Claude Code Plugins

Community-maintained marketplace

secops-investigate

@google/mcp-security

Expert guidance for deep security investigations. Use this when the user asks to "investigate" a case, entity, or incident.

Install Skill

1. Download skill
2. Enable skills in Claude: open claude.ai/settings/capabilities and find the "Skills" section
3. Upload to Claude: click "Upload skill" and select the downloaded ZIP file

Note: Read through the skill's instructions and verify them before using it.

SKILL.md

name: secops-investigate
description: Expert guidance for deep security investigations. Use this when the user asks to "investigate" a case, entity, or incident.
slash_command: /security:investigate
category: security_operations
personas: incident_responder, tier2_soc_analyst

Security Investigator

You are a Tier 2/3 SOC Analyst and Incident Responder. Your goal is to investigate security incidents thoroughly.

Tool Selection & Availability

CRITICAL: Before executing any step, determine which tools are available in the current environment.

  1. Check Availability: Look for Remote tools (e.g., list_cases, udm_search) first. If unavailable, use Local tools (e.g., list_cases, search_security_events).
  2. Reference Mapping: Use extensions/google-secops/TOOL_MAPPING.md to find the correct tool for each capability.
  3. Adapt Workflow: If using Remote tools for Natural Language Search, perform translate_udm_query then udm_search. If using Local tools, use search_security_events directly.

Procedures

Select the procedure best suited for the investigation type.

Malware Investigation (Triage)

Objective: Analyze a suspected malicious file hash to determine nature and impact. Inputs: ${FILE_HASH}, ${CASE_ID}. Steps:

  1. Context:

    • Remote: get_case + list_case_alerts.
    • Local: get_case_full_details.
  2. SIEM Prevalence:

    • Remote: summarize_entity (hash).
    • Local: lookup_entity (hash).
  3. SIEM Execution Check:

    • Action: Search for PROCESS_LAUNCH or FILE_CREATION events involving the hash. A process launch carries the hash on target.process.file and a file write carries it on target.file, so the query has to cover both locations.
    • Query: (metadata.event_type = "PROCESS_LAUNCH" OR metadata.event_type = "FILE_CREATION") AND (target.process.file.sha256 = "${FILE_HASH}" OR target.process.file.md5 = "${FILE_HASH}" OR target.file.sha256 = "${FILE_HASH}" OR target.file.md5 = "${FILE_HASH}")
    • Remote: udm_search (using UDM query).
    • Local: search_udm (using UDM query).
    • Identify ${AFFECTED_HOSTS}.
  4. SIEM Network Check:

    • Action: Search for network activity produced by the malicious process on ${AFFECTED_HOSTS}, with the search window set around the execution times found in step 3.
    • Query: (metadata.event_type = "NETWORK_CONNECTION" OR metadata.event_type = "NETWORK_DNS") AND principal.process.file.sha256 = "${FILE_HASH}"
    • Remote: udm_search.
    • Local: search_udm.
    • Identify ${NETWORK_IOCS}.
  5. Enrichment: Execute Common Procedure: Enrich IOC for network IOCs.

  6. Related Cases: Execute Common Procedure: Find Relevant SOAR Case using hosts/users/IOCs.

  7. Synthesize: Assess severity using the matrix below.

    Severity Assessment Matrix:

    | Factor       | Low           | Medium          | High       | Critical         |
    |--------------|---------------|-----------------|------------|------------------|
    | Execution    | Not executed  | Downloaded only | Executed   | Active C2/Spread |
    | Spread       | Single host   | 2-5 hosts       | 6-20 hosts | > 20 hosts       |
    | Network IOCs | None observed | Benign          | Suspicious | Known Malicious  |
    | Data at Risk | None          | Low value       | PII/Creds  | Critical Systems |
  8. Document: Execute Common Procedure: Document in SOAR.

  9. Report: Optionally Execute Common Procedure: Generate Report File.
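Steps 3 and 4 of the triage, worked through in code. This is an added example, not part of the skill or of the google/mcp-security project: it validates ${FILE_HASH} before it is interpolated into a UDM query (so a hostile value pulled from a case cannot rewrite the search), builds the execution query over both UDM hash locations, derives ${AFFECTED_HOSTS} and their earliest sighting from constructed search results, and builds the network query plus the time window to hand to the search tool's start/end parameters. The event layout of the constructed results and the 30-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed UDM-shaped search results standing in for the step-3 output.
# The shape is an assumption for this example, not the real tool's schema.
SAMPLE_EXEC_EVENTS = [
    {"metadata": {"event_type": "FILE_CREATION", "event_timestamp": "2024-05-01T09:58:40Z"},
     "principal": {"hostname": "ws-017"},
     "target": {"file": {"sha256": "a" * 64}}},
    {"metadata": {"event_type": "PROCESS_LAUNCH", "event_timestamp": "2024-05-01T10:00:05Z"},
     "principal": {"hostname": "ws-017"},
     "target": {"process": {"file": {"sha256": "a" * 64}}}},
    {"metadata": {"event_type": "PROCESS_LAUNCH", "event_timestamp": "2024-05-01T10:03:12Z"},
     "principal": {"hostname": "srv-db-02"},
     "target": {"process": {"file": {"sha256": "a" * 64}}}},
    {"metadata": {"event_type": "FILE_CREATION", "event_timestamp": "2024-05-01T10:04:00Z"},
     "principal": {"ip": "10.0.0.9"},  # no hostname: cannot go into the host filter
     "target": {"file": {"sha256": "a" * 64}}},
]

# UDM hash field chosen by digest length (assumed mapping for this example).
HASH_FIELDS = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_hash(file_hash):
    """Validate ${FILE_HASH} as a hex digest and pick the matching UDM field.
    Validating before interpolation stops a hostile case value from rewriting the query."""
    digest = file_hash.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) not in HASH_FIELDS:
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {file_hash!r}")
    return digest, HASH_FIELDS[len(digest)]


def execution_query(file_hash):
    """Step 3: launches carry the hash on target.process.file, writes on target.file."""
    digest, field = normalize_hash(file_hash)
    return ('(metadata.event_type = "PROCESS_LAUNCH" OR metadata.event_type = "FILE_CREATION") AND '
            f'(target.process.file.{field} = "{digest}" OR target.file.{field} = "{digest}")')


def _ts(event):
    return datetime.fromisoformat(event["metadata"]["event_timestamp"].replace("Z", "+00:00"))


def affected_hosts(events):
    """Step 3 output: ${AFFECTED_HOSTS} as hostname -> earliest sighting (UTC)."""
    seen = {}
    for ev in events:
        host = ev.get("principal", {}).get("hostname")
        if not host or not re.fullmatch(r"[A-Za-z0-9._-]+", host):
            continue  # skip anything that cannot be quoted safely into a query
        when = _ts(ev)
        if host not in seen or when < seen[host]:
            seen[host] = when
    return seen


def network_query(file_hash, hosts, window_minutes=30):
    """Step 4: network events produced by the process on the affected hosts.
    The time bounds are returned for the search tool's start/end parameters."""
    if not hosts:
        raise ValueError("no affected hosts; nothing to scope the network search to")
    digest, field = normalize_hash(file_hash)
    host_filter = " OR ".join(f'principal.hostname = "{h}"' for h in sorted(hosts))
    query = ('(metadata.event_type = "NETWORK_CONNECTION" OR metadata.event_type = "NETWORK_DNS" '
             'OR metadata.event_type = "NETWORK_HTTP") AND '
             f'principal.process.file.{field} = "{digest}" AND ({host_filter})')
    start = min(hosts.values()) - timedelta(minutes=window_minutes)
    end = max(hosts.values()) + timedelta(minutes=window_minutes)
    return query, start, end


if __name__ == "__main__":
    hosts = affected_hosts(SAMPLE_EXEC_EVENTS)
    print(execution_query("A" * 64))
    q, start, end = network_query("a" * 64, hosts)
    print(q, start.isoformat(), end.isoformat(), sep="\n")
```

The hostname filter is built only from values that pass the same kind of allow-list check as the hash; SIEM results are data, and anything that reaches a query string should be treated as untrusted input.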

Lateral Movement Investigation (PsExec/WMI)

Objective: Investigate signs of lateral movement (PsExec, WMI abuse). Inputs: ${TIME_FRAME_HOURS}, ${TARGET_SCOPE}. Steps:

  1. Technique Research: Review MITRE ATT&CK techniques T1021.002 (SMB/Windows Admin Shares) and T1047 (WMI).
  2. SIEM Queries:
    • PsExec Service Installation:
      • metadata.product_event_type = "ServiceInstalled" AND target.process.file.full_path CONTAINS "PSEXESVC.exe"
    • PsExec Execution:
      • target.process.file.full_path CONTAINS "PSEXESVC.exe"
    • WMI Process Creation (WmiPrvSE.exe spawning a shell; full_path holds the whole path, so match the file name with CONTAINS rather than comparing it to a bare name):
      • metadata.event_type = "PROCESS_LAUNCH" AND principal.process.file.full_path = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" AND (target.process.file.full_path CONTAINS "cmd.exe" OR target.process.file.full_path CONTAINS "powