as suspicious (true/false)" + [[subCommands.args]] + name = "is-internal-asset" + required = false + description = "Filter for entities identified as internal assets (true/false)" + [[subCommands.args]] + name = "is-enriched" + required = false + description = "Filter for entities that have undergone enrichment processes (true/false)" + [[subCommands.args]] + name = "network-name" + required = false + description = "Comma-separated list of networks to filter entities by" + [[subCommands.args]] + name = "environment-name" + required = false + description = "Comma-separated list of environments to filter entities by" + +# SOAR get_case_full_details +[[subCommands]] +name = "get-case-details" +description = "Retrieve comprehensive details for a specific case by aggregating core information, alerts, and comments" +prompt = """ +{% if help %} +Usage: /secops get-case-details [OPTIONS] + +Retrieve comprehensive details for a specific case by aggregating its core information, associated alerts, and comments. + +This tool provides a consolidated view of a security case by fetching its primary +details (status, priority, description), all linked security alerts, and the full +history of comments added by analysts or automation. + +Options: + --case-id The unique identifier (ID) of the case for full details [REQUIRED] + --help Show this help message + +Examples: + /secops get-case-details --case-id="523" + /secops get-case-details --case-id="724" + +Use Cases: +- Primary tool for starting investigation of specific case identified within SOAR +- Get comprehensive initial overview by gathering core SOAR case data in one call +- Understand complete incident context, scope, investigation progress, and collaboration notes +- Starting point for full investigation (requires deeper analysis using subsequent tools) + +The response includes: +- case_details: Raw API response for basic case information +- case_alerts: Raw API response containing list of alerts associated with the case +- case_comments: Raw API response containing list of comments for the case + +Important Triage Note: +Use the priority field as initial guide only. Analyze the combined details (alerts, +comments, entities involved, potential impact, related threat intelligence) to +determine the true importance and urgency of the case. + +Workflow Integration: +- Primary tool for starting investigation of specific case identified within SOAR platform +- Provides comprehensive initial overview - this is a starting point for full investigation +- Requires deeper analysis using subsequent tools for complete understanding + +Next Steps (Essential for Full Investigation): +- Analyze case_details for status, priority, and description +- Examine case_alerts to understand triggers - use /secops list-events-by-alert for underlying event data +- Review case_comments for analyst notes or previous actions +- Identify key entities from alerts or comments +- Use /secops get-entities-by-alert-groups to find entities associated with case/alert groups +- Enrich findings using SIEM (entity-lookup, search-events), TI (threat-intel), EDR, Cloud tools +- Document investigation progress using case commenting tools +- Consider adjusting case priority using priority management tools based on findings +{% else %} +Call the get_case_full_details tool with: `get_case_full_details(case_id={{case-id}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case for full details" \ No newline at end of file From dfacc090b675d41df341fabc7cef5f9c954012b1 Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Wed, 30 Jul 2025 22:52:18 -0400 Subject: [PATCH 09/16] Add comprehensive GTI slash commands for Google Threat Intelligence MCP tools Implements 14 slash commands covering all major GTI MCP capabilities: - Threat search: search-threats, search-campaigns, search-actors, search-malware, search-vulns - Analysis: file-report, domain-report, ip-report, url-report - Collections: get-collection, collection-timeline, collection-mitre - Intelligence: search-iocs, search-darkweb - Profiles: list-profiles, get-profile Each command includes comprehensive help text, usage examples, supported parameters, and next-step recommendations following established conventions. --- .gemini/commands/gti.toml | 1035 +++++++++++++++++++++++++++++++++++++ 1 file changed, 1035 insertions(+) create mode 100644 .gemini/commands/gti.toml diff --git a/.gemini/commands/gti.toml b/.gemini/commands/gti.toml new file mode 100644 index 00000000..a97e7025 --- /dev/null +++ b/.gemini/commands/gti.toml @@ -0,0 +1,1035 @@ +description = "Implement slash commands to call Google Threat Intelligence MCP Tools" +prompt = """ +You are implementing /slash-commands to call the available Google Threat Intelligence MCP Tools +""" + +# GTI search_threats +[[subCommands]] +name = "search-threats" +description = "Search for threats in Google Threat Intelligence platform (threat actors, malware families, campaigns, reports, vulnerabilities)" +prompt = """ +{% if help %} +Usage: /gti search-threats [OPTIONS] + +Search threats in the Google Threat Intelligence platform. + +Threats are modeled as collections. This command provides a unified search across +all threat types with optional filtering by collection type for more precise results. + +Options: + --query Search query to find threats [REQUIRED] + --collection-type Filter by threat type (optional) + --limit Maximum number of threats to return (default: 5) + --order-by Sort order (default: "relevance-") + --help Show this help message + +Collection Types: + threat-actor Search for specific actors, groups, or APTs + malware-family Search for malware, trojans, viruses, ransomware families + software-toolkit Search for legitimate tools often used with malware + campaign Search for specific attack campaigns + report Search for analysis reports + vulnerability Search for specific CVEs or vulnerabilities + collection Generic collections (use if no other type fits) + +Order By Options: + relevance+ / relevance- Sort by relevance (ascending/descending) + creation_date+ / creation_date- Sort by creation date + +Examples: + /gti search-threats --query="APT41" # Search all threat types + /gti search-threats --query="ransomware" --collection-type="malware-family" + /gti search-threats --query="Log4j" --collection-type="vulnerability" --limit=10 + /gti search-threats --query="Cobalt Strike" --collection-type="software-toolkit" + /gti search-threats --query="NotPetya" --order-by="creation_date-" + +The response includes: +- Full collection objects with detailed threat information +- Threat actor details, TTPs, and associations +- Malware family characteristics and indicators +- Campaign timelines and targets +- Vulnerability details and exploitation information + +Use Cases: +- Research specific threat actors or groups +- Find information about malware families +- Investigate attack campaigns +- Get context on vulnerabilities +- Discover related threats and associations + +Next Steps: +- Use /gti get-collection --id=ID for detailed collection information +- Use /gti collection-timeline --id=ID for threat actor/campaign timelines +- Use /gti collection-mitre --id=ID for MITRE ATT&CK mappings +{% else %} +Call the search_threats tool with: `search_threats(query={{query}}, collection_type={{collection-type}}, limit={{limit}}, order_by={{order-by}})` +{% endif %} +""" + [[subCommands.args]] + name = "query" + required = true + description = "Search query to find threats" + [[subCommands.args]] + name = "collection-type" + required = false + description = "Filter by threat type (threat-actor, malware-family, software-toolkit, campaign, report, vulnerability, collection)" + [[subCommands.args]] + name = "limit" + required = false + default = "5" + description = "Maximum number of threats to return" + [[subCommands.args]] + name = "order-by" + required = false + default = "relevance-" + description = "Order results by relevance or creation_date (+ for ascending, - for descending)" + +# GTI search_campaigns +[[subCommands]] +name = "search-campaigns" +description = "Search threat campaigns in Google Threat Intelligence platform" +prompt = """ +{% if help %} +Usage: /gti search-campaigns [OPTIONS] + +Search threat campaigns in the Google Threat Intelligence platform. + +Campaigns are modeled as collections representing coordinated attack activities +by threat actors targeting specific organizations, industries, or regions. + +Options: + --query Search query to find campaigns [REQUIRED] + --limit Maximum number of campaigns to return (default: 10) + --order-by Sort order (default: "relevance-") + --help Show this help message + +Examples: + /gti search-campaigns --query="SolarWinds" # Search for SolarWinds campaign + /gti search-campaigns --query="healthcare" --limit=20 # Campaigns targeting healthcare + /gti search-campaigns --query="APT1" --order-by="creation_date-" + /gti search-campaigns --query="ransomware 2023" # Recent ransomware campaigns + +Use Cases: +- Research major attack campaigns +- Find campaigns targeting specific industries +- Investigate coordinated threat actor activities +- Analyze campaign TTPs and indicators + +Next Steps: +- Use /gti get-collection --id=ID for detailed campaign information +- Use /gti collection-timeline --id=ID for campaign timeline events +- Use /gti collection-relations --id=ID to find related entities +{% else %} +Call the search_campaigns tool with: `search_campaigns(query={{query}}, limit={{limit}}, order_by={{order-by}})` +{% endif %} +""" + [[subCommands.args]] + name = "query" + required = true + description = "Search query to find campaigns" + [[subCommands.args]] + name = "limit" + required = false + default = "10" + description = "Maximum number of campaigns to return" + [[subCommands.args]] + name = "order-by" + required = false + default = "relevance-" + description = "Order results by relevance or creation_date" + +# GTI search_threat_actors +[[subCommands]] +name = "search-actors" +description = "Search threat actors in Google Threat Intelligence platform" +prompt = """ +{% if help %} +Usage: /gti search-actors [OPTIONS] + +Search threat actors in the Google Threat Intelligence platform. + +Threat actors are modeled as collections representing individuals, groups, +or organizations conducting malicious cyber activities. + +Options: + --query Search query to find threat actors [REQUIRED] + --limit Maximum number of actors to return (default: 10) + --order-by Sort order (default: "relevance-") + --help Show this help message + +Examples: + /gti search-actors --query="APT28" # Search for specific APT group + /gti search-actors --query="Lazarus Group" # Search by group name + /gti search-actors --query="ransomware" --limit=15 # Actors involved in ransomware + /gti search-actors --query="nation-state China" # Chinese nation-state actors + +Use Cases: +- Research specific APT groups or threat actors +- Find actors associated with particular malware families +- Investigate nation-state threat groups +- Analyze actor TTPs and capabilities + +Next Steps: +- Use /gti get-collection --id=ID for detailed actor profile +- Use /gti collection-timeline --id=ID for actor activity timeline +- Use /gti collection-mitre --id=ID for actor's MITRE ATT&CK techniques +{% else %} +Call the search_threat_actors tool with: `search_threat_actors(query={{query}}, limit={{limit}}, order_by={{order-by}})` +{% endif %} +""" + [[subCommands.args]] + name = "query" + required = true + description = "Search query to find threat actors" + [[subCommands.args]] + name = "limit" + required = false + default = "10" + description = "Maximum number of actors to return" + [[subCommands.args]] + name = "order-by" + required = false + default = "relevance-" + description = "Order results by relevance or creation_date" + +# GTI search_malware_families +[[subCommands]] +name = "search-malware" +description = "Search malware families in Google Threat Intelligence platform" +prompt = """ +{% if help %} +Usage: /gti search-malware [OPTIONS] + +Search malware families in the Google Threat Intelligence platform. + +Malware families are modeled as collections representing related malicious +software variants sharing common characteristics, code, or functionality. + +Options: + --query Search query to find malware families [REQUIRED] + --limit Maximum number of families to return (default: 10) + --order-by Sort order (default: "relevance-") + --help Show this help message + +Examples: + /gti search-malware --query="Emotet" # Search for specific malware + /gti search-malware --query="banking trojan" # Search by malware type + /gti search-malware --query="Cobalt Strike" --limit=5 # Limit results + /gti search-malware --query="ransomware 2024" --order-by="creation_date-" + +Malware Categories: +- Trojans, viruses, worms +- Ransomware families +- Banking malware +- RATs (Remote Access Trojans) +- Botnets and bot malware +- Crypto miners +- Loaders and droppers + +Use Cases: +- Research specific malware families +- Find variants of known malware +- Investigate malware used in campaigns +- Analyze malware capabilities and indicators + +Next Steps: +- Use /gti get-collection --id=ID for detailed malware analysis +- Use /gti collection-relations --id=ID to find associated files/IOCs +- Use /gti file-report --hash=HASH for specific malware samples +{% else %} +Call the search_malware_families tool with: `search_malware_families(query={{query}}, limit={{limit}}, order_by={{order-by}})` +{% endif %} +""" + [[subCommands.args]] + name = "query" + required = true + description = "Search query to find malware families" + [[subCommands.args]] + name = "limit" + required = false + default = "10" + description = "Maximum number of families to return" + [[subCommands.args]] + name = "order-by" + required = false + default = "relevance-" + description = "Order results by relevance or creation_date" + +# GTI search_vulnerabilities +[[subCommands]] +name = "search-vulns" +description = "Search vulnerabilities (CVEs) in Google Threat Intelligence platform" +prompt = """ +{% if help %} +Usage: /gti search-vulns [OPTIONS] + +Search vulnerabilities (CVEs) in the Google Threat Intelligence platform. + +Vulnerabilities are modeled as collections containing detailed information +about security flaws, their exploitation, and associated threats. + +Options: + --query Search query to find vulnerabilities [REQUIRED] + --limit Maximum number of vulnerabilities to return (default: 10) + --order-by Sort order (default: "relevance-") + --help Show this help message + +Examples: + /gti search-vulns --query="CVE-2023-44487" # Search specific CVE + /gti search-vulns --query="Log4j" # Search by vulnerability name + /gti search-vulns --query="Apache" --limit=20 # Apache vulnerabilities + /gti search-vulns --query="critical RCE" --order-by="relevance-" + /gti search-vulns --query="Microsoft Exchange" # Exchange vulnerabilities + +Search Tips: +- Use CVE identifiers (CVE-YYYY-NNNNN) +- Search by product or vendor names +- Include vulnerability types (RCE, SQLi, XSS, etc.) +- Use severity terms (critical, high, medium, low) +- Search by exploitation status (exploited, poc) + +Use Cases: +- Research specific CVE details and impact +- Find vulnerabilities affecting particular products +- Investigate exploited vulnerabilities +- Track vulnerability disclosure timelines +- Analyze vulnerability exploitation trends + +Next Steps: +- Use /gti get-collection --id=ID for detailed vulnerability information +- Use /gti collection-relations --id=ID to find exploitation tools/campaigns +- Use /gti search-iocs to find related indicators +{% else %} +Call the search_vulnerabilities tool with: `search_vulnerabilities(query={{query}}, limit={{limit}}, order_by={{order-by}})` +{% endif %} +""" + [[subCommands.args]] + name = "query" + required = true + description = "Search query to find vulnerabilities" + [[subCommands.args]] + name = "limit" + required = false + default = "10" + description = "Maximum number of vulnerabilities to return" + [[subCommands.args]] + name = "order-by" + required = false + default = "relevance-" + description = "Order results by relevance or creation_date" + +# GTI get_file_report +[[subCommands]] +name = "file-report" +description = "Get comprehensive file analysis report using MD5/SHA-1/SHA-256 hash" +prompt = """ +{% if help %} +Usage: /gti file-report [OPTIONS] + +Get comprehensive file analysis report using file hash. + +Returns concise summary of key threat details including detection statistics, +threat classification, and important indicators from VirusTotal analysis. + +Options: + --hash MD5, SHA-1, or SHA-256 hash of the file [REQUIRED] + --help Show this help message + +Examples: + /gti file-report --hash="8ab2cfcd123456789abcdef" # MD5 hash + /gti file-report --hash="e4d909c290d0fb1ca068ffaddf22cbd0" # SHA-1 hash + /gti file-report --hash="a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3" # SHA-256 + +Hash Formats Supported: +- MD5: 32 hexadecimal characters +- SHA-1: 40 hexadecimal characters +- SHA-256: 64 hexadecimal characters + +The response includes: +- Detection statistics from multiple AV engines +- File metadata (size, type, names) +- Threat classification and malware family +- Behavioral analysis results +- File reputation and prevalence +- Submission and analysis timestamps +- Related campaigns and threat actors (if applicable) + +Use Cases: +- Analyze suspicious files found in investigations +- Verify file reputation before execution +- Research malware samples and variants +- Investigate files flagged by security tools +- Validate file safety for incident response + +Next Steps: +- Use /gti file-behavior --hash=HASH for detailed behavioral analysis +- Use /gti file-relations --hash=HASH to find related entities +- Use /gti search-threats with malware family names found in report +{% else %} +Call the get_file_report tool with: `get_file_report(hash={{hash}})` +{% endif %} +""" + [[subCommands.args]] + name = "hash" + required = true + description = "MD5, SHA-1, or SHA-256 hash of the file to analyze" + +# GTI get_domain_report +[[subCommands]] +name = "domain-report" +description = "Get comprehensive domain analysis report from Google Threat Intelligence" +prompt = """ +{% if help %} +Usage: /gti domain-report [OPTIONS] + +Get comprehensive domain analysis report from Google Threat Intelligence. + +Provides detailed analysis of domain reputation, threat associations, +and security-relevant information from VirusTotal's extensive database. + +Options: + --domain Domain name to analyze [REQUIRED] + --help Show this help message + +Examples: + /gti domain-report --domain="malicious.example.com" # Analyze specific domain + /gti domain-report --domain="google.com" # Analyze legitimate domain + /gti domain-report --domain="phishing-site.net" # Check suspicious domain + +Domain Format: +- Provide domain name only (no protocol/scheme) +- Examples: example.com, subdomain.example.org, malware.net +- Do not include: http://, https://, www. (unless part of subdomain) + +The response includes: +- Domain reputation and threat classification +- DNS resolution information +- WHOIS registration details +- Associated malware and campaigns +- Detection statistics from security vendors +- Domain creation and modification dates +- Related domains and subdomains +- Certificate and hosting information + +Use Cases: +- Investigate suspicious domains found in logs or alerts +- Validate domain reputation before allowing access +- Research domains associated with phishing campaigns +- Analyze C2 infrastructure used by malware +- Check domains flagged by security monitoring tools + +Next Steps: +- Use /gti domain-relations --domain=DOMAIN to find related entities +- Use /gti search-threats to research associated campaigns +- Use /gti url-report for specific URLs on the domain +{% else %} +Call the get_domain_report tool with: `get_domain_report(domain={{domain}})` +{% endif %} +""" + [[subCommands.args]] + name = "domain" + required = true + description = "Domain name to analyze" + +# GTI get_ip_address_report +[[subCommands]] +name = "ip-report" +description = "Get comprehensive IP address analysis report (IPv4/IPv6) from Google Threat Intelligence" +prompt = """ +{% if help %} +Usage: /gti ip-report [OPTIONS] + +Get comprehensive IP address analysis report from Google Threat Intelligence. + +Provides detailed analysis of IP reputation, threat associations, geolocation, +and security-relevant information from VirusTotal's database. + +Options: + --ip-address IP address to analyze (IPv4 or IPv6) [REQUIRED] + --help Show this help message + +Examples: + /gti ip-report --ip-address="192.168.1.100" # IPv4 address + /gti ip-report --ip-address="203.0.113.42" # Public IPv4 + /gti ip-report --ip-address="2001:db8::1" # IPv6 address + /gti ip-report --ip-address="8.8.8.8" # Well-known IP + +Supported Formats: +- IPv4: Standard dotted decimal notation (192.168.1.1) +- IPv6: Standard colon notation (2001:db8::1) +- Both private and public IP addresses + +The response includes: +- IP reputation and threat classification +- Geolocation information (country, city, ASN) +- Associated malware and threat campaigns +- Hosting provider and network information +- Detection statistics from security vendors +- Historical analysis and first/last seen dates +- Related domains and URLs hosted on the IP +- Port scan and service information + +Use Cases: +- Investigate suspicious IP addresses from network logs +- Validate IP reputation for firewall rules +- Research command and control servers +- Analyze IP addresses flagged in security alerts +- Check hosting infrastructure for malicious domains + +Next Steps: +- Use /gti ip-relations --ip-address=IP to find related entities +- Use /gti search-threats to research associated campaigns +- Use /gti domain-report for domains hosted on the IP +{% else %} +Call the get_ip_address_report tool with: `get_ip_address_report(ip_address={{ip-address}})` +{% endif %} +""" + [[subCommands.args]] + name = "ip-address" + required = true + description = "IP address to analyze (IPv4 or IPv6)" + +# GTI get_url_report +[[subCommands]] +name = "url-report" +description = "Get comprehensive URL analysis report from Google Threat Intelligence" +prompt = """ +{% if help %} +Usage: /gti url-report [OPTIONS] + +Get comprehensive URL analysis report from Google Threat Intelligence. + +Provides detailed analysis of URL reputation, threat associations, content analysis, +and security-relevant information from VirusTotal's scanning engines. + +Options: + --url URL to analyze [REQUIRED] + --help Show this help message + +Examples: + /gti url-report --url="https://malicious.example.com/payload.exe" + /gti url-report --url="http://phishing-site.net/login.php" + /gti url-report --url="https://cdn.example.org/suspicious-file.zip" + +URL Format: +- Include full URL with protocol (http:// or https://) +- Examples: https://example.com/path, http://malware.net/download +- URL encoding will be handled automatically + +The response includes: +- URL reputation and threat classification +- Content analysis and file downloads +- Detection statistics from security vendors +- Screenshots and visual analysis +- Redirect chain information +- Associated malware and campaigns +- Domain and IP hosting information +- HTTP response details and headers + +Use Cases: +- Investigate suspicious URLs from email or web logs +- Validate URL safety before user access +- Research phishing and malware distribution sites +- Analyze URLs flagged by security monitoring +- Check download links for malicious content + +Next Steps: +- Use /gti url-relations --url=URL to find related entities +- Use /gti domain-report --domain=DOMAIN for the hosting domain +- Use /gti file-report --hash=HASH for downloaded files +{% else %} +Call the get_url_report tool with: `get_url_report(url={{url}})` +{% endif %} +""" + [[subCommands.args]] + name = "url" + required = true + description = "URL to analyze" + +# GTI get_collection_report +[[subCommands]] +name = "get-collection" +description = "Get detailed information about a specific threat collection by ID" +prompt = """ +{% if help %} +Usage: /gti get-collection [OPTIONS] + +Get detailed information about a specific threat collection by ID. + +At Google Threat Intelligence, threats are modeled as 'collections' with different +types like malware-family, threat-actor, campaign, report, or vulnerability. + +Options: + --id Google Threat Intelligence collection identifier [REQUIRED] + --help Show this help message + +Examples: + /gti get-collection --id="f2ca1bb6c7e907d06dafe4687f" # Get collection details + /gti get-collection --id="threat-actor-apt41" # Threat actor collection + /gti get-collection --id="malware-emotet-2024" # Malware family collection + +Collection Types: +- malware-family: Malware families and variants +- threat-actor: APT groups and threat actors +- campaign: Attack campaigns and operations +- report: Threat intelligence reports +- vulnerability: CVE and vulnerability information +- collection: Generic threat collections + +The response includes: +- Collection metadata and classification +- Detailed threat information and context +- Associated indicators of compromise (IOCs) +- Attribution and actor information +- Timeline of threat activity +- MITRE ATT&CK technique mappings +- Related collections and entities + +Use Cases: +- Get comprehensive details about a specific threat +- Research threat actor profiles and capabilities +- Investigate malware family characteristics +- Analyze campaign scope and targets +- Review vulnerability exploitation details + +Next Steps: +- Use /gti collection-timeline --id=ID for activity timeline +- Use /gti collection-mitre --id=ID for MITRE ATT&CK mappings +- Use /gti collection-relations --id=ID to find related entities +{% else %} +Call the get_collection_report tool with: `get_collection_report(id={{id}})` +{% endif %} +""" + [[subCommands.args]] + name = "id" + required = true + description = "Google Threat Intelligence collection identifier" + +# GTI search_iocs +[[subCommands]] +name = "search-iocs" +description = "Search Indicators of Compromise (IOC) in Google Threat Intelligence platform" +prompt = """ +{% if help %} +Usage: /gti search-iocs [OPTIONS] + +Search Indicators of Compromise (IOC) in the Google Threat Intelligence platform. + +Search for different IOC types using entity modifiers with support for various +search parameters and ordering options. + +Options: + --query Search query to find IOCs [REQUIRED] + --limit Maximum number of IOCs to return (default: 10) + --order-by Sort order (default: "last_submission_date-") + --help Show this help message + +Entity Types and Supported Orders: + file: first_submission_date, last_submission_date, positives, times_submitted, size + url: first_submission_date, last_submission_date, positives, times_submitted, status + domain: creation_date, last_modification_date, last_update_date, positives + ip: ip, last_modification_date, positives + +Search Modifiers: +Use entity: prefix to specify IOC type: + entity:file Search files only + entity:url Search URLs only + entity:domain Search domains only + entity:ip Search IP addresses only + +Integer Modifiers (for numeric fields): + p:60+ Greater than 60 (positives > 60) + p:60- Less than 60 (positives < 60) + p:60 Equal to 60 (positives = 60) + +Examples: + /gti search-iocs --query="malware.exe" # Search all IOC types + /gti search-iocs --query="entity:file p:5+" # Files with >5 detections + /gti search-iocs --query="entity:domain creation_date:2024-01-01+" # Recent domains + /gti search-iocs --query="entity:ip 192.168" --limit=20 # IP addresses matching pattern + /gti search-iocs --query="phishing" --order-by="positives-" + +Advanced Search Examples: + /gti search-iocs --query="entity:file type:pdf p:10+" # Malicious PDFs + /gti search-iocs --query="entity:url status:malicious" # Malicious URLs + /gti search-iocs --query="entity:domain registrar:namecheap" # Domains by registrar + +Use Cases: +- Find malicious files by name or characteristics +- Search for suspicious domains and URLs +- Investigate IP addresses with threat associations +- Discover IOCs related to specific campaigns +- Research indicators by detection statistics + +Next Steps: +- Use /gti file-report --hash=HASH for detailed file analysis +- Use /gti domain-report --domain=DOMAIN for domain details +- Use /gti ip-report --ip-address=IP for IP analysis +- Use /gti url-report --url=URL for URL investigation +{% else %} +Call the search_iocs tool with: `search_iocs(query={{query}}, limit={{limit}}, order_by={{order-by}})` +{% endif %} +""" + [[subCommands.args]] + name = "query" + required = true + description = "Search query to find IOCs" + [[subCommands.args]] + name = "limit" + required = false + default = "10" + description = "Maximum number of IOCs to return" + [[subCommands.args]] + name = "order-by" + required = false + default = "last_submission_date-" + description = "Order results (see help for entity-specific options)" + +# GTI collection timeline events +[[subCommands]] +name = "collection-timeline" +description = "Retrieve timeline events for a threat collection (campaigns/threat actors) with curated analyst information" +prompt = """ +{% if help %} +Usage: /gti collection-timeline [OPTIONS] + +Retrieve timeline events for a threat collection with curated analyst information. + +This provides super valuable curated information produced by security analysts +at Google Threat Intelligence, particularly useful for campaigns and threat actors. + +Options: + --id Collection identifier [REQUIRED] + --help Show this help message + +Examples: + /gti collection-timeline --id="threat-actor-apt41" # APT41 timeline + /gti collection-timeline --id="campaign-solarwinds" # Campaign timeline + /gti collection-timeline --id="malware-emotet-2024" # Malware timeline + +Common Display Grouping: +Events are typically grouped by the "event_category" field for better organization: +- Initial Access +- Persistence +- Defense Evasion +- Credential Access +- Discovery +- Lateral Movement +- Collection +- Exfiltration +- Impact + +The response includes: +- Chronological timeline of threat activities +- Curated analyst insights and context +- Event categories mapped to MITRE ATT&CK +- Attribution details and evidence +- Campaign phases and evolution +- Technical indicators and TTPs +- Victim information and targeting + +Use Cases: +- Research threat actor activity patterns +- Understand campaign progression and phases +- Analyze threat evolution over time +- Investigate attack methodologies +- Plan defense strategies based on historical patterns + +Next Steps: +- Use /gti collection-mitre --id=ID for MITRE ATT&CK technique details +- Use /gti collection-relations --id=ID to find associated IOCs +- Use /gti search-threats to find related threat collections +{% else %} +Call the get_collection_timeline_events tool with: `get_collection_timeline_events(id={{id}})` +{% endif %} +""" + [[subCommands.args]] + name = "id" + required = true + description = "Collection identifier" + +# GTI collection MITRE tree +[[subCommands]] +name = "collection-mitre" +description = "Retrieve MITRE ATT&CK tactics and techniques associated with a threat collection" +prompt = """ +{% if help %} +Usage: /gti collection-mitre [OPTIONS] + +Retrieve MITRE ATT&CK tactics and techniques associated with a threat collection. + +Returns the tactics and techniques that security analysts have mapped to +specific threat actors, malware families, or campaigns. + +Options: + --id Collection identifier [REQUIRED] + --help Show this help message + +Examples: + /gti collection-mitre --id="threat-actor-apt28" # APT28 MITRE mappings + /gti collection-mitre --id="malware-cobalt-strike" # Cobalt Strike techniques + /gti collection-mitre --id="campaign-petya-2017" # NotPetya campaign TTPs + +The response includes: +- MITRE ATT&CK tactics (TA####) with descriptions +- Specific techniques (T####) and sub-techniques (T####.###) +- Technique descriptions and context +- Relationship between tactics and techniques +- Evidence and examples of technique usage + +MITRE ATT&CK Tactic Categories: +- TA0001: Initial Access +- TA0002: Execution +- TA0003: Persistence +- TA0004: Privilege Escalation +- TA0005: Defense Evasion +- TA0006: Credential Access +- TA0007: Discovery +- TA0008: Lateral Movement +- TA0009: Collection +- TA0010: Exfiltration +- TA0011: Command and Control +- TA0040: Impact + +Use Cases: +- Map threat actor capabilities to MITRE framework +- Understand attack patterns and methodologies +- Plan defensive strategies and controls +- Assess organizational security gaps +- Research threat behavior patterns + +Next Steps: +- Use /gti collection-timeline --id=ID for detailed activity timeline +- Use /gti search-threats --query="T####" to find other threats using same techniques +- Use threat intelligence to enhance detection rules and monitoring +{% else %} +Call the get_collection_mitre_tree tool with: `get_collection_mitre_tree(id={{id}})` +{% endif %} +""" + [[subCommands.args]] + name = "id" + required = true + description = "Collection identifier" + +# GTI list threat profiles +[[subCommands]] +name = "list-profiles" +description = "List your threat profiles that filter Google TI intelligence for organization-specific threats" +prompt = """ +{% if help %} +Usage: /gti list-profiles [OPTIONS] + +List your threat profiles at Google Threat Intelligence. + +Threat Profiles filter all of Google TI's threat intelligence so you can focus +only on the threats that matter most to your organization based on industries, +regions, and other criteria. + +Options: + --limit Maximum number of profiles to return (default: 10) + --help Show this help message + +Examples: + /gti list-profiles # List all threat profiles + /gti list-profiles --limit=20 # List up to 20 profiles + +Threat Profile Benefits: +- Apply top-level filters for Target Industries and Target Regions +- Get more focused view of relevant threats +- Receive personalized threat intelligence recommendations +- Filter out noise from irrelevant geographic or industry threats + +Profile Information Includes: +- Profile name and description +- Configured interests (industries, regions, actor motivations) +- Enable/disable status for ML recommendations +- Creation and modification dates +- Associated threat count estimates + +Use Cases: +- Review configured organizational threat filters +- Identify most relevant threat profiles for current investigations +- Find profiles matching specific industry or geographic focus +- Validate threat intelligence filtering settings + +Next Steps: +- Use /gti get-profile --profile-id=ID for detailed profile information +- Use /gti profile-recommendations --profile-id=ID to see relevant threats +- Use /gti profile-timeline --profile-id=ID for association timeline + +Important Note: +When searching for threats, check threat profiles first before performing +general searches. Profile recommendations are more relevant to your organization +than generic search results. +{% else %} +Call the list_threat_profiles tool with: `list_threat_profiles(limit={{limit}})` +{% endif %} +""" + [[subCommands.args]] + name = "limit" + required = false + default = "10" + description = "Maximum number of profiles to return" + +# GTI get threat profile +[[subCommands]] +name = "get-profile" +description = "Get detailed information about a specific threat profile" +prompt = """ +{% if help %} +Usage: /gti get-profile [OPTIONS] + +Get detailed information about a specific threat profile. + +Retrieves comprehensive configuration and settings for a threat profile, +including interests, targeting criteria, and recommendation settings. + +Options: + --profile-id Threat Profile identifier [REQUIRED] + --help Show this help message + +Examples: + /gti get-profile --profile-id="profile-healthcare-na" # Healthcare North America profile + /gti get-profile --profile-id="profile-financial-global" # Financial services profile + +Profile Information Includes: +- Profile name, description, and metadata +- Creation and last modification dates +- Recommendation settings (ML-enabled or manual) +- Configured interests and filtering criteria: + * Target Industries (healthcare, financial, government, etc.) + * Target Regions (ISO-3166 country codes) + * Source Regions (threat actor origins) + * Malware Roles (banking, ransomware, espionage, etc.) + * Actor Motivations (financial, espionage, hacktivism, etc.) + +Interest Categories: +- INTEREST_TYPE_TARGETED_INDUSTRY: Industries frequently targeted +- INTEREST_TYPE_TARGETED_REGION: Geographic regions of interest +- INTEREST_TYPE_SOURCE_REGION: Threat actor source regions +- INTEREST_TYPE_MALWARE_ROLE: Types of malware functionality +- INTEREST_TYPE_ACTOR_MOTIVATION: Threat actor motivations + +Use Cases: +- Review threat profile configuration and scope +- Understand filtering criteria for threat intelligence +- Validate profile settings match organizational needs +- Audit threat intelligence personalization settings + +Next Steps: +- Use /gti profile-recommendations --profile-id=ID to see relevant threats +- Use /gti profile-timeline --profile-id=ID for threat associations +- Use /gti search-threats with profile-specific criteria +{% else %} +Call the get_threat_profile tool with: `get_threat_profile(profile_id={{profile-id}})` +{% endif %} +""" + [[subCommands.args]] + name = "profile-id" + required = true + description = "Threat Profile identifier" + +# GTI search digital threat monitoring +[[subCommands]] +name = "search-darkweb" +description = "Search Digital Threat Monitoring (DTM) for darkweb content using Lucene syntax" +prompt = """ +{% if help %} +Usage: /gti search-darkweb [OPTIONS] + +Search Digital Threat Monitoring (DTM) using Lucene syntax. + +Search darkweb forums, paste sites, Telegram channels, compromised data, +and other underground sources for threats targeting your organization. + +Options: + --query Lucene-like query string [REQUIRED] + --size Number of results per page (0-25, default: 10) + --since Timestamp to search from (optional) + --until Timestamp to search until (optional) + --doc-type Document type filter (optional) + --help Show this help message + +Document Types (doc_type): + web_content_publish General website content + document Office documents and PDFs + domain_discovery Newly discovered domain names + email Malicious emails + forum_post Darkweb forum posts + message Chat messages (Telegram, etc.) + paste Paste site content (Pastebin, etc.) + shop_listing Items for sale on dark web + +Threat Types (threat_type): + information-security/apt Advanced Persistent Threat + information-security/botnet Botnet infrastructure + information-security/compromised Compromised infrastructure + information-security/doxing Personal information disclosure + information-security/exploit Exploits and vulnerabilities + information-security/information-leak Information leaks + information-security/malware Malware samples and families + information-security/phishing Phishing campaigns + information-security/ransomware Ransomware activities + information-security/ransomware-victim-listing Ransomware victim data + +Searchable Fields: + author.identity.name Forum post author handle + subject Subject line of forum post + body Body text of content + inet_location.url URL where content was found + language Content language + title Web page title + channel.name Telegram channel name + domain DNS domain name + cve CVE entry by ID + +Examples: + /gti search-darkweb --query="your-company-name" + /gti search-darkweb --query="domain:yourcompany.com" --doc-type="forum_post" + /gti search-darkweb --query="CVE-2023-44487" --size=20 + /gti search-darkweb --query="author.identity.name:cybercriminal" --doc-type="message" + +Advanced Examples: + # Search for company mentions in ransomware forums + /gti search-darkweb --query="body:(CompanyName AND ransomware)" --doc-type="forum_post" + + # Find credential leaks + /gti search-darkweb --query="@yourcompany.com" --doc-type="paste" + + # Monitor threat actor communications + /gti search-darkweb --query="channel.name:apt-group" --doc-type="message" + +Use Cases: +- Monitor mentions of your organization on dark web +- Track credential leaks and data breaches +- Research threat actor communications +- Find stolen corporate data and documents +- Monitor ransomware victim listings +- Track vulnerability discussions and exploits + +Note: Search requests are limited to 60 seconds duration. +{% else %} +Call the search_digital_threat_monitoring tool with: `search_digital_threat_monitoring(query={{query}}, size={{size}}, since={{since}}, until={{until}}, doc_type={{doc-type}})` +{% endif %} +""" + [[subCommands.args]] + name = "query" + required = true + description = "Lucene-like query string for document search" + [[subCommands.args]] + name = "size" + required = false + default = "10" + description = "Number of results per page (0-25)" + [[subCommands.args]] + name = "since" + required = false + description = "Timestamp to search for documents since" + [[subCommands.args]] + name = "until" + required = false + description = "Timestamp to search for documents until" + [[subCommands.args]] + name = "doc-type" + required = false + description = "Document type filter (forum_post, message, paste, etc.)" \ No newline at end of file From 6283e64a16e7fd7192f506ec8204a3b7f6226349 Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Wed, 30 Jul 2025 22:58:48 -0400 Subject: [PATCH 10/16] Add SOAR case management commands for Gemini CLI - Integration of 10 SOAR case management MCP tools as Gemini CLI subcommands - Includes case listing, commenting, alert management, and entity operations - Features comprehensive case investigation and triage capabilities - Supports case priority management and entity enrichment workflows - Enables natural language SOAR case management through Gemini CLI interface --- .gemini/commands/secops/soar.toml | 627 ++++++++++++++++++++++++++++++ 1 file changed, 627 insertions(+) create mode 100644 .gemini/commands/secops/soar.toml diff --git a/.gemini/commands/secops/soar.toml b/.gemini/commands/secops/soar.toml new file mode 100644 index 00000000..33a08adb --- /dev/null +++ b/.gemini/commands/secops/soar.toml @@ -0,0 +1,627 @@ +description = "Implement slash command to call MCP Tools" +prompt = """ +You are implementing /slash-commands to call the available MCP Tools +""" + +# SOAR Case Management Commands + +# SOAR list_cases +[[subCommands]] +name = "list-cases" +description = "List cases available in the Security Orchestration, Automation, and Response (SOAR) platform" +prompt = """ +{% if help %} +Usage: /secops list-cases [OPTIONS] + +List cases available in the Security Orchestration, Automation, and Response (SOAR) platform. + +In a SOAR context, a 'case' typically represents a security incident, investigation, +or a container for related alerts and response actions. Listing cases provides an +overview of ongoing or past security events being managed by the platform. + +Options: + --next-page-token Token to fetch the next page of results (optional) + --help Show this help message + +Examples: + /secops list-cases # List current cases + /secops list-cases --next-page-token="abc123xyz" # Get next page of results + +Use Cases: +- Get high-level overview of current incident queue within SOAR platform +- Find specific incidents to investigate further +- First step in triage workflow to understand ongoing security events +- Monitor case backlog and priorities + +The response includes: +- List of case objects with summary details (ID, name, status, priority) +- Case priorities (initial indicator - true importance requires deeper analysis) +- Associated metadata and timestamps +- Pagination tokens for additional results + +Important Triage Note: +Case priority is only an initial indicator. True importance must be assessed by +examining the full context (alerts, entities, potential impact, threat intelligence) +using tools like /secops get-case-details. + +Next Steps: +- Use /secops get-case-details --case-id=ID for comprehensive case analysis +- Use /secops list-alerts-by-case --case-id=ID to see associated alerts +- Use /secops change-case-priority if initial assessment suggests different priority +- Extract key indicators and use SIEM, TI, or other security tool integrations +{% else %} +Call the list_cases tool with: `list_cases(next_page_token={{next-page-token}})` +{% endif %} +""" + [[subCommands.args]] + name = "next-page-token" + required = false + description = "Token to fetch the next page of results" + +# SOAR post_case_comment +[[subCommands]] +name = "post-case-comment" +description = "Post a comment to a specific case within the SOAR platform for documentation and collaboration" +prompt = """ +{% if help %} +Usage: /secops post-case-comment [OPTIONS] + +Post a comment to a specific case within the SOAR platform. + +Cases are used to track security incidents and investigations. Adding comments +is essential for documenting findings, communication between analysts, recording +actions taken, or providing updates on the investigation progress. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --comment The textual content of the comment to be recorded [REQUIRED] + --help Show this help message + +Examples: + /secops post-case-comment --case-id="523" --comment="Investigating potential impact" + /secops post-case-comment --case-id="724" --comment="Confirmed malicious activity - escalating" + /secops post-case-comment --case-id="891" --comment="False positive - benign admin activity" + +Use Cases: +- Document findings from other MCP tool investigations (SIEM, TI, EDR, Cloud) +- Record analyst actions and decisions during investigation +- Provide updates on investigation progress for team collaboration +- Maintain audit trail within the SOAR case +- Justify changes in case priority or status + +The response includes: +- Confirmation of successful comment posting +- Any error messages if posting fails +- Updated case comment history + +Workflow Integration: +- Use throughout investigation to document findings from various security tools +- Essential for collaboration and maintaining audit trail within SOAR case +- Document conclusions derived from MCP-enabled tools (SIEM, TI, EDR, Cloud posture) + +Next Steps: +- Continue investigation based on documented information +- Use comments to justify case priority changes or status updates +- Share key findings with other relevant systems (ticketing, reporting) +{% else %} +Call the post_case_comment tool with: `post_case_comment(case_id={{case-id}}, comment={{comment}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "comment" + required = true + description = "The textual content of the comment to be recorded" + +# SOAR list_alerts_by_case +[[subCommands]] +name = "list-alerts-by-case" +description = "List the security alerts associated with a specific case ID in the SOAR platform" +prompt = """ +{% if help %} +Usage: /secops list-alerts-by-case [OPTIONS] + +List the security alerts associated with a specific case ID in the SOAR platform. + +Alerts are notifications generated by security tools (like SIEMs, EDRs) indicating +potential security issues. In SOAR, alerts are often grouped into cases for +investigation and response. Listing alerts helps understand the scope of incidents. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --next-page-token Token to fetch the next page of results (optional) + --help Show this help message + +Examples: + /secops list-alerts-by-case --case-id="523" + /secops list-alerts-by-case --case-id="724" --next-page-token="def456ghi" + +Use Cases: +- Understand specific triggers (alerts) and scope of incident in SOAR case +- Identify alert patterns and relationships within a case +- Get alert severity and metadata for investigation prioritization +- Find alert IDs for deeper event analysis + +The response includes: +- List of alert objects linked to the specified case +- Alert details: name, source, severity, timestamp +- Alert severity (initial guidance - actual risk depends on context and evidence) +- Associated alert metadata and identifiers + +Workflow Integration: +- Use after identifying a case of interest (via list-cases or get-case-details) +- Helps understand specific triggers and scope of incident in SOAR platform +- Provides foundation for deeper investigation into underlying events + +Next Steps: +- Use /secops list-events-by-alert to get raw events underlying specific alerts +- Use /secops list-alert-group-identifiers-by-case to understand alert groupings +- Use /secops get-entities-by-alert-group-identifiers to find entities in alert groups +- Extract indicators from alerts and use SIEM entity lookup or event search +- Correlate alert details with findings from other security tools (EDR, Network, Cloud, TI) +{% else %} +Call the list_alerts_by_case tool with: `list_alerts_by_case(case_id={{case-id}}, next_page_token={{next-page-token}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "next-page-token" + required = false + description = "Token to fetch the next page of results" + +# SOAR list_alert_group_identifiers_by_case +[[subCommands]] +name = "list-alert-group-identifiers" +description = "List alert group identifiers associated with a specific case ID in the SOAR platform" +prompt = """ +{% if help %} +Usage: /secops list-alert-group-identifiers [OPTIONS] + +List alert group identifiers associated with a specific case ID in the SOAR platform. + +In this SOAR implementation, alerts within a case can be grouped using identifiers, +potentially for correlation, playbook execution stages, or analyst assignment. +Retrieving these identifiers helps understand the internal structure of a case. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --next-page-token Token to fetch the next page of results (optional) + --help Show this help message + +Examples: + /secops list-alert-group-identifiers --case-id="523" + /secops list-alert-group-identifiers --case-id="724" --next-page-token="ghi789jkl" + +Use Cases: +- Understand how alerts are grouped within the case +- Identify related sets of alerts for targeted actions +- Support playbook logic that operates on alert groups +- Prepare for entity retrieval from specific alert groups + +The response includes: +- List of alert group identifier strings associated with the case +- Group identifiers used for correlation and organization +- Identifiers that can be used with other SOAR tools + +Workflow Integration: +- Use after identifying a case and its associated alerts within SOAR platform +- Helps understand alert groupings relevant for playbook logic +- Prepares for targeted actions on specific alert groupings + +Next Steps: +- Use /secops get-entities-by-alert-group-identifiers to find entities in these groups +- Use identifiers as parameters for playbook actions or integrations +- Target specific alert groupings for automated or manual interventions +{% else %} +Call the list_alert_group_identifiers_by_case tool with: `list_alert_group_identifiers_by_case(case_id={{case-id}}, next_page_token={{next-page-token}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "next-page-token" + required = false + description = "Token to fetch the next page of results" + +# SOAR list_events_by_alert +[[subCommands]] +name = "list-events-by-alert" +description = "List the underlying security events associated with a specific alert within a given case" +prompt = """ +{% if help %} +Usage: /secops list-events-by-alert [OPTIONS] + +List the underlying security events associated with a specific alert within a given case. + +Security alerts (often derived from detection rules or IoC matches) are typically +triggered by one or more underlying events ingested into the security platform +(e.g., Chronicle). These events provide the raw data needed to validate alerts. + +Options: + --case-id The unique identifier (ID) of the case containing the alert [REQUIRED] + --alert-id The unique identifier (ID) of the specific alert [REQUIRED] + --next-page-token Token to fetch the next page of results (optional) + --help Show this help message + +Examples: + /secops list-events-by-alert --case-id="523" --alert-id="751" + /secops list-events-by-alert --case-id="724" --alert-id="892" --next-page-token="xyz123abc" + +Use Cases: +- Get ground truth event data (often from SIEM) to validate alerts +- Understand exact actions that occurred to trigger the alert +- Perform deep-dive investigations into specific alert triggers +- Extract detailed forensic information from underlying events + +The response includes: +- List of event objects (potentially in UDM format) related to the alert +- Raw data needed to validate alert and understand specific activity +- Event details for forensic analysis and investigation +- Timestamps and metadata for timeline reconstruction + +Workflow Integration: +- Use after identifying specific alert of interest within SOAR case +- Provides ground truth event data from SIEM for alert validation +- Essential for understanding exact actions that occurred + +Next Steps: +- Analyze event data (UDM format) for specific details: command lines, network connections, file hashes, user activity +- Extract new indicators from the events for further investigation +- Use entity lookup or threat intelligence tools to enrich newly found indicators +- Correlate event details with other related events using SIEM event search tools +- Document findings in case management system using commenting tools +{% else %} +Call the list_events_by_alert tool with: `list_events_by_alert(case_id={{case-id}}, alert_id={{alert-id}}, next_page_token={{next-page-token}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case containing the alert" + [[subCommands.args]] + name = "alert-id" + required = true + description = "The unique identifier (ID) of the specific alert" + [[subCommands.args]] + name = "next-page-token" + required = false + description = "Token to fetch the next page of results" + +# SOAR change_case_priority +[[subCommands]] +name = "change-case-priority" +description = "Change the priority level of a specific case in the SOAR platform" +prompt = """ +{% if help %} +Usage: /secops change-case-priority [OPTIONS] + +Change the priority level of a specific case in the SOAR platform. + +Case priority helps security teams triage incidents and focus on the most urgent +threats based on currently available information. Priority can change as more +context is gathered during investigation. + +Options: + --case-id The unique identifier (ID) of the case to update [REQUIRED] + --case-priority The new priority level to assign to the case [REQUIRED] + --help Show this help message + +Valid Priority Values: + PriorityUnspecified, PriorityInfo, PriorityLow, PriorityMedium, PriorityHigh, PriorityCritical + +Examples: + /secops change-case-priority --case-id="523" --case-priority="PriorityHigh" + /secops change-case-priority --case-id="724" --case-priority="PriorityLow" + /secops change-case-priority --case-id="891" --case-priority="PriorityCritical" + +Use Cases: +- Escalate case priority based on new information from MCP tools (SIEM, TI, EDR) +- De-escalate cases found to be false positives or low impact +- Ensure analyst focus aligns with actual risk posed by incident +- Adjust priority during investigation lifecycle based on findings + +The response includes: +- Confirmation of successful priority update +- Error messages if update fails +- Updated case priority information + +Workflow Integration: +- Use during triage or investigation when new information suggests incorrect priority +- Helps ensure analyst focus aligns with actual risk from multiple data sources +- Typically follows analysis using various MCP-enabled security tools + +Next Steps: +- Use /secops post-case-comment to document reason for priority change +- Adjust investigation efforts based on new priority level +- Consider resource allocation changes based on updated priority +{% else %} +Call the change_case_priority tool with: `change_case_priority(case_id={{case-id}}, case_priority={{case-priority}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case to update" + [[subCommands.args]] + name = "case-priority" + required = true + description = "The new priority level (PriorityUnspecified, PriorityInfo, PriorityLow, PriorityMedium, PriorityHigh, PriorityCritical)" + +# SOAR get_entities_by_alert_group_identifiers +[[subCommands]] +name = "get-entities-by-alert-groups" +description = "Retrieve entities (IPs, hostnames, users) involved in specific alert groups within a case" +prompt = """ +{% if help %} +Usage: /secops get-entities-by-alert-groups [OPTIONS] + +Retrieve entities (e.g., IP addresses, hostnames, users) involved in specific alert groups within a case. + +Understanding which entities are associated with alerts is fundamental for incident +investigation and response. This tool fetches entities linked to alert groups, +crucial for identifying affected assets, attack vectors, or compromised accounts. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated list of alert group identifiers [REQUIRED] + --help Show this help message + +Examples: + /secops get-entities-by-alert-groups --case-id="523" --alert-group-identifiers="rule_name_hash_guid" + /secops get-entities-by-alert-groups --case-id="724" --alert-group-identifiers="group1,group2,group3" + +Use Cases: +- Identify specific assets, users, or indicators involved in incident stages +- Get target entities for manual response actions or playbook automation +- Understand scope of impact from specific alert groupings +- Prepare entity lists for targeted response actions + +The response includes: +- List of entities (with identifiers, types, etc.) associated with alert groups +- Entity details and metadata for investigation context +- Information needed for targeted response actions + +Workflow Integration: +- Use after identifying relevant alert group identifiers within SOAR case +- Crucial for pinpointing specific assets/users/indicators in incident aspects +- Provides foundation for targeted response and investigation actions + +Next Steps: +- Analyze entity list to understand scope of impact +- Use /secops get-entity-details to get more SOAR-specific context on individual entities +- Use SIEM entity lookup tools to get broader historical context for these entities +- Use SIEM event search tools to find detailed logs related to entities' activities +- Use threat intelligence tools to enrich the identified entities +- Use entity list as input for targeted response actions via SOAR playbooks or security tools +{% else %} +Call the get_entities_by_alert_group_identifiers tool with: `get_entities_by_alert_group_identifiers(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case containing the alert groups" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated list of identifiers for the alert groups" + +# SOAR get_entity_details +[[subCommands]] +name = "get-entity-details" +description = "Fetch detailed information about a specific entity known to the SOAR platform" +prompt = """ +{% if help %} +Usage: /secops get-entity-details [OPTIONS] + +Fetch detailed information about a specific entity known to the SOAR platform. + +Entities (like IPs, domains, users, assets) are central to security investigations. +This tool retrieves comprehensive details about a specific entity based on its +identifier, type, and environment, including enrichment data and risk scores. + +Options: + --entity-identifier The unique identifier of the entity (e.g., "192.168.1.100") [REQUIRED] + --entity-type The type of the entity (e.g., "IP Address") [REQUIRED] + --entity-environment The environment context for the entity (e.g., "Production") [REQUIRED] + --help Show this help message + +Examples: + /secops get-entity-details --entity-identifier="192.168.1.100" --entity-type="IP Address" --entity-environment="Production" + /secops get-entity-details --entity-identifier="user@company.com" --entity-type="User" --entity-environment="Corporate" + /secops get-entity-details --entity-identifier="workstation-01" --entity-type="Hostname" --entity-environment="Development" + +Use Cases: +- Get SOAR platform's specific view of entity with enrichments +- Retrieve threat intelligence scores and asset inventory details +- Understand related alerts or cases involving the entity +- Get risk scores and observed activity for the entity + +The response includes: +- Detailed attributes and related information for the specified entity +- Enrichment data performed by SOAR playbooks or integrations +- Risk scores and threat intelligence information +- Related alerts, cases, and observed activity + +Workflow Integration: +- Use after identifying specific entity of interest within SOAR platform +- Provides SOAR platform's enriched view including playbook-generated context +- Complements broader SIEM entity lookup tools with SOAR-specific enrichments + +Next Steps: +- Analyze enrichment data provided by SOAR platform (threat intel scores, asset details) +- Compare SOAR entity details with broader context from SIEM entity lookup tools +- Use findings to inform risk assessment and response decisions within SOAR workflow +- Document key details using case commenting tools +- Correlate with information from other security tools (EDR, Network, Cloud, TI) +{% else %} +Call the get_entity_details tool with: `get_entity_details(entity_identifier={{entity-identifier}}, entity_type={{entity-type}}, entity_environment={{entity-environment}})` +{% endif %} +""" + [[subCommands.args]] + name = "entity-identifier" + required = true + description = "The unique identifier of the entity" + [[subCommands.args]] + name = "entity-type" + required = true + description = "The type of the entity" + [[subCommands.args]] + name = "entity-environment" + required = true + description = "The environment context for the entity" + +# SOAR search_entity +[[subCommands]] +name = "search-entity" +description = "Search for entities within the SOAR platform based on various criteria" +prompt = """ +{% if help %} +Usage: /secops search-entity [OPTIONS] + +Search for entities within the SOAR platform based on various criteria. + +This tool provides a flexible way to find entities (assets, users, IOCs, etc.) +matching specific attributes. Useful for exploring the entity database or finding +potentially related entities during an investigation. + +Options: + --term Search term (e.g., partial IP, hostname fragment) (optional) + --type Comma-separated list of entity types to filter by (optional) + --is-suspicious Filter for entities marked as suspicious (true/false) (optional) + --is-internal-asset Filter for entities identified as internal assets (true/false) (optional) + --is-enriched Filter for entities that have undergone enrichment (true/false) (optional) + --network-name Comma-separated list of networks to filter by (optional) + --environment-name Comma-separated list of environments to filter by (optional) + --help Show this help message + +Examples: + /secops search-entity --term="192.168" # Search for IPs starting with 192.168 + /secops search-entity --type="IP Address,Hostname" # Search for IPs and hostnames + /secops search-entity --is-suspicious=true # Find all suspicious entities + /secops search-entity --is-internal-asset=false # Find external entities + /secops search-entity --network-name="DMZ,Production" # Search in specific networks + /secops search-entity --environment-name="Production" # Search in production environment + +Use Cases: +- Exploratory analysis within SOAR platform's entity database +- Find potentially related entities based on partial information +- Identify entities with specific characteristics (suspicious, internal, enriched) +- Discover assets with shared characteristics in specific environments + +The response includes: +- List of entity objects matching the search criteria +- Entity attributes and metadata for investigation context +- Filtering results based on specified criteria + +Workflow Integration: +- Useful for exploratory analysis when you don't have specific identifier from alert/case +- Can help identify potentially related entities based on shared characteristics +- Supports discovery of suspicious hosts in specific environments as known by SOAR + +Next Steps: +- Analyze the list of returned entities for patterns or relationships +- Use /secops get-entity-details for more SOAR-specific information on entities found +- Use SIEM entity lookup tools for broader historical context on interesting entities +- Use threat intelligence tools to enrich findings from the search results +{% else %} +Call the search_entity tool with: `search_entity(term={{term}}, type={{type}}, is_suspicious={{is-suspicious}}, is_internal_asset={{is-internal-asset}}, is_enriched={{is-enriched}}, network_name={{network-name}}, environment_name={{environment-name}})` +{% endif %} +""" + [[subCommands.args]] + name = "term" + required = false + description = "Search term to match against entity identifiers or names" + [[subCommands.args]] + name = "type" + required = false + description = "Comma-separated list of entity types to filter by" + [[subCommands.args]] + name = "is-suspicious" + required = false + description = "Filter for entities marked as suspicious (true/false)" + [[subCommands.args]] + name = "is-internal-asset" + required = false + description = "Filter for entities identified as internal assets (true/false)" + [[subCommands.args]] + name = "is-enriched" + required = false + description = "Filter for entities that have undergone enrichment processes (true/false)" + [[subCommands.args]] + name = "network-name" + required = false + description = "Comma-separated list of networks to filter entities by" + [[subCommands.args]] + name = "environment-name" + required = false + description = "Comma-separated list of environments to filter entities by" + +# SOAR get_case_full_details +[[subCommands]] +name = "get-case-details" +description = "Retrieve comprehensive details for a specific case by aggregating core information, alerts, and comments" +prompt = """ +{% if help %} +Usage: /secops get-case-details [OPTIONS] + +Retrieve comprehensive details for a specific case by aggregating its core information, associated alerts, and comments. + +This tool provides a consolidated view of a security case by fetching its primary +details (status, priority, description), all linked security alerts, and the full +history of comments added by analysts or automation. + +Options: + --case-id The unique identifier (ID) of the case for full details [REQUIRED] + --help Show this help message + +Examples: + /secops get-case-details --case-id="523" + /secops get-case-details --case-id="724" + +Use Cases: +- Primary tool for starting investigation of specific case identified within SOAR +- Get comprehensive initial overview by gathering core SOAR case data in one call +- Understand complete incident context, scope, investigation progress, and collaboration notes +- Starting point for full investigation (requires deeper analysis using subsequent tools) + +The response includes: +- case_details: Raw API response for basic case information +- case_alerts: Raw API response containing list of alerts associated with the case +- case_comments: Raw API response containing list of comments for the case + +Important Triage Note: +Use the priority field as initial guide only. Analyze the combined details (alerts, +comments, entities involved, potential impact, related threat intelligence) to +determine the true importance and urgency of the case. + +Workflow Integration: +- Primary tool for starting investigation of specific case identified within SOAR platform +- Provides comprehensive initial overview - this is a starting point for full investigation +- Requires deeper analysis using subsequent tools for complete understanding + +Next Steps (Essential for Full Investigation): +- Analyze case_details for status, priority, and description +- Examine case_alerts to understand triggers - use /secops list-events-by-alert for underlying event data +- Review case_comments for analyst notes or previous actions +- Identify key entities from alerts or comments +- Use /secops get-entities-by-alert-groups to find entities associated with case/alert groups +- Enrich findings using SIEM (entity-lookup, search-events), TI (threat-intel), EDR, Cloud tools +- Document investigation progress using case commenting tools +- Consider adjusting case priority using priority management tools based on findings +{% else %} +Call the get_case_full_details tool with: `get_case_full_details(case_id={{case-id}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case for full details" \ No newline at end of file From 79533b03ac84c6ff7ca7a8c875416618f503232a Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Wed, 30 Jul 2025 23:02:57 -0400 Subject: [PATCH 11/16] Add /gti help subcommand to list all available GTI commands by category --- .gemini/commands/gti.toml | 57 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 56 insertions(+), 1 deletion(-) diff --git a/.gemini/commands/gti.toml b/.gemini/commands/gti.toml index a97e7025..fbfc1b81 100644 --- a/.gemini/commands/gti.toml +++ b/.gemini/commands/gti.toml @@ -1032,4 +1032,59 @@ Call the search_digital_threat_monitoring tool with: `search_digital_threat_moni [[subCommands.args]] name = "doc-type" required = false - description = "Document type filter (forum_post, message, paste, etc.)" \ No newline at end of file + description = "Document type filter (forum_post, message, paste, etc.)" + +# GTI help +[[subCommands]] +name = "help" +description = "Show available GTI subcommands and their descriptions" +prompt = """ +{% if help %} +Usage: /gti help + +Show available GTI subcommands organized by category. + +THREAT SEARCH COMMANDS: + search-threats Search all threat types (actors, malware, campaigns, reports, vulnerabilities) + search-campaigns Search threat campaigns and coordinated attacks + search-actors Search threat actors and APT groups + search-malware Search malware families and variants + search-vulns Search vulnerabilities and CVEs + +IOC ANALYSIS COMMANDS: + file-report Analyze files by hash (MD5/SHA-1/SHA-256) + domain-report Analyze domain reputation and threat associations + ip-report Analyze IP addresses (IPv4/IPv6) for threats + url-report Analyze URL reputation and content safety + search-iocs Search indicators of compromise (files, domains, IPs, URLs) + +COLLECTION MANAGEMENT: + get-collection Get detailed information about threat collections + collection-timeline Get timeline events for threat actors and campaigns + collection-mitre Get MITRE ATT&CK technique mappings + +THREAT PROFILES: + list-profiles List organization-specific threat profiles + get-profile Get detailed threat profile configuration + +DARK WEB MONITORING: + search-darkweb Search Digital Threat Monitoring for underground activity + +GETTING DETAILED HELP: + /gti COMMAND --help Show detailed help for any specific command + +Examples: + /gti search-threats --help # Detailed help for threat search + /gti file-report --help # Detailed help for file analysis + /gti search-darkweb --help # Detailed help for dark web monitoring + +Use Cases: +- Research threat actors, malware families, and attack campaigns +- Analyze suspicious files, domains, IPs, and URLs +- Monitor dark web for mentions of your organization +- Get threat intelligence tailored to your industry and region +- Map threats to MITRE ATT&CK framework for defense planning +{% else %} +# Help command doesn't call any MCP tools - it just displays command information +{% endif %} +""" \ No newline at end of file From 9dcc66a13666fbf3fe71602fe960883ffcaa2ed3 Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Wed, 30 Jul 2025 23:19:46 -0400 Subject: [PATCH 12/16] Implement comprehensive CrowdStrike Falcon slash commands for SOAR integration - Add 20 detailed slash commands organized into 8 functional categories - Cover host management, incident response, detection/alert management - Include IOC management, file analysis, incident management capabilities - Add identity protection and system commands - Provide comprehensive help documentation with examples and use cases - Include security considerations for high-risk operations - Map to 20 out of 28 available CrowdStrike Falcon MCP tools (71% coverage) - Validate TOML syntax and ensure proper escaping --- .../soar/marketplace/crowdstrikefalcon.toml | 1252 +++++++++++++++++ 1 file changed, 1252 insertions(+) create mode 100644 .gemini/commands/secops/soar/marketplace/crowdstrikefalcon.toml diff --git a/.gemini/commands/secops/soar/marketplace/crowdstrikefalcon.toml b/.gemini/commands/secops/soar/marketplace/crowdstrikefalcon.toml new file mode 100644 index 00000000..93c35c17 --- /dev/null +++ b/.gemini/commands/secops/soar/marketplace/crowdstrikefalcon.toml @@ -0,0 +1,1252 @@ +description = "CrowdStrike Falcon SOAR marketplace integration slash commands for endpoint security operations" +prompt = """ +You are implementing /slash-commands to call the available CrowdStrike Falcon MCP Tools defined in: +server/secops-soar/secops_soar_mcp/marketplace/crowdstrikefalcon.py + +These commands enable endpoint detection and response (EDR) operations including: +- Host management and information gathering +- Detection and alert management +- Incident response actions (containment, isolation) +- Script execution and command running on endpoints +- IOC management and threat hunting +- File analysis and malware scanning +""" + +# CrowdStrike Falcon Host Management Commands + +[[subCommands]] +name = "list-hosts" +description = "List and filter hosts in CrowdStrike Falcon based on various criteria" +prompt = """ +{% if help %} +Usage: /crowdstrike list-hosts [OPTIONS] + +List and filter hosts in CrowdStrike Falcon based on various criteria. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --customer-id ID of the customer for which to execute the action (optional) + --filter-logic Logic to use when searching for hosts (optional) + --filter-value Value to use for filtering hosts (optional) + --max-hosts-to-return Maximum number of hosts to return (default: 50, max: 1000) + --help Show this help message + +Examples: + /crowdstrike list-hosts --case-id="523" --alert-group-identifiers="group1" + /crowdstrike list-hosts --case-id="724" --alert-group-identifiers="group1,group2" --max-hosts-to-return=100 + +Use Cases: +- Get inventory of endpoints managed by CrowdStrike Falcon +- Filter hosts based on specific criteria for targeted response +- Identify hosts for containment or investigation +- Gather host information for incident scoping + +The response includes: +- List of hosts with their identifiers and metadata +- Host status and connectivity information +- System information for each host +{% else %} +Call the crowd_strike_falcon_list_hosts tool with: `crowd_strike_falcon_list_hosts(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, customer_id={{customer-id}}, filter_logic={{filter-logic}}, filter_value={{filter-value}}, max_hosts_to_return={{max-hosts-to-return}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "customer-id" + required = false + description = "ID of the customer for which to execute the action" + [[subCommands.args]] + name = "filter-logic" + required = false + description = "Logic to use when searching for hosts" + [[subCommands.args]] + name = "filter-value" + required = false + description = "Value to use for filtering hosts" + [[subCommands.args]] + name = "max-hosts-to-return" + required = false + default = "50" + description = "Maximum number of hosts to return (max: 1000)" + +[[subCommands]] +name = "get-host-info" +description = "Get detailed information about specific hosts in CrowdStrike Falcon" +prompt = """ +{% if help %} +Usage: /crowdstrike get-host-info [OPTIONS] + +Get detailed information about specific hosts in CrowdStrike Falcon. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --customer-id ID of the customer for which to execute the action (optional) + --create-insight If enabled, create insights containing information about entities (optional) + --help Show this help message + +Examples: + /crowdstrike get-host-info --case-id="523" --alert-group-identifiers="group1" + /crowdstrike get-host-info --case-id="724" --alert-group-identifiers="group1,group2" --create-insight=true + +Use Cases: +- Get detailed system information for specific hosts +- Gather host configuration and status details +- Create insights for targeted host entities +- Support incident analysis with comprehensive host data + +The response includes: +- Detailed host information including OS, hardware, and configuration +- Network interfaces and connectivity status +- Installed software and security agent status +- Host behavior and activity metrics +{% else %} +Call the crowd_strike_falcon_get_host_information tool with: `crowd_strike_falcon_get_host_information(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, customer_id={{customer-id}}, create_insight={{create-insight}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "customer-id" + required = false + description = "ID of the customer for which to execute the action" + [[subCommands.args]] + name = "create-insight" + required = false + description = "If enabled, create insights containing information about entities" + +[[subCommands]] +name = "get-hosts-by-ioc" +description = "Find hosts that have encountered specific Indicators of Compromise (IOCs)" +prompt = """ +{% if help %} +Usage: /crowdstrike get-hosts-by-ioc [OPTIONS] + +Find hosts that have encountered specific Indicators of Compromise (IOCs). + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --help Show this help message + +Examples: + /crowdstrike get-hosts-by-ioc --case-id="523" --alert-group-identifiers="group1" + /crowdstrike get-hosts-by-ioc --case-id="724" --alert-group-identifiers="group1,group2" + +Use Cases: +- Identify hosts that have encountered specific IOCs +- Scope incident impact across affected endpoints +- Find hosts for targeted containment or investigation +- Support threat hunting and lateral movement analysis + +The response includes: +- List of hosts that have encountered the IOCs +- IOC details and first/last seen timestamps +- Host information for affected endpoints +- Context for incident scoping and containment decisions +{% else %} +Call the crowd_strike_falcon_get_hosts_by_ioc tool with: `crowd_strike_falcon_get_hosts_by_ioc(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + +# CrowdStrike Falcon Incident Response Commands + +[[subCommands]] +name = "contain-endpoint" +description = "Contain (isolate) endpoints to prevent lateral movement during incident response" +prompt = """ +{% if help %} +Usage: /crowdstrike contain-endpoint [OPTIONS] + +Contain (isolate) endpoints to prevent lateral movement during incident response. + +IMPORTANT: This action will isolate endpoints from the network, preventing normal business operations. +Use with caution and ensure proper authorization before execution. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --customer-id ID of the customer for which to execute the action (optional) + --fail-if-timeout If enabled, action will fail if not all endpoints were contained (optional) + --help Show this help message + +Examples: + /crowdstrike contain-endpoint --case-id="523" --alert-group-identifiers="group1" + /crowdstrike contain-endpoint --case-id="724" --alert-group-identifiers="group1,group2" --fail-if-timeout=true + +Use Cases: +- Isolate compromised endpoints to prevent lateral movement +- Contain endpoints during active incident response +- Quarantine systems showing malicious activity +- Implement emergency containment procedures + +CAUTION: +- Containment will isolate endpoints from the network +- Ensure proper incident response procedures are followed +- Coordinate with business stakeholders before containment +- Have remediation plan ready before executing containment + +The response includes: +- Status of containment action for each endpoint +- Success/failure details for containment attempts +- Timing information for containment operations +{% else %} +Call the crowd_strike_falcon_contain_endpoint tool with: `crowd_strike_falcon_contain_endpoint(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, customer_id={{customer-id}}, fail_if_timeout={{fail-if-timeout}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "customer-id" + required = false + description = "ID of the customer for which to execute the action" + [[subCommands.args]] + name = "fail-if-timeout" + required = false + description = "If enabled, action will fail if not all endpoints were contained" + +[[subCommands]] +name = "run-script" +description = "Execute PowerShell scripts on endpoints for incident response and investigation" +prompt = """ +{% if help %} +Usage: /crowdstrike run-script [OPTIONS] + +Execute PowerShell scripts on endpoints for incident response and investigation. + +IMPORTANT: Script execution has significant security implications. Ensure proper authorization +and validate script content before execution. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --customer-id ID of the customer for which to execute the action (optional) + --script-name Name of the script file to execute (optional if raw-script provided) + --raw-script Raw PowerShell script payload to execute (optional if script-name provided) + --hostname Comma-separated list of hostnames to execute on (optional) + --help Show this help message + +Examples: + /crowdstrike run-script --case-id="523" --alert-group-identifiers="group1" --script-name="investigation.ps1" + /crowdstrike run-script --case-id="724" --alert-group-identifiers="group1,group2" --raw-script="Get-Process" + +Use Cases: +- Execute investigation scripts to gather forensic data +- Run remediation scripts to clean infected endpoints +- Collect system information for incident analysis +- Execute custom security tools on targeted endpoints + +SECURITY CONSIDERATIONS: +- Validate all script content before execution +- Follow principle of least privilege +- Monitor script execution results carefully +- Ensure proper incident response authorization +- Log all script executions for audit purposes + +The response includes: +- Script execution status for each targeted endpoint +- Output/results from script execution +- Error messages or execution failures +- Timing and completion information +{% else %} +Call the crowd_strike_falcon_run_script tool with: `crowd_strike_falcon_run_script(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, customer_id={{customer-id}}, script_name={{script-name}}, raw_script={{raw-script}}, hostname={{hostname}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "customer-id" + required = false + description = "ID of the customer for which to execute the action" + [[subCommands.args]] + name = "script-name" + required = false + description = "Name of the script file to execute" + [[subCommands.args]] + name = "raw-script" + required = false + description = "Raw PowerShell script payload to execute" + [[subCommands.args]] + name = "hostname" + required = false + description = "Comma-separated list of hostnames to execute on" + +[[subCommands]] +name = "execute-command" +description = "Execute specific commands on endpoints for investigation and response" +prompt = """ +{% if help %} +Usage: /crowdstrike execute-command [OPTIONS] + +Execute specific commands on endpoints for investigation and response. + +IMPORTANT: Command execution has significant security implications. Ensure proper authorization +and validate commands before execution. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --command Command to execute on the hosts [REQUIRED] + --customer-id ID of the customer for which to execute the action (optional) + --admin-command If enabled, execute commands with admin-level permissions (optional) + --hostname Comma-separated list of hostnames to execute on (optional) + --help Show this help message + +Examples: + /crowdstrike execute-command --case-id="523" --alert-group-identifiers="group1" --command="netstat -an" + /crowdstrike execute-command --case-id="724" --alert-group-identifiers="group1,group2" --command="Get-Process" --admin-command=true + +Common Investigation Commands: + - netstat -an # Show network connections + - tasklist # List running processes + - dir C:\\Temp # List directory contents + - Get-Process # PowerShell process list + - Get-EventLog Security -Newest 100 # Recent security events + +Use Cases: +- Execute investigation commands to gather forensic data +- Run diagnostic commands for system analysis +- Execute response commands for threat mitigation +- Collect specific information for incident analysis + +SECURITY CONSIDERATIONS: +- Validate all commands before execution +- Use admin-command flag only when necessary +- Monitor command execution results carefully +- Ensure proper incident response authorization +- Log all command executions for audit purposes + +The response includes: +- Command execution status for each targeted endpoint +- Output/results from command execution +- Error messages or execution failures +- Timing and completion information +{% else %} +Call the crowd_strike_falcon_execute_command tool with: `crowd_strike_falcon_execute_command(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, command={{command}}, customer_id={{customer-id}}, admin_command={{admin-command}}, hostname={{hostname}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "command" + required = true + description = "Command to execute on the hosts" + [[subCommands.args]] + name = "customer-id" + required = false + description = "ID of the customer for which to execute the action" + [[subCommands.args]] + name = "admin-command" + required = false + description = "If enabled, execute commands with admin-level permissions" + [[subCommands.args]] + name = "hostname" + required = false + description = "Comma-separated list of hostnames to execute on" + +# CrowdStrike Falcon Detection and Alert Management Commands + +[[subCommands]] +name = "add-detection-comment" +description = "Add comments to CrowdStrike Falcon detections for documentation and analysis" +prompt = """ +{% if help %} +Usage: /crowdstrike add-detection-comment [OPTIONS] + +Add comments to CrowdStrike Falcon detections for documentation and analysis. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --detection-id ID of the detection to add a comment to [REQUIRED] + --comment Comment content to add to the detection [REQUIRED] + --help Show this help message + +Examples: + /crowdstrike add-detection-comment --case-id="523" --alert-group-identifiers="group1" --detection-id="det_123" --comment="Confirmed malicious activity" + /crowdstrike add-detection-comment --case-id="724" --alert-group-identifiers="group1,group2" --detection-id="det_456" --comment="False positive - authorized software" + +Use Cases: +- Document analysis findings for specific detections +- Add context for detection triage and investigation +- Record analyst decisions and reasoning +- Maintain audit trail for detection handling + +The response includes: +- Confirmation of comment addition +- Detection ID and comment details +- Timestamp information for the comment +{% else %} +Call the crowd_strike_falcon_add_comment_to_detection tool with: `crowd_strike_falcon_add_comment_to_detection(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, detection_id={{detection-id}}, comment={{comment}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "detection-id" + required = true + description = "ID of the detection to add a comment to" + [[subCommands.args]] + name = "comment" + required = true + description = "Comment content to add to the detection" + +[[subCommands]] +name = "close-detection" +description = "Close CrowdStrike Falcon detections after investigation and analysis" +prompt = """ +{% if help %} +Usage: /crowdstrike close-detection [OPTIONS] + +Close CrowdStrike Falcon detections after investigation and analysis. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --detection-id ID of the detection to close [REQUIRED] + --hide-detection If enabled, hide the detection in the UI (optional) + --help Show this help message + +Examples: + /crowdstrike close-detection --case-id="523" --alert-group-identifiers="group1" --detection-id="det_123" + /crowdstrike close-detection --case-id="724" --alert-group-identifiers="group1,group2" --detection-id="det_456" --hide-detection=true + +Use Cases: +- Close confirmed false positive detections +- Mark resolved detections as complete +- Clean up detection queue after investigation +- Hide irrelevant detections from active view + +IMPORTANT: +- Ensure proper investigation before closing detections +- Add comments before closing to document reasoning +- Consider impact on detection metrics and reporting +- Follow organization's detection handling procedures + +The response includes: +- Confirmation of detection closure +- Detection ID and closure status +- Timestamp information for the closure action +{% else %} +Call the crowd_strike_falcon_close_detection tool with: `crowd_strike_falcon_close_detection(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, detection_id={{detection-id}}, hide_detection={{hide-detection}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "detection-id" + required = true + description = "ID of the detection to close" + [[subCommands.args]] + name = "hide-detection" + required = false + description = "If enabled, hide the detection in the UI" + +[[subCommands]] +name = "update-alert" +description = "Update CrowdStrike Falcon alert status, verdict, and assignment" +prompt = """ +{% if help %} +Usage: /crowdstrike update-alert [OPTIONS] + +Update CrowdStrike Falcon alert status, verdict, and assignment. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --alert-id ID of the alert to update [REQUIRED] + --status Status for the alert (optional) + --verdict Verdict for the alert (optional) + --assign-to Name/email of analyst to assign alert to (optional) + --help Show this help message + +Examples: + /crowdstrike update-alert --case-id="523" --alert-group-identifiers="group1" --alert-id="alert_123" --status="Closed" + /crowdstrike update-alert --case-id="724" --alert-group-identifiers="group1,group2" --alert-id="alert_456" --verdict="True Positive" --assign-to="analyst@company.com" + +Valid Status Values: + - New, In Progress, Closed, Reopened + +Valid Verdict Values: + - True Positive, False Positive, Benign Positive, Unknown + +Use Cases: +- Update alert status during investigation workflow +- Set verdict after analysis completion +- Assign alerts to specific analysts for investigation +- Maintain accurate alert state in CrowdStrike console + +The response includes: +- Confirmation of alert update +- Updated alert details and status +- Assignment information if applicable +{% else %} +Call the crowd_strike_falcon_update_alert tool with: `crowd_strike_falcon_update_alert(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, alert_id={{alert-id}}, status={{status}}, verdict={{verdict}}, assign_to={{assign-to}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "alert-id" + required = true + description = "ID of the alert to update" + [[subCommands.args]] + name = "status" + required = false + description = "Status for the alert" + [[subCommands.args]] + name = "verdict" + required = false + description = "Verdict for the alert" + [[subCommands.args]] + name = "assign-to" + required = false + description = "Name/email of analyst to assign alert to" + +[[subCommands]] +name = "add-alert-comment" +description = "Add comments to CrowdStrike Falcon alerts for documentation and collaboration" +prompt = """ +{% if help %} +Usage: /crowdstrike add-alert-comment [OPTIONS] + +Add comments to CrowdStrike Falcon alerts for documentation and collaboration. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --alert-id ID of the alert to add a comment to [REQUIRED] + --comment Comment content to add to the alert [REQUIRED] + --help Show this help message + +Examples: + /crowdstrike add-alert-comment --case-id="523" --alert-group-identifiers="group1" --alert-id="alert_123" --comment="Investigating potential compromise" + /crowdstrike add-alert-comment --case-id="724" --alert-group-identifiers="group1,group2" --alert-id="alert_456" --comment="Coordinating with IR team" + +Use Cases: +- Document investigation progress and findings +- Add analysis notes for team collaboration +- Record decisions and next steps +- Maintain audit trail for alert handling + +The response includes: +- Confirmation of comment addition +- Alert ID and comment details +- Timestamp information for the comment +{% else %} +Call the crowd_strike_falcon_add_alert_comment tool with: `crowd_strike_falcon_add_alert_comment(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, alert_id={{alert-id}}, comment={{comment}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "alert-id" + required = true + description = "ID of the alert to add a comment to" + [[subCommands.args]] + name = "comment" + required = true + description = "Comment content to add to the alert" + +# CrowdStrike Falcon IOC and Threat Management Commands + +[[subCommands]] +name = "upload-iocs" +description = "Upload Indicators of Compromise (IOCs) to CrowdStrike Falcon for detection and blocking" +prompt = """ +{% if help %} +Usage: /crowdstrike upload-iocs [OPTIONS] + +Upload Indicators of Compromise (IOCs) to CrowdStrike Falcon for detection and blocking. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --platform Comma-separated platforms for the IOC (Windows, Linux, Mac) [REQUIRED] + --severity Severity level for the IOC [REQUIRED] + --comment Comment with context related to IOC (optional) + --host-group-name Name of the host group (optional) + --action Action for uploaded IOCs (Detect/Block) (optional) + --help Show this help message + +Examples: + /crowdstrike upload-iocs --case-id="523" --alert-group-identifiers="group1" --platform="Windows,Linux" --severity="High" --comment="Malicious domain from threat intel" + /crowdstrike upload-iocs --case-id="724" --alert-group-identifiers="group1,group2" --platform="Windows" --severity="Critical" --action="Block" + +Platform Values: + - Windows, Linux, Mac (comma-separated) + +Severity Values: + - Low, Medium, High, Critical + +Action Values: + - Detect: Monitor and alert on IOC matches + - Block: Block IOC matches (only available for hashes) + +Use Cases: +- Upload threat intelligence IOCs for detection +- Add known malicious indicators to CrowdStrike +- Implement proactive blocking of malicious hashes +- Share IOCs across security team for consistent detection + +IMPORTANT: +- Block action only works with file hashes +- All other IOC types automatically use Detect policy +- Ensure IOC accuracy before uploading +- Consider impact on legitimate business operations + +The response includes: +- Confirmation of IOC upload +- IOC details and assigned actions +- Platform coverage information +{% else %} +Call the crowd_strike_falcon_upload_io_cs tool with: `crowd_strike_falcon_upload_io_cs(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, platform={{platform}}, severity={{severity}}, comment={{comment}}, host_group_name={{host-group-name}}, action={{action}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "platform" + required = true + description = "Comma-separated platforms for the IOC (Windows, Linux, Mac)" + [[subCommands.args]] + name = "severity" + required = true + description = "Severity level for the IOC" + [[subCommands.args]] + name = "comment" + required = false + description = "Comment with context related to IOC" + [[subCommands.args]] + name = "host-group-name" + required = false + description = "Name of the host group" + [[subCommands.args]] + name = "action" + required = false + description = "Action for uploaded IOCs (Detect/Block)" + +[[subCommands]] +name = "update-ioc-info" +description = "Update information for existing custom IOCs in CrowdStrike Falcon" +prompt = """ +{% if help %} +Usage: /crowdstrike update-ioc-info [OPTIONS] + +Update information for existing custom IOCs in CrowdStrike Falcon. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --description New description for custom IOCs (optional) + --source Source for custom IOCs (optional) + --expiration-days Days until expiration (optional) + --detect-policy If enabled, IOCs will send notifications when identified (optional) + --help Show this help message + +Examples: + /crowdstrike update-ioc-info --case-id="523" --alert-group-identifiers="group1" --description="Updated threat intel source" + /crowdstrike update-ioc-info --case-id="724" --alert-group-identifiers="group1,group2" --expiration-days="30" --detect-policy=true + +Use Cases: +- Update IOC metadata with new information +- Change IOC expiration dates +- Modify detection policies for existing IOCs +- Update IOC sources and descriptions + +The response includes: +- Confirmation of IOC information update +- Updated IOC details and metadata +- Policy changes if applicable +{% else %} +Call the crowd_strike_falcon_update_ioc_information tool with: `crowd_strike_falcon_update_ioc_information(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, description={{description}}, source={{source}}, expiration_days={{expiration-days}}, detect_policy={{detect-policy}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "description" + required = false + description = "New description for custom IOCs" + [[subCommands.args]] + name = "source" + required = false + description = "Source for custom IOCs" + [[subCommands.args]] + name = "expiration-days" + required = false + description = "Days until expiration" + [[subCommands.args]] + name = "detect-policy" + required = false + description = "If enabled, IOCs will send notifications when identified" + +# CrowdStrike Falcon File Analysis and Malware Scanning Commands + +[[subCommands]] +name = "submit-url" +description = "Submit URLs to CrowdStrike Falcon sandbox for analysis" +prompt = """ +{% if help %} +Usage: /crowdstrike submit-url [OPTIONS] + +Submit URLs to CrowdStrike Falcon sandbox for analysis. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --urls URLs to submit for analysis [REQUIRED] + --sandbox-environment Sandbox environment for analysis (optional) + --network-environment Network environment for analysis (optional) + --check-duplicate Check if URL was already submitted previously (optional) + --help Show this help message + +Examples: + /crowdstrike submit-url --case-id="523" --alert-group-identifiers="group1" --urls="https://suspicious-site.com" + /crowdstrike submit-url --case-id="724" --alert-group-identifiers="group1,group2" --urls="https://malware.example.com" --check-duplicate=true + +Use Cases: +- Analyze suspicious URLs found during investigation +- Submit potential malicious links for sandbox analysis +- Get detailed analysis of URL behavior and content +- Verify URL safety before allowing access + +SECURITY CONSIDERATIONS: +- URLs will be accessed by sandbox environment +- Avoid submitting internal or sensitive URLs +- Consider network isolation for sandbox analysis +- Review analysis results before making decisions + +The response includes: +- Submission confirmation and analysis ID +- Analysis results when available +- URL behavior analysis and risk assessment +- IOCs and artifacts discovered during analysis +{% else %} +Call the crowd_strike_falcon_submit_url tool with: `crowd_strike_falcon_submit_url(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, ur_ls={{urls}}, sandbox_environment={{sandbox-environment}}, network_environment={{network-environment}}, check_duplicate={{check-duplicate}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "urls" + required = true + description = "URLs to submit for analysis" + [[subCommands.args]] + name = "sandbox-environment" + required = false + description = "Sandbox environment for analysis" + [[subCommands.args]] + name = "network-environment" + required = false + description = "Network environment for analysis" + [[subCommands.args]] + name = "check-duplicate" + required = false + description = "Check if URL was already submitted previously" + +[[subCommands]] +name = "download-file" +description = "Download threat files from CrowdStrike Falcon for further analysis" +prompt = """ +{% if help %} +Usage: /crowdstrike download-file [OPTIONS] + +Download threat files from CrowdStrike Falcon for further analysis. + +IMPORTANT: Downloaded files may contain malware. Handle with extreme caution and use appropriate +security measures including isolated environments and malware analysis tools. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --download-folder-path Path to folder where threat file will be stored [REQUIRED] + --overwrite If enabled, overwrite files with the same name [REQUIRED] + --customer-id ID of the customer for which to execute the action (optional) + --help Show this help message + +Examples: + /crowdstrike download-file --case-id="523" --alert-group-identifiers="group1" --download-folder-path="/tmp/malware" --overwrite=true + /crowdstrike download-file --case-id="724" --alert-group-identifiers="group1,group2" --download-folder-path="/home/analyst/samples" --overwrite=false + +Use Cases: +- Download malware samples for detailed analysis +- Obtain threat files for reverse engineering +- Save evidence files for forensic investigation +- Get samples for signature development + +SECURITY WARNINGS: +- Files may contain active malware +- Use isolated analysis environment only +- Implement proper containment measures +- Follow organization's malware handling procedures +- Ensure antivirus exclusions are configured properly + +The response includes: +- Download confirmation and file location +- File details and metadata +- SHA256 hash for file verification +- Size and download completion status +{% else %} +Call the crowd_strike_falcon_download_file tool with: `crowd_strike_falcon_download_file(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, download_folder_path={{download-folder-path}}, overwrite={{overwrite}}, customer_id={{customer-id}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "download-folder-path" + required = true + description = "Path to folder where threat file will be stored" + [[subCommands.args]] + name = "overwrite" + required = true + description = "If enabled, overwrite files with the same name" + [[subCommands.args]] + name = "customer-id" + required = false + description = "ID of the customer for which to execute the action" + +[[subCommands]] +name = "on-demand-scan" +description = "Initiate on-demand malware scans on specific endpoints and file paths" +prompt = """ +{% if help %} +Usage: /crowdstrike on-demand-scan [OPTIONS] + +Initiate on-demand malware scans on specific endpoints and file paths. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --file-paths-to-scan Comma-separated list of paths to scan [REQUIRED] + --customer-id ID of the customer for which to execute the action (optional) + --file-paths-to-exclude-from-scan Comma-separated list of paths to exclude from scan (optional) + --host-group-name Comma-separated list of host group names for scanning (optional) + --scan-description Description for the scan (optional) + --cpu-priority CPU priority for scanning (optional) + --quarantine-hosts If enabled, quarantine hosts during scanning (optional) + --create-endpoint-notification If enabled, create endpoint notification (optional) + --help Show this help message + +Examples: + /crowdstrike on-demand-scan --case-id="523" --alert-group-identifiers="group1" --file-paths-to-scan="C:\\Temp,C:\\Users" + /crowdstrike on-demand-scan --case-id="724" --alert-group-identifiers="group1,group2" --file-paths-to-scan="C:\\Windows\\System32" --quarantine-hosts=true + +Common Scan Paths: + - C:\\Temp, C:\\Windows\\Temp # Temporary directories + - C:\\Users\\%USERNAME%\\Downloads # User download folders + - C:\\Windows\\System32 # System directory + - /tmp, /var/tmp # Linux temp directories + - /home/*/Downloads # Linux user downloads + +Use Cases: +- Scan specific directories for malware after compromise +- Perform targeted scans on suspicious file locations +- Verify system cleanliness after remediation +- Execute proactive scans on high-risk locations + +SCAN CONSIDERATIONS: +- Scanning may impact system performance +- Consider business hours and system usage +- Quarantine option will isolate hosts during scan +- CPU priority settings affect scan speed vs. performance impact + +The response includes: +- Scan initiation confirmation and scan ID +- Targeted endpoints and file paths +- Scan progress and completion status +- Results summary and detected threats +{% else %} +Call the crowd_strike_falcon_on_demand_scan tool with: `crowd_strike_falcon_on_demand_scan(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, file_paths_to_scan={{file-paths-to-scan}}, customer_id={{customer-id}}, file_paths_to_exclude_from_scan={{file-paths-to-exclude-from-scan}}, host_group_name={{host-group-name}}, scan_description={{scan-description}}, quarantine_hosts={{quarantine-hosts}}, create_endpoint_notification={{create-endpoint-notification}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "file-paths-to-scan" + required = true + description = "Comma-separated list of paths to scan" + [[subCommands.args]] + name = "customer-id" + required = false + description = "ID of the customer for which to execute the action" + [[subCommands.args]] + name = "file-paths-to-exclude-from-scan" + required = false + description = "Comma-separated list of paths to exclude from scan" + [[subCommands.args]] + name = "host-group-name" + required = false + description = "Comma-separated list of host group names for scanning" + [[subCommands.args]] + name = "scan-description" + required = false + description = "Description for the scan" + [[subCommands.args]] + name = "quarantine-hosts" + required = false + description = "If enabled, quarantine hosts during scanning" + [[subCommands.args]] + name = "create-endpoint-notification" + required = false + description = "If enabled, create endpoint notification" + +# CrowdStrike Falcon Incident Management Commands + +[[subCommands]] +name = "update-incident" +description = "Update CrowdStrike Falcon incident status, assignment, and details" +prompt = """ +{% if help %} +Usage: /crowdstrike update-incident [OPTIONS] + +Update CrowdStrike Falcon incident status, assignment, and details. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --incident-id ID of the incident to update [REQUIRED] + --customer-id ID of the customer for which to execute the action (optional) + --status Status for the incident (optional) + --assign-to Name/email of analyst to assign incident to (optional) + --help Show this help message + +Examples: + /crowdstrike update-incident --case-id="523" --alert-group-identifiers="group1" --incident-id="inc_123" --status="In Progress" + /crowdstrike update-incident --case-id="724" --alert-group-identifiers="group1,group2" --incident-id="inc_456" --assign-to="John Doe" + +Valid Status Values: + - New, In Progress, Closed, Reopened + +Assignment Notes: + - Use "Unassign" to remove assignment from incident + - For names, use format: "First Last" (e.g., "John Doe") + - Email addresses are also accepted + - API accepts any value even if user doesn't exist + +Use Cases: +- Update incident status during investigation workflow +- Assign incidents to specific analysts +- Track incident progress through resolution +- Maintain accurate incident state in CrowdStrike console + +The response includes: +- Confirmation of incident update +- Updated incident details and status +- Assignment information if applicable +{% else %} +Call the crowd_strike_falcon_update_incident tool with: `crowd_strike_falcon_update_incident(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, incident_id={{incident-id}}, customer_id={{customer-id}}, status={{status}}, assign_to={{assign-to}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "incident-id" + required = true + description = "ID of the incident to update" + [[subCommands.args]] + name = "customer-id" + required = false + description = "ID of the customer for which to execute the action" + [[subCommands.args]] + name = "status" + required = false + description = "Status for the incident" + [[subCommands.args]] + name = "assign-to" + required = false + description = "Name/email of analyst to assign incident to" + +[[subCommands]] +name = "add-incident-comment" +description = "Add comments to CrowdStrike Falcon incidents for documentation and collaboration" +prompt = """ +{% if help %} +Usage: /crowdstrike add-incident-comment [OPTIONS] + +Add comments to CrowdStrike Falcon incidents for documentation and collaboration. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --incident-id ID of the incident to add a comment to [REQUIRED] + --comment Comment content for the incident [REQUIRED] + --help Show this help message + +Examples: + /crowdstrike add-incident-comment --case-id="523" --alert-group-identifiers="group1" --incident-id="inc_123" --comment="Escalating to IR team" + /crowdstrike add-incident-comment --case-id="724" --alert-group-identifiers="group1,group2" --incident-id="inc_456" --comment="Containment complete, beginning forensics" + +Use Cases: +- Document incident investigation progress +- Add analysis findings and recommendations +- Record response actions taken +- Facilitate team collaboration on incidents + +The response includes: +- Confirmation of comment addition +- Incident ID and comment details +- Timestamp information for the comment +{% else %} +Call the crowd_strike_falcon_add_incident_comment tool with: `crowd_strike_falcon_add_incident_comment(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, incident_id={{incident-id}}, comment={{comment}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "incident-id" + required = true + description = "ID of the incident to add a comment to" + [[subCommands.args]] + name = "comment" + required = true + description = "Comment content for the incident" + +# CrowdStrike Falcon Identity Protection Commands + +[[subCommands]] +name = "add-identity-detection-comment" +description = "Add comments to CrowdStrike Falcon Identity Protection detections" +prompt = """ +{% if help %} +Usage: /crowdstrike add-identity-detection-comment [OPTIONS] + +Add comments to CrowdStrike Falcon Identity Protection detections. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --detection-id ID of the identity protection detection to update [REQUIRED] + --comment Comment content for the detection [REQUIRED] + --help Show this help message + +Examples: + /crowdstrike add-identity-detection-comment --case-id="523" --alert-group-identifiers="group1" --detection-id="idp_123" --comment="Investigating identity compromise" + /crowdstrike add-identity-detection-comment --case-id="724" --alert-group-identifiers="group1,group2" --detection-id="idp_456" --comment="Confirmed credential theft" + +Use Cases: +- Document analysis of identity-based attacks +- Add context for credential compromise investigations +- Record findings from identity protection detections +- Maintain audit trail for identity security incidents + +The response includes: +- Confirmation of comment addition +- Detection ID and comment details +- Timestamp information for the comment +{% else %} +Call the crowd_strike_falcon_add_identity_protection_detection_comment tool with: `crowd_strike_falcon_add_identity_protection_detection_comment(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, detection_id={{detection-id}}, comment={{comment}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "detection-id" + required = true + description = "ID of the identity protection detection to update" + [[subCommands.args]] + name = "comment" + required = true + description = "Comment content for the detection" + +# CrowdStrike Falcon System Commands + +[[subCommands]] +name = "ping" +description = "Test connectivity to CrowdStrike Falcon API and verify integration status" +prompt = """ +{% if help %} +Usage: /crowdstrike ping [OPTIONS] + +Test connectivity to CrowdStrike Falcon API and verify integration status. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --help Show this help message + +Examples: + /crowdstrike ping --case-id="523" --alert-group-identifiers="group1" + /crowdstrike ping --case-id="724" --alert-group-identifiers="group1,group2" + +Use Cases: +- Verify CrowdStrike Falcon API connectivity +- Test integration configuration and credentials +- Troubleshoot connection issues +- Validate SOAR to CrowdStrike integration + +The response includes: +- Connectivity status and response time +- API authentication verification +- Integration health information +- Error details if connection fails +{% else %} +Call the crowd_strike_falcon_ping tool with: `crowd_strike_falcon_ping(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + +[[subCommands]] +name = "get-event-offset" +description = "Get event offset information for CrowdStrike Falcon event processing" +prompt = """ +{% if help %} +Usage: /crowdstrike get-event-offset [OPTIONS] + +Get event offset information for CrowdStrike Falcon event processing. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for the alert groups [REQUIRED] + --max-events-to-process Maximum number of events to process from offset [REQUIRED] + --help Show this help message + +Examples: + /crowdstrike get-event-offset --case-id="523" --alert-group-identifiers="group1" --max-events-to-process="1000" + /crowdstrike get-event-offset --case-id="724" --alert-group-identifiers="group1,group2" --max-events-to-process="500" + +Use Cases: +- Retrieve event processing offset information +- Manage event stream processing for integrations +- Monitor event consumption and processing lag +- Troubleshoot event processing issues + +The response includes: +- Current event offset information +- Event processing status and metrics +- Available events for processing +- Offset management details +{% else %} +Call the crowd_strike_falcon_get_event_offset tool with: `crowd_strike_falcon_get_event_offset(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, max_events_to_process={{max-events-to-process}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "max-events-to-process" + required = true + description = "Maximum number of events to process from offset" \ No newline at end of file From d4454e53fcf9a890462718f09aa0fd1e05a8ac80 Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Wed, 30 Jul 2025 23:26:34 -0400 Subject: [PATCH 13/16] Add comprehensive help command for CrowdStrike Falcon slash commands - Add main 'help' subcommand showing all available commands organized by category - Include security warnings for high-risk operations (containment, scripts, file downloads) - Provide usage examples and command reference structure - Maintain TOML syntax validation --- .../soar/marketplace/crowdstrikefalcon.toml | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/.gemini/commands/secops/soar/marketplace/crowdstrikefalcon.toml b/.gemini/commands/secops/soar/marketplace/crowdstrikefalcon.toml index 93c35c17..f5fe7a5f 100644 --- a/.gemini/commands/secops/soar/marketplace/crowdstrikefalcon.toml +++ b/.gemini/commands/secops/soar/marketplace/crowdstrikefalcon.toml @@ -12,6 +12,64 @@ These commands enable endpoint detection and response (EDR) operations including - File analysis and malware scanning """ +# CrowdStrike Falcon Help Command + +[[subCommands]] +name = "help" +description = "Show help information for CrowdStrike Falcon SOAR marketplace integration commands" +prompt = """ +CrowdStrike Falcon SOAR Marketplace Integration + +This integration provides comprehensive endpoint detection and response (EDR) capabilities through CrowdStrike Falcon. + +Available Commands: + +HOST MANAGEMENT: + /secops:soar:marketplace:crowdstrikefalcon list-hosts - List and filter hosts + /secops:soar:marketplace:crowdstrikefalcon get-host-info - Get detailed host information + /secops:soar:marketplace:crowdstrikefalcon get-hosts-by-ioc - Find hosts with specific IOCs + +INCIDENT RESPONSE: + /secops:soar:marketplace:crowdstrikefalcon contain-endpoint - Isolate endpoints (CAUTION: Network isolation) + /secops:soar:marketplace:crowdstrikefalcon run-script - Execute PowerShell scripts on endpoints + /secops:soar:marketplace:crowdstrikefalcon execute-command - Run specific commands on endpoints + +DETECTION & ALERT MANAGEMENT: + /secops:soar:marketplace:crowdstrikefalcon add-detection-comment - Add comments to detections + /secops:soar:marketplace:crowdstrikefalcon close-detection - Close detections after investigation + /secops:soar:marketplace:crowdstrikefalcon update-alert - Update alert status and assignment + /secops:soar:marketplace:crowdstrikefalcon add-alert-comment - Add comments to alerts + +IOC & THREAT MANAGEMENT: + /secops:soar:marketplace:crowdstrikefalcon upload-iocs - Upload IOCs for detection/blocking + /secops:soar:marketplace:crowdstrikefalcon update-ioc-info - Update IOC information + +FILE ANALYSIS & MALWARE SCANNING: + /secops:soar:marketplace:crowdstrikefalcon submit-url - Submit URLs to sandbox + /secops:soar:marketplace:crowdstrikefalcon download-file - Download threat files (CAUTION: Malware) + /secops:soar:marketplace:crowdstrikefalcon on-demand-scan - Initiate endpoint scans + +INCIDENT MANAGEMENT: + /secops:soar:marketplace:crowdstrikefalcon update-incident - Update incident status and assignment + /secops:soar:marketplace:crowdstrikefalcon add-incident-comment - Add comments to incidents + +IDENTITY PROTECTION: + /secops:soar:marketplace:crowdstrikefalcon add-identity-detection-comment - Add comments to identity detections + +SYSTEM COMMANDS: + /secops:soar:marketplace:crowdstrikefalcon ping - Test API connectivity + /secops:soar:marketplace:crowdstrikefalcon get-event-offset - Get event processing offset + +For detailed help on any command, add --help to the command: + Example: /secops:soar:marketplace:crowdstrikefalcon list-hosts --help + +SECURITY NOTES: +- Commands like contain-endpoint will isolate systems from the network +- Script execution and file downloads require proper security precautions +- Always verify IOCs before uploading to prevent false positives +- Follow your organization's incident response procedures +""" + # CrowdStrike Falcon Host Management Commands [[subCommands]] From 2308e84ae727506341189e08d26310d862c4adfc Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Wed, 30 Jul 2025 23:30:35 -0400 Subject: [PATCH 14/16] Implement Chronicle SOAR marketplace slash commands - Add comprehensive Chronicle TOML configuration following CrowdStrike Falcon conventions - Implement 16 slash commands covering all Chronicle MCP tools - Include detailed help text, usage examples, and security context - Add proper subCommands structure with required/optional args definitions - Support rule details, detection analysis, UDM queries, IoC management, and connectivity testing --- .../secops/soar/marketplace/chronicle.toml | 290 ++++++++++++++++++ 1 file changed, 290 insertions(+) create mode 100644 .gemini/commands/secops/soar/marketplace/chronicle.toml diff --git a/.gemini/commands/secops/soar/marketplace/chronicle.toml b/.gemini/commands/secops/soar/marketplace/chronicle.toml new file mode 100644 index 00000000..ae82a292 --- /dev/null +++ b/.gemini/commands/secops/soar/marketplace/chronicle.toml @@ -0,0 +1,290 @@ +description = "Google Chronicle SOAR marketplace integration slash commands for SIEM security operations" + +[[subCommands]] +name = "rule-details" +description = "Fetch detailed information about a Chronicle SIEM detection rule" +prompt = """ +{% if help %} +Usage: /chronicle rule-details + +Fetch detailed information about a Chronicle SIEM detection rule by its ID. + +Arguments: + rule_id (required) The unique identifier of the Chronicle detection rule + +Example: + /chronicle rule-details ru_12345678-1234-1234-1234-123456789012 + +Security Context: +- Requires active SOAR case with case_id and alert_group_identifiers +- Used for understanding detection logic and rule effectiveness analysis +- Essential for alert triage and false positive reduction +{% else %} +Call the google_chronicle_get_rule_details tool with: `google_chronicle_get_rule_details(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, rule_id={{rule-id}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Identifiers for the alert groups" + + [[subCommands.args]] + name = "rule-id" + required = true + description = "The unique identifier of the Chronicle detection rule" + +[[subCommands]] +name = "detection-details" +description = "Fetch detailed information about a specific Chronicle detection" +prompt = """ +{% if help %} +Usage: /chronicle detection-details + +Fetch detailed information about a specific detection generated by a Chronicle rule. + +Arguments: + rule_id (required) The unique identifier of the Chronicle detection rule + detection_id (required) The unique identifier of the specific detection + +Example: + /chronicle detection-details ru_12345678-1234-1234-1234-123456789012 de_87654321-4321-4321-4321-210987654321 + +Security Context: +- Requires active SOAR case with case_id and alert_group_identifiers +- Used for detailed analysis of specific security events +- Critical for incident response and threat hunting activities +{% else %} +Call the google_chronicle_get_detection_details tool with: `google_chronicle_get_detection_details(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, rule_id={{rule-id}}, detection_id={{detection-id}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Identifiers for the alert groups" + + [[subCommands.args]] + name = "rule-id" + required = true + description = "The unique identifier of the Chronicle detection rule" + + [[subCommands.args]] + name = "detection-id" + required = true + description = "The unique identifier of the specific detection" + +[[subCommands]] +name = "udm-query" +description = "Execute custom UDM query in Chronicle SIEM with flexible time filtering" +prompt = """ +{% if help %} +Usage: /chronicle udm-query [time_frame] [start_time] [end_time] [max_results] + +Execute a custom UDM (Unified Data Model) query against Chronicle SIEM data. + +Arguments: + query (required) The UDM query to execute in Chronicle + time_frame (optional) Predefined time frame options + start_time (optional) Custom start time in ISO 8601 format + end_time (optional) Custom end time in ISO 8601 format + max_results (optional) Maximum number of results to return (default: 50, max: 10000) + +Time Frame Options: +- "Alert Time Till Now" +- "30 Minutes Around Alert Time" +- "1 Hour Around Alert Time" +- "5 Minutes Around Alert Time" +- "Custom" (requires start_time) + +Examples: + /chronicle udm-query "metadata.event_type = 'NETWORK_CONNECTION' AND target.port = 443" "Last 24 Hours" + /chronicle udm-query "principal.hostname = 'suspicious-host'" "Custom" "2024-01-01T00:00:00Z" "2024-01-02T00:00:00Z" 100 + +Security Context: +- Limited to 120 executions per hour for performance +- Maximum 90-day time window supported +- Use for threat hunting, IOC validation, and incident investigation +{% else %} +Call the google_chronicle_execute_udm_query tool with: `google_chronicle_execute_udm_query(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, query={{query}}{% if time-frame %}, time_frame={{time-frame}}{% endif %}{% if start-time %}, start_time={{start-time}}{% endif %}{% if end-time %}, end_time={{end-time}}{% endif %}{% if max-results %}, max_results_to_return={{max-results}}{% endif %})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Identifiers for the alert groups" + + [[subCommands.args]] + name = "query" + required = true + description = "The UDM query to execute in Chronicle" + + [[subCommands.args]] + name = "time-frame" + required = false + description = "Predefined time frame for the query" + + [[subCommands.args]] + name = "start-time" + required = false + description = "Custom start time in ISO 8601 format" + + [[subCommands.args]] + name = "end-time" + required = false + description = "Custom end time in ISO 8601 format" + + [[subCommands.args]] + name = "max-results" + required = false + description = "Maximum number of results to return" + +[[subCommands]] +name = "list-iocs" +description = "List all IoCs discovered within your enterprise in specified time range" +prompt = """ +{% if help %} +Usage: /chronicle list-iocs [start_time] [max_iocs] + +List all Indicators of Compromise (IoCs) discovered within your enterprise. + +Arguments: + start_time (optional) Start time in RFC 3339 format (default: 3 days ago) + max_iocs (optional) Maximum number of IoCs to return (1-10000, default: 50) + +Example: + /chronicle list-iocs "2024-01-01T00:00:00Z" 100 + /chronicle list-iocs + +Security Context: +- Returns active IoCs from threat intelligence feeds +- Use for threat hunting and IOC validation +- Essential for proactive threat detection +{% else %} +Call the google_chronicle_list_io_cs tool with: `google_chronicle_list_io_cs(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}{% if start-time %}, start_time={{start-time}}{% endif %}{% if max-iocs %}, max_io_cs_to_fetch={{max-iocs}}{% endif %})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Identifiers for the alert groups" + + [[subCommands.args]] + name = "start-time" + required = false + description = "Start time in RFC 3339 format" + + [[subCommands.args]] + name = "max-iocs" + required = false + description = "Maximum number of IoCs to return" + +[[subCommands]] +name = "enrich-ip" +description = "Enrich IP address entities using Chronicle IoC information" +prompt = """ +{% if help %} +Usage: /chronicle enrich-ip [create_insight] [only_suspicious_insight] + +Enrich IP address entities using Chronicle's IoC database information. + +Arguments: + severity_threshold (required) Lowest severity to mark as suspicious + mark_suspicious_n_a (required) Mark as suspicious if severity unavailable (true/false) + create_insight (optional) Create insight with enrichment info (true/false) + only_suspicious_insight (optional) Only create insights for suspicious entities (true/false) + +Severity Options: +- "Info", "Low", "Medium", "High", "Critical" + +Example: + /chronicle enrich-ip "Medium" true true false + /chronicle enrich-ip "High" false + +Security Context: +- Supports IP Address entities only +- Enriches with threat intelligence data +- Critical for IP reputation analysis and threat assessment +{% else %} +Call the google_chronicle_enrich_ip tool with: `google_chronicle_enrich_ip(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, lowest_suspicious_severity={{severity-threshold}}, mark_suspicious_n_a_severity={{mark-suspicious-n-a}}{% if create-insight %}, create_insight={{create-insight}}{% endif %}{% if only-suspicious-insight %}, only_suspicious_insight={{only-suspicious-insight}}{% endif %})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Identifiers for the alert groups" + + [[subCommands.args]] + name = "severity-threshold" + required = true + description = "Lowest severity level to mark as suspicious" + + [[subCommands.args]] + name = "mark-suspicious-n-a" + required = true + description = "Mark as suspicious if severity information is not available" + + [[subCommands.args]] + name = "create-insight" + required = false + description = "Create insight containing enrichment information" + + [[subCommands.args]] + name = "only-suspicious-insight" + required = false + description = "Only create insights for suspicious entities" + +[[subCommands]] +name = "ping" +description = "Test connectivity to Chronicle integration" +prompt = """ +{% if help %} +Usage: /chronicle ping + +Test connectivity to Chronicle integration with configured parameters. + +No additional arguments required. + +Example: + /chronicle ping + +Security Context: +- Validates Chronicle integration configuration +- Tests authentication and connectivity +- Essential for troubleshooting integration issues +{% else %} +Call the google_chronicle_ping tool with: `google_chronicle_ping(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Identifiers for the alert groups" \ No newline at end of file From 2e2a2a07b5c8d908d3ece18b1bb06895fef47df5 Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Wed, 30 Jul 2025 23:39:26 -0400 Subject: [PATCH 15/16] Add help command to Chronicle SOAR marketplace slash commands - Include help subCommand at top of Chronicle TOML configuration - Provide overview of available Chronicle commands and their purposes - Add security context and usage guidance for Chronicle integration --- .../secops/soar/marketplace/chronicle.toml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/.gemini/commands/secops/soar/marketplace/chronicle.toml b/.gemini/commands/secops/soar/marketplace/chronicle.toml index ae82a292..fd4c51a0 100644 --- a/.gemini/commands/secops/soar/marketplace/chronicle.toml +++ b/.gemini/commands/secops/soar/marketplace/chronicle.toml @@ -1,5 +1,31 @@ description = "Google Chronicle SOAR marketplace integration slash commands for SIEM security operations" +[[subCommands]] +name = "help" +description = "Show help for Chronicle SOAR marketplace integration commands" +prompt = """ +{% if help %} +Chronicle SOAR Marketplace Integration Commands + +Available Commands: +- rule-details: Fetch detailed information about Chronicle detection rules +- detection-details: Get specific detection analysis and details +- udm-query: Execute custom UDM queries with flexible time filtering +- list-iocs: List enterprise IoCs discovered in specified time range +- enrich-ip: Enrich IP addresses using Chronicle threat intelligence +- ping: Test Chronicle integration connectivity + +Use /chronicle --help for detailed command usage. + +Security Context: +- All commands require active SOAR case context +- Chronicle integration provides SIEM data analysis capabilities +- Essential for threat hunting, incident response, and IOC validation +{% else %} +Display help information for Chronicle SOAR marketplace integration commands. +{% endif %} +""" + [[subCommands]] name = "rule-details" description = "Fetch detailed information about a Chronicle SIEM detection rule" From 6f7e57730bff6ea161e5d5e70978f1573191f1cd Mon Sep 17 00:00:00 2001 From: Dan Dye Date: Thu, 31 Jul 2025 22:39:47 -0400 Subject: [PATCH 16/16] Bug fixes --- .gemini/commands/scc.toml | 8 +- .gemini/commands/secops.toml | 39 +-- .gemini/commands/secops/soar.toml | 135 +++++--- .../secops/soar/marketplace/chronicle.toml | 47 +-- .../soar/marketplace/crowdstrikefalcon.toml | 12 +- .../secops/soar/marketplace/virustotal.toml | 318 ++++++++++++++++++ 6 files changed, 456 insertions(+), 103 deletions(-) create mode 100644 .gemini/commands/secops/soar/marketplace/virustotal.toml diff --git a/.gemini/commands/scc.toml b/.gemini/commands/scc.toml index 71ec6703..7dd752e1 100644 --- a/.gemini/commands/scc.toml +++ b/.gemini/commands/scc.toml @@ -74,7 +74,7 @@ Get remediation steps for a specific Security Command Center finding. Retrieves the remediation steps (nextSteps) for a specific finding within a project, along with details of the affected resource fetched from Cloud Asset Inventory (CAI). -The finding can be identified either by its resource name and category (for ACTIVE +The finding can be identified either by its resource name and category (for ACTIVE findings) or directly by its finding ID (regardless of state). Options: @@ -98,16 +98,16 @@ Method 2 - By Finding ID (any state): Resource Name Examples: Container clusters: //container.googleapis.com/projects/PROJECT/locations/LOCATION/clusters/CLUSTER - + Compute instances: //compute.googleapis.com/projects/PROJECT/zones/ZONE/instances/INSTANCE - + Storage buckets: //storage.googleapis.com/projects/_/buckets/BUCKET Common Categories: - GKE_SECURITY_BULLETIN - - COMPUTE_ENGINE_SECURITY_BULLETIN + - COMPUTE_ENGINE_SECURITY_BULLETIN - CLOUD_SQL_SECURITY_BULLETIN - OPEN_FIREWALL - WEAK_SSL_POLICY diff --git a/.gemini/commands/secops.toml b/.gemini/commands/secops.toml index be89cbc3..c75a0dde 100644 --- a/.gemini/commands/secops.toml +++ b/.gemini/commands/secops.toml @@ -3,6 +3,7 @@ prompt = """ You are implementing /slash-commands to call the available MCP Tools """ + # SecOps entity_lookup [[subCommands]] name = "entity-lookup" @@ -14,7 +15,7 @@ Usage: /secops entity-lookup [OPTIONS] Look up an entity (IP, domain, hash, user, etc.) in Chronicle SIEM for enrichment. Provides a comprehensive summary of an entity's activity based on historical log data -within Chronicle over a specified time period. Chronicle automatically attempts to +within Chronicle over a specified time period. Chronicle automatically attempts to detect the entity type from the value provided. Options: @@ -70,7 +71,7 @@ Options: Examples: /secops ioc-matches # Get IoC matches from last 24 hours - /secops ioc-matches --hours-back 72 # Get IoC matches from last 3 days + /secops ioc-matches --hours-back 72 # Get IoC matches from last 3 days /secops ioc-matches --max-matches 50 # Get up to 50 IoC matches /secops ioc-matches --hours-back 48 --max-matches 100 @@ -302,7 +303,7 @@ At least one optional field should be provided to perform a meaningful update. Options: --alert-id Unique ID of the alert to update [REQUIRED] --reason Reason for closing alert - --priority Alert priority level + --priority Alert priority level --status Alert lifecycle status --verdict Investigation verdict (true/false positive) --severity Severity score (0-100) @@ -342,7 +343,7 @@ Examples: Use Cases: - Mark alerts as true/false positives after investigation -- Escalate or de-escalate alert priority based on impact assessment +- Escalate or de-escalate alert priority based on impact assessment - Add investigation comments and findings - Set final disposition when closing alerts - Update severity based on additional evidence @@ -637,10 +638,10 @@ Examples: severity = \"Medium\" yara_version = \"YL2.0\" events: - \$process.metadata.event_type = \"PROCESS_LAUNCH\" - \$process.principal.process.command_line = /powershell.*downloadfile/i + $process.metadata.event_type = "PROCESS_LAUNCH" + $process.principal.process.command_line = /powershell.*downloadfile/i condition: - \$process + $process }" YARA-L 2.0 Rule Structure: @@ -653,10 +654,10 @@ YARA-L 2.0 Rule Structure: mitre_attack_tactic = "TA0001" mitre_attack_technique = "T1059.001" events: # Event matching conditions using UDM fields - \$event.metadata.event_type = "PROCESS_LAUNCH" - \$event.principal.hostname != "" + $event.metadata.event_type = "PROCESS_LAUNCH" + $event.principal.hostname != "" condition: # Logic combining events - \$event + $event } Rule Development Best Practices: @@ -715,10 +716,10 @@ Examples: author = \"Security Team\" yara_version = \"YL2.0\" events: - \$e.metadata.event_type = \"NETWORK_CONNECTION\" - \$e.target.port = 443 + $e.metadata.event_type = "NETWORK_CONNECTION" + $e.target.port = 443 condition: - \$e + $e }" /secops test-rule --rule-text="..." --hours-back=24 --max-results=50 @@ -791,11 +792,11 @@ Examples: severity = \"Medium\" yara_version = \"YL2.0\" events: - \$e.metadata.event_type = \"NETWORK_CONNECTION\" - \$e.target.ip != \"\" - \$e.principal.hostname != \"\" + $e.metadata.event_type = "NETWORK_CONNECTION" + $e.target.ip != "" + $e.principal.hostname != "" condition: - \$e + $e }" Validation capabilities: @@ -918,7 +919,7 @@ Examples: /secops list-cases --next-page-token="abc123xyz" # Get next page of results Use Cases: -- Get high-level overview of current incident queue within SOAR platform +- Get high-level overview of current incident queue within SOAR platform - Find specific incidents to investigate further - First step in triage workflow to understand ongoing security events - Monitor case backlog and priorities @@ -930,7 +931,7 @@ The response includes: - Pagination tokens for additional results Important Triage Note: -Case priority is only an initial indicator. True importance must be assessed by +Case priority is only an initial indicator. True importance must be assessed by examining the full context (alerts, entities, potential impact, threat intelligence) using tools like /secops get-case-details. diff --git a/.gemini/commands/secops/soar.toml b/.gemini/commands/secops/soar.toml index 33a08adb..fa26693a 100644 --- a/.gemini/commands/secops/soar.toml +++ b/.gemini/commands/secops/soar.toml @@ -3,6 +3,41 @@ prompt = """ You are implementing /slash-commands to call the available MCP Tools """ +# SOAR Help Command +[[subCommands]] +name = "help" +description = "Show help information for SOAR (Security Orchestration, Automation, and Response) commands" +prompt = """ +SOAR (Security Orchestration, Automation, and Response) MCP Tools + +Security Orchestration, Automation, and Response (SOAR) platform integration for case management, +alert triage, entity investigation, and incident response workflow automation. + +Available Commands: + +CASE MANAGEMENT: + /secops:soar list-cases - List cases available in the SOAR platform + /secops:soar post-case-comment - Post a comment to a specific case for documentation + /secops:soar get-case-details - Retrieve comprehensive details for a specific case + /secops:soar change-case-priority - Change the priority level of a specific case + +ALERT INVESTIGATION: + /secops:soar list-alert-group-identifiers - List alert group identifiers for a case + /secops:soar list-alerts-by-case - List security alerts associated with a specific case + /secops:soar list-events-by-alert - List underlying security events for a specific alert + +ENTITY ANALYSIS: + /secops:soar get-entities-by-alert-groups - Retrieve entities involved in specific alert groups + /secops:soar get-entity-details - Fetch detailed information about a specific entity + /secops:soar search-entity - Search for entities based on various criteria + +For detailed help on any command, add --help to the command: + Example: /secops:soar list-cases --help + +These tools provide comprehensive SOAR platform integration for security incident management, +enabling efficient case triage, alert analysis, and entity investigation workflows. +""" + # SOAR Case Management Commands # SOAR list_cases @@ -11,7 +46,7 @@ name = "list-cases" description = "List cases available in the Security Orchestration, Automation, and Response (SOAR) platform" prompt = """ {% if help %} -Usage: /secops list-cases [OPTIONS] +Usage: /secops:soar list-cases [OPTIONS] List cases available in the Security Orchestration, Automation, and Response (SOAR) platform. @@ -24,8 +59,8 @@ Options: --help Show this help message Examples: - /secops list-cases # List current cases - /secops list-cases --next-page-token="abc123xyz" # Get next page of results + /secops:soar list-cases # List current cases + /secops:soar list-cases --next-page-token="abc123xyz" # Get next page of results Use Cases: - Get high-level overview of current incident queue within SOAR platform @@ -42,12 +77,12 @@ The response includes: Important Triage Note: Case priority is only an initial indicator. True importance must be assessed by examining the full context (alerts, entities, potential impact, threat intelligence) -using tools like /secops get-case-details. +using tools like /secops:soar get-case-details. Next Steps: -- Use /secops get-case-details --case-id=ID for comprehensive case analysis -- Use /secops list-alerts-by-case --case-id=ID to see associated alerts -- Use /secops change-case-priority if initial assessment suggests different priority +- Use /secops:soar get-case-details --case-id=ID for comprehensive case analysis +- Use /secops:soar list-alerts-by-case --case-id=ID to see associated alerts +- Use /secops:soar change-case-priority if initial assessment suggests different priority - Extract key indicators and use SIEM, TI, or other security tool integrations {% else %} Call the list_cases tool with: `list_cases(next_page_token={{next-page-token}})` @@ -64,7 +99,7 @@ name = "post-case-comment" description = "Post a comment to a specific case within the SOAR platform for documentation and collaboration" prompt = """ {% if help %} -Usage: /secops post-case-comment [OPTIONS] +Usage: /secops:soar post-case-comment [OPTIONS] Post a comment to a specific case within the SOAR platform. @@ -78,9 +113,9 @@ Options: --help Show this help message Examples: - /secops post-case-comment --case-id="523" --comment="Investigating potential impact" - /secops post-case-comment --case-id="724" --comment="Confirmed malicious activity - escalating" - /secops post-case-comment --case-id="891" --comment="False positive - benign admin activity" + /secops:soar post-case-comment --case-id="523" --comment="Investigating potential impact" + /secops:soar post-case-comment --case-id="724" --comment="Confirmed malicious activity - escalating" + /secops:soar post-case-comment --case-id="891" --comment="False positive - benign admin activity" Use Cases: - Document findings from other MCP tool investigations (SIEM, TI, EDR, Cloud) @@ -122,7 +157,7 @@ name = "list-alerts-by-case" description = "List the security alerts associated with a specific case ID in the SOAR platform" prompt = """ {% if help %} -Usage: /secops list-alerts-by-case [OPTIONS] +Usage: /secops:soar list-alerts-by-case [OPTIONS] List the security alerts associated with a specific case ID in the SOAR platform. @@ -136,8 +171,8 @@ Options: --help Show this help message Examples: - /secops list-alerts-by-case --case-id="523" - /secops list-alerts-by-case --case-id="724" --next-page-token="def456ghi" + /secops:soar list-alerts-by-case --case-id="523" + /secops:soar list-alerts-by-case --case-id="724" --next-page-token="def456ghi" Use Cases: - Understand specific triggers (alerts) and scope of incident in SOAR case @@ -157,9 +192,9 @@ Workflow Integration: - Provides foundation for deeper investigation into underlying events Next Steps: -- Use /secops list-events-by-alert to get raw events underlying specific alerts -- Use /secops list-alert-group-identifiers-by-case to understand alert groupings -- Use /secops get-entities-by-alert-group-identifiers to find entities in alert groups +- Use /secops:soar list-events-by-alert to get raw events underlying specific alerts +- Use /secops:soar list-alert-group-identifiers-by-case to understand alert groupings +- Use /secops:soar get-entities-by-alert-group-identifiers to find entities in alert groups - Extract indicators from alerts and use SIEM entity lookup or event search - Correlate alert details with findings from other security tools (EDR, Network, Cloud, TI) {% else %} @@ -181,7 +216,7 @@ name = "list-alert-group-identifiers" description = "List alert group identifiers associated with a specific case ID in the SOAR platform" prompt = """ {% if help %} -Usage: /secops list-alert-group-identifiers [OPTIONS] +Usage: /secops:soar list-alert-group-identifiers [OPTIONS] List alert group identifiers associated with a specific case ID in the SOAR platform. @@ -195,8 +230,8 @@ Options: --help Show this help message Examples: - /secops list-alert-group-identifiers --case-id="523" - /secops list-alert-group-identifiers --case-id="724" --next-page-token="ghi789jkl" + /secops:soar list-alert-group-identifiers --case-id="523" + /secops:soar list-alert-group-identifiers --case-id="724" --next-page-token="ghi789jkl" Use Cases: - Understand how alerts are grouped within the case @@ -215,7 +250,7 @@ Workflow Integration: - Prepares for targeted actions on specific alert groupings Next Steps: -- Use /secops get-entities-by-alert-group-identifiers to find entities in these groups +- Use /secops:soar get-entities-by-alert-group-identifiers to find entities in these groups - Use identifiers as parameters for playbook actions or integrations - Target specific alert groupings for automated or manual interventions {% else %} @@ -237,7 +272,7 @@ name = "list-events-by-alert" description = "List the underlying security events associated with a specific alert within a given case" prompt = """ {% if help %} -Usage: /secops list-events-by-alert [OPTIONS] +Usage: /secops:soar list-events-by-alert [OPTIONS] List the underlying security events associated with a specific alert within a given case. @@ -252,8 +287,8 @@ Options: --help Show this help message Examples: - /secops list-events-by-alert --case-id="523" --alert-id="751" - /secops list-events-by-alert --case-id="724" --alert-id="892" --next-page-token="xyz123abc" + /secops:soar list-events-by-alert --case-id="523" --alert-id="751" + /secops:soar list-events-by-alert --case-id="724" --alert-id="892" --next-page-token="xyz123abc" Use Cases: - Get ground truth event data (often from SIEM) to validate alerts @@ -301,7 +336,7 @@ name = "change-case-priority" description = "Change the priority level of a specific case in the SOAR platform" prompt = """ {% if help %} -Usage: /secops change-case-priority [OPTIONS] +Usage: /secops:soar change-case-priority [OPTIONS] Change the priority level of a specific case in the SOAR platform. @@ -318,9 +353,9 @@ Valid Priority Values: PriorityUnspecified, PriorityInfo, PriorityLow, PriorityMedium, PriorityHigh, PriorityCritical Examples: - /secops change-case-priority --case-id="523" --case-priority="PriorityHigh" - /secops change-case-priority --case-id="724" --case-priority="PriorityLow" - /secops change-case-priority --case-id="891" --case-priority="PriorityCritical" + /secops:soar change-case-priority --case-id="523" --case-priority="PriorityHigh" + /secops:soar change-case-priority --case-id="724" --case-priority="PriorityLow" + /secops:soar change-case-priority --case-id="891" --case-priority="PriorityCritical" Use Cases: - Escalate case priority based on new information from MCP tools (SIEM, TI, EDR) @@ -339,7 +374,7 @@ Workflow Integration: - Typically follows analysis using various MCP-enabled security tools Next Steps: -- Use /secops post-case-comment to document reason for priority change +- Use /secops:soar post-case-comment to document reason for priority change - Adjust investigation efforts based on new priority level - Consider resource allocation changes based on updated priority {% else %} @@ -361,7 +396,7 @@ name = "get-entities-by-alert-groups" description = "Retrieve entities (IPs, hostnames, users) involved in specific alert groups within a case" prompt = """ {% if help %} -Usage: /secops get-entities-by-alert-groups [OPTIONS] +Usage: /secops:soar get-entities-by-alert-groups [OPTIONS] Retrieve entities (e.g., IP addresses, hostnames, users) involved in specific alert groups within a case. @@ -375,8 +410,8 @@ Options: --help Show this help message Examples: - /secops get-entities-by-alert-groups --case-id="523" --alert-group-identifiers="rule_name_hash_guid" - /secops get-entities-by-alert-groups --case-id="724" --alert-group-identifiers="group1,group2,group3" + /secops:soar get-entities-by-alert-groups --case-id="523" --alert-group-identifiers="rule_name_hash_guid" + /secops:soar get-entities-by-alert-groups --case-id="724" --alert-group-identifiers="group1,group2,group3" Use Cases: - Identify specific assets, users, or indicators involved in incident stages @@ -396,7 +431,7 @@ Workflow Integration: Next Steps: - Analyze entity list to understand scope of impact -- Use /secops get-entity-details to get more SOAR-specific context on individual entities +- Use /secops:soar get-entity-details to get more SOAR-specific context on individual entities - Use SIEM entity lookup tools to get broader historical context for these entities - Use SIEM event search tools to find detailed logs related to entities' activities - Use threat intelligence tools to enrich the identified entities @@ -420,7 +455,7 @@ name = "get-entity-details" description = "Fetch detailed information about a specific entity known to the SOAR platform" prompt = """ {% if help %} -Usage: /secops get-entity-details [OPTIONS] +Usage: /secops:soar get-entity-details [OPTIONS] Fetch detailed information about a specific entity known to the SOAR platform. @@ -435,9 +470,9 @@ Options: --help Show this help message Examples: - /secops get-entity-details --entity-identifier="192.168.1.100" --entity-type="IP Address" --entity-environment="Production" - /secops get-entity-details --entity-identifier="user@company.com" --entity-type="User" --entity-environment="Corporate" - /secops get-entity-details --entity-identifier="workstation-01" --entity-type="Hostname" --entity-environment="Development" + /secops:soar get-entity-details --entity-identifier="192.168.1.100" --entity-type="IP Address" --entity-environment="Production" + /secops:soar get-entity-details --entity-identifier="user@company.com" --entity-type="User" --entity-environment="Corporate" + /secops:soar get-entity-details --entity-identifier="workstation-01" --entity-type="Hostname" --entity-environment="Development" Use Cases: - Get SOAR platform's specific view of entity with enrichments @@ -485,7 +520,7 @@ name = "search-entity" description = "Search for entities within the SOAR platform based on various criteria" prompt = """ {% if help %} -Usage: /secops search-entity [OPTIONS] +Usage: /secops:soar search-entity [OPTIONS] Search for entities within the SOAR platform based on various criteria. @@ -504,12 +539,12 @@ Options: --help Show this help message Examples: - /secops search-entity --term="192.168" # Search for IPs starting with 192.168 - /secops search-entity --type="IP Address,Hostname" # Search for IPs and hostnames - /secops search-entity --is-suspicious=true # Find all suspicious entities - /secops search-entity --is-internal-asset=false # Find external entities - /secops search-entity --network-name="DMZ,Production" # Search in specific networks - /secops search-entity --environment-name="Production" # Search in production environment + /secops:soar search-entity --term="192.168" # Search for IPs starting with 192.168 + /secops:soar search-entity --type="IP Address,Hostname" # Search for IPs and hostnames + /secops:soar search-entity --is-suspicious=true # Find all suspicious entities + /secops:soar search-entity --is-internal-asset=false # Find external entities + /secops:soar search-entity --network-name="DMZ,Production" # Search in specific networks + /secops:soar search-entity --environment-name="Production" # Search in production environment Use Cases: - Exploratory analysis within SOAR platform's entity database @@ -529,7 +564,7 @@ Workflow Integration: Next Steps: - Analyze the list of returned entities for patterns or relationships -- Use /secops get-entity-details for more SOAR-specific information on entities found +- Use /secops:soar get-entity-details for more SOAR-specific information on entities found - Use SIEM entity lookup tools for broader historical context on interesting entities - Use threat intelligence tools to enrich findings from the search results {% else %} @@ -571,7 +606,7 @@ name = "get-case-details" description = "Retrieve comprehensive details for a specific case by aggregating core information, alerts, and comments" prompt = """ {% if help %} -Usage: /secops get-case-details [OPTIONS] +Usage: /secops:soar get-case-details [OPTIONS] Retrieve comprehensive details for a specific case by aggregating its core information, associated alerts, and comments. @@ -584,8 +619,8 @@ Options: --help Show this help message Examples: - /secops get-case-details --case-id="523" - /secops get-case-details --case-id="724" + /secops:soar get-case-details --case-id="523" + /secops:soar get-case-details --case-id="724" Use Cases: - Primary tool for starting investigation of specific case identified within SOAR @@ -610,10 +645,10 @@ Workflow Integration: Next Steps (Essential for Full Investigation): - Analyze case_details for status, priority, and description -- Examine case_alerts to understand triggers - use /secops list-events-by-alert for underlying event data +- Examine case_alerts to understand triggers - use /secops:soar list-events-by-alert for underlying event data - Review case_comments for analyst notes or previous actions - Identify key entities from alerts or comments -- Use /secops get-entities-by-alert-groups to find entities associated with case/alert groups +- Use /secops:soar get-entities-by-alert-groups to find entities associated with case/alert groups - Enrich findings using SIEM (entity-lookup, search-events), TI (threat-intel), EDR, Cloud tools - Document investigation progress using case commenting tools - Consider adjusting case priority using priority management tools based on findings diff --git a/.gemini/commands/secops/soar/marketplace/chronicle.toml b/.gemini/commands/secops/soar/marketplace/chronicle.toml index fd4c51a0..2310c023 100644 --- a/.gemini/commands/secops/soar/marketplace/chronicle.toml +++ b/.gemini/commands/secops/soar/marketplace/chronicle.toml @@ -1,4 +1,5 @@ description = "Google Chronicle SOAR marketplace integration slash commands for SIEM security operations" +prompt = """You are taking commands and params and calling the available MCP Tools.""" [[subCommands]] name = "help" @@ -10,7 +11,7 @@ Chronicle SOAR Marketplace Integration Commands Available Commands: - rule-details: Fetch detailed information about Chronicle detection rules - detection-details: Get specific detection analysis and details -- udm-query: Execute custom UDM queries with flexible time filtering +- udm-query: Execute custom UDM queries with flexible time filtering - list-iocs: List enterprise IoCs discovered in specified time range - enrich-ip: Enrich IP addresses using Chronicle threat intelligence - ping: Test Chronicle integration connectivity @@ -53,12 +54,12 @@ Call the google_chronicle_get_rule_details tool with: `google_chronicle_get_rule name = "case-id" required = true description = "The unique identifier (ID) of the case" - + [[subCommands.args]] name = "alert-group-identifiers" required = true description = "Identifiers for the alert groups" - + [[subCommands.args]] name = "rule-id" required = true @@ -92,17 +93,17 @@ Call the google_chronicle_get_detection_details tool with: `google_chronicle_get name = "case-id" required = true description = "The unique identifier (ID) of the case" - + [[subCommands.args]] name = "alert-group-identifiers" required = true description = "Identifiers for the alert groups" - + [[subCommands.args]] name = "rule-id" required = true description = "The unique identifier of the Chronicle detection rule" - + [[subCommands.args]] name = "detection-id" required = true @@ -121,13 +122,13 @@ Arguments: query (required) The UDM query to execute in Chronicle time_frame (optional) Predefined time frame options start_time (optional) Custom start time in ISO 8601 format - end_time (optional) Custom end time in ISO 8601 format + end_time (optional) Custom end time in ISO 8601 format max_results (optional) Maximum number of results to return (default: 50, max: 10000) Time Frame Options: - "Alert Time Till Now" - "30 Minutes Around Alert Time" -- "1 Hour Around Alert Time" +- "1 Hour Around Alert Time" - "5 Minutes Around Alert Time" - "Custom" (requires start_time) @@ -147,32 +148,32 @@ Call the google_chronicle_execute_udm_query tool with: `google_chronicle_execute name = "case-id" required = true description = "The unique identifier (ID) of the case" - + [[subCommands.args]] name = "alert-group-identifiers" required = true description = "Identifiers for the alert groups" - + [[subCommands.args]] name = "query" required = true description = "The UDM query to execute in Chronicle" - + [[subCommands.args]] name = "time-frame" required = false description = "Predefined time frame for the query" - + [[subCommands.args]] name = "start-time" required = false description = "Custom start time in ISO 8601 format" - + [[subCommands.args]] name = "end-time" required = false description = "Custom end time in ISO 8601 format" - + [[subCommands.args]] name = "max-results" required = false @@ -207,17 +208,17 @@ Call the google_chronicle_list_io_cs tool with: `google_chronicle_list_io_cs(cas name = "case-id" required = true description = "The unique identifier (ID) of the case" - + [[subCommands.args]] name = "alert-group-identifiers" required = true description = "Identifiers for the alert groups" - + [[subCommands.args]] name = "start-time" required = false description = "Start time in RFC 3339 format" - + [[subCommands.args]] name = "max-iocs" required = false @@ -257,27 +258,27 @@ Call the google_chronicle_enrich_ip tool with: `google_chronicle_enrich_ip(case_ name = "case-id" required = true description = "The unique identifier (ID) of the case" - + [[subCommands.args]] name = "alert-group-identifiers" required = true description = "Identifiers for the alert groups" - + [[subCommands.args]] name = "severity-threshold" required = true description = "Lowest severity level to mark as suspicious" - + [[subCommands.args]] name = "mark-suspicious-n-a" required = true description = "Mark as suspicious if severity information is not available" - + [[subCommands.args]] name = "create-insight" required = false description = "Create insight containing enrichment information" - + [[subCommands.args]] name = "only-suspicious-insight" required = false @@ -309,7 +310,7 @@ Call the google_chronicle_ping tool with: `google_chronicle_ping(case_id={{case- name = "case-id" required = true description = "The unique identifier (ID) of the case" - + [[subCommands.args]] name = "alert-group-identifiers" required = true diff --git a/.gemini/commands/secops/soar/marketplace/crowdstrikefalcon.toml b/.gemini/commands/secops/soar/marketplace/crowdstrikefalcon.toml index f5fe7a5f..7e3c4acd 100644 --- a/.gemini/commands/secops/soar/marketplace/crowdstrikefalcon.toml +++ b/.gemini/commands/secops/soar/marketplace/crowdstrikefalcon.toml @@ -1,11 +1,9 @@ description = "CrowdStrike Falcon SOAR marketplace integration slash commands for endpoint security operations" -prompt = """ -You are implementing /slash-commands to call the available CrowdStrike Falcon MCP Tools defined in: -server/secops-soar/secops_soar_mcp/marketplace/crowdstrikefalcon.py +prompt = """You are taking commands and params and calling the available CrowdStrike Falcon MCP Tools. These commands enable endpoint detection and response (EDR) operations including: - Host management and information gathering -- Detection and alert management +- Detection and alert management - Incident response actions (containment, isolation) - Script execution and command running on endpoints - IOC management and threat hunting @@ -13,7 +11,6 @@ These commands enable endpoint detection and response (EDR) operations including """ # CrowdStrike Falcon Help Command - [[subCommands]] name = "help" description = "Show help information for CrowdStrike Falcon SOAR marketplace integration commands" @@ -26,7 +23,7 @@ Available Commands: HOST MANAGEMENT: /secops:soar:marketplace:crowdstrikefalcon list-hosts - List and filter hosts - /secops:soar:marketplace:crowdstrikefalcon get-host-info - Get detailed host information + /secops:soar:marketplace:crowdstrikefalcon get-host-info - Get detailed host information /secops:soar:marketplace:crowdstrikefalcon get-hosts-by-ioc - Find hosts with specific IOCs INCIDENT RESPONSE: @@ -65,11 +62,12 @@ For detailed help on any command, add --help to the command: SECURITY NOTES: - Commands like contain-endpoint will isolate systems from the network -- Script execution and file downloads require proper security precautions +- Script execution and file downloads require proper security precautions - Always verify IOCs before uploading to prevent false positives - Follow your organization's incident response procedures """ + # CrowdStrike Falcon Host Management Commands [[subCommands]] diff --git a/.gemini/commands/secops/soar/marketplace/virustotal.toml b/.gemini/commands/secops/soar/marketplace/virustotal.toml new file mode 100644 index 00000000..53521005 --- /dev/null +++ b/.gemini/commands/secops/soar/marketplace/virustotal.toml @@ -0,0 +1,318 @@ +description = "VirusTotal SOAR marketplace integration slash commands for threat analysis and file scanning" +prompt = "VirusTotal SOAR marketplace integration. Use '/virustotal help' for a list of commands." + +[[subCommands]] +name = "help" +description = "Show help for VirusTotal SOAR marketplace integration commands" +prompt = """ +{% if help %} +VirusTotal SOAR Marketplace Integration Commands + +Available Commands: +- scan-hash: Scan file hashes via VirusTotal with threat scoring +- ping: Test VirusTotal integration connectivity +- upload-scan-files: Upload and scan files from remote paths +- scan-url: Scan URLs for malicious content detection +- scan-ip: Scan IP addresses for threat intelligence +- get-domain-report: Retrieve comprehensive domain analysis reports + +Use /virustotal --help for detailed command usage. + +Security Context: +- All commands require active SOAR case context +- VirusTotal integration provides file, URL, IP, and domain threat analysis +- Essential for malware analysis, threat hunting, and IOC validation +- Supports threshold-based suspicious entity marking +{% else %} +Display help information for VirusTotal SOAR marketplace integration commands. +{% endif %} +""" + +[[subCommands]] +name = "scan-hash" +description = "Scan file hashes via VirusTotal with configurable threat threshold" +prompt = """ +{% if help %} +Usage: /virustotal scan-hash [OPTIONS] + +Scan file hashes via VirusTotal and mark entities as suspicious based on threat threshold. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for alert groups [REQUIRED] + --threshold Threshold for marking entities suspicious (number of negative engines) [REQUIRED] + --rescan-after-days Days after which to automatically rescan if results are older (optional) + --help Show this help message + +Examples: + /virustotal scan-hash --case-id="523" --alert-group-identifiers="group1" --threshold="5" + /virustotal scan-hash --case-id="724" --alert-group-identifiers="group1,group2" --threshold="3" --rescan-after-days="7" + +Use Cases: +- Analyze file hashes found in security incidents for malware detection +- Validate suspicious files against VirusTotal's threat intelligence database +- Set custom thresholds for marking entities as suspicious based on engine detections +- Automatically rescan older results to get latest threat intelligence + +Security Context: +- Marks entities as suspicious if negative engine detections meet or exceed threshold +- Creates insights for threat analysis and investigation documentation +- Supports both automatic rescanning and manual threshold configuration +{% else %} +Call the virus_total_scan_hash tool with: `virus_total_scan_hash(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, threshold={{threshold}}{% if rescan-after-days %}, rescan_after_days={{rescan-after-days}}{% endif %})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "threshold" + required = true + description = "Threshold for marking entities suspicious (number of negative engines)" + [[subCommands.args]] + name = "rescan-after-days" + required = false + description = "Days after which to automatically rescan if results are older" + +[[subCommands]] +name = "ping" +description = "Test connectivity to VirusTotal integration" +prompt = """ +{% if help %} +Usage: /virustotal ping [OPTIONS] + +Test connectivity to VirusTotal integration with configured parameters. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for alert groups [REQUIRED] + --help Show this help message + +Example: + /virustotal ping --case-id="523" --alert-group-identifiers="group1" + +Use Cases: +- Validate VirusTotal integration configuration and authentication +- Test API connectivity before running analysis commands +- Troubleshoot integration issues and verify API access +{% else %} +Call the virus_total_ping tool with: `virus_total_ping(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + +[[subCommands]] +name = "upload-scan-files" +description = "Upload and scan files from remote paths via VirusTotal" +prompt = """ +{% if help %} +Usage: /virustotal upload-scan-files [OPTIONS] + +Upload and scan files from remote paths (Windows share or Linux remote server) via VirusTotal. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for alert groups [REQUIRED] + --threshold Entity risk threshold for suspicious marking [REQUIRED] + --file-paths Target file path for upload and scanning [REQUIRED] + --linux-server-address Linux server address (e.g., x.x.x.x) (optional) + --linux-user Linux server username (optional) + --linux-password Linux server password (optional) + --help Show this help message + +Examples: + /virustotal upload-scan-files --case-id="523" --alert-group-identifiers="group1" --threshold="3" --file-paths="/tmp/suspicious.exe" + /virustotal upload-scan-files --case-id="724" --alert-group-identifiers="group1" --threshold="5" --file-paths="C:\\\\temp\\\\malware.dll" --linux-server-address="192.168.1.100" --linux-user="analyst" --linux-password="password" + +Use Cases: +- Upload suspicious files found during incident response for malware analysis +- Scan files from remote systems without transferring them locally +- Analyze files from both Windows shares and Linux remote servers +- Get comprehensive threat intelligence on uploaded files + +Security Context: +- Supports file upload from both Windows and Linux remote systems +- Applies configurable risk thresholds for suspicious entity marking +- Essential for malware analysis and file-based threat hunting +{% else %} +Call the virus_total_upload_and_scan_files tool with: `virus_total_upload_and_scan_files(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, threshold={{threshold}}, file_paths={{file-paths}}{% if linux-server-address %}, linux_server_address={{linux-server-address}}{% endif %}{% if linux-user %}, linux_user={{linux-user}}{% endif %}{% if linux-password %}, linux_password={{linux-password}}{% endif %})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "threshold" + required = true + description = "Entity risk threshold for suspicious marking" + [[subCommands.args]] + name = "file-paths" + required = true + description = "Target file path for upload and scanning" + [[subCommands.args]] + name = "linux-server-address" + required = false + description = "Linux server address (e.g., x.x.x.x)" + [[subCommands.args]] + name = "linux-user" + required = false + description = "Linux server username" + [[subCommands.args]] + name = "linux-password" + required = false + description = "Linux server password" + +[[subCommands]] +name = "scan-url" +description = "Scan URLs for malicious content detection via VirusTotal" +prompt = """ +{% if help %} +Usage: /virustotal scan-url [OPTIONS] + +Scan URLs for malicious content detection using VirusTotal's threat intelligence. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for alert groups [REQUIRED] + --threshold Threshold for marking URLs suspicious (number of negative engines) [REQUIRED] + --rescan-after-days Days after which to automatically rescan if results are older (optional) + --help Show this help message + +Examples: + /virustotal scan-url --case-id="523" --alert-group-identifiers="group1" --threshold="3" + /virustotal scan-url --case-id="724" --alert-group-identifiers="group1,group2" --threshold="5" --rescan-after-days="30" + +Use Cases: +- Analyze suspicious URLs found in phishing campaigns or malicious emails +- Validate URLs against VirusTotal's threat intelligence database +- Set custom thresholds for marking URLs as malicious based on engine detections +- Monitor URL reputation changes over time with automatic rescanning + +Security Context: +- Essential for phishing detection and malicious URL analysis +- Marks URLs as suspicious based on configurable engine threshold +- Supports automatic rescanning to get latest threat intelligence +{% else %} +Call the virus_total_scan_url tool with: `virus_total_scan_url(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}, threshold={{threshold}}{% if rescan-after-days %}, rescan_after_days={{rescan-after-days}}{% endif %})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "threshold" + required = true + description = "Threshold for marking URLs suspicious (number of negative engines)" + [[subCommands.args]] + name = "rescan-after-days" + required = false + description = "Days after which to automatically rescan if results are older" + +[[subCommands]] +name = "scan-ip" +description = "Scan IP addresses for threat intelligence via VirusTotal" +prompt = """ +{% if help %} +Usage: /virustotal scan-ip [OPTIONS] + +Scan IP addresses for threat intelligence using VirusTotal's database. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for alert groups [REQUIRED] + --threshold Threshold for detected malicious samples related to IP (optional) + --help Show this help message + +Examples: + /virustotal scan-ip --case-id="523" --alert-group-identifiers="group1" + /virustotal scan-ip --case-id="724" --alert-group-identifiers="group1,group2" --threshold="10" + +Use Cases: +- Analyze suspicious IP addresses found in network traffic or security alerts +- Validate IP reputation against VirusTotal's threat intelligence +- Identify command and control servers or malicious infrastructure +- Set thresholds for marking IPs as suspicious based on related malicious samples + +Security Context: +- Essential for network-based threat hunting and IP reputation analysis +- Marks IPs as suspicious if related malicious samples exceed threshold +- Supports threat intelligence gathering for network security investigations +{% else %} +Call the virus_total_scan_ip tool with: `virus_total_scan_ip(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}}{% if threshold %}, threshold={{threshold}}{% endif %})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" + [[subCommands.args]] + name = "threshold" + required = false + description = "Threshold for detected malicious samples related to IP" + +[[subCommands]] +name = "get-domain-report" +description = "Retrieve comprehensive domain analysis reports from VirusTotal" +prompt = """ +{% if help %} +Usage: /virustotal get-domain-report [OPTIONS] + +Retrieve comprehensive domain analysis reports from VirusTotal's threat intelligence. + +Options: + --case-id The unique identifier (ID) of the case [REQUIRED] + --alert-group-identifiers Comma-separated identifiers for alert groups [REQUIRED] + --help Show this help message + +Examples: + /virustotal get-domain-report --case-id="523" --alert-group-identifiers="group1" + /virustotal get-domain-report --case-id="724" --alert-group-identifiers="group1,group2" + +Use Cases: +- Get detailed analysis of suspicious domains found in security incidents +- Analyze domain reputation and associated threat intelligence +- Investigate phishing domains or malicious infrastructure +- Gather comprehensive domain information for threat hunting + +Security Context: +- Provides detailed domain reputation and threat intelligence analysis +- Essential for investigating suspicious domains in phishing and malware campaigns +- Supports comprehensive domain-based threat hunting activities +{% else %} +Call the virus_total_get_domain_report tool with: `virus_total_get_domain_report(case_id={{case-id}}, alert_group_identifiers={{alert-group-identifiers}})` +{% endif %} +""" + [[subCommands.args]] + name = "case-id" + required = true + description = "The unique identifier (ID) of the case" + [[subCommands.args]] + name = "alert-group-identifiers" + required = true + description = "Comma-separated identifiers for the alert groups" \ No newline at end of file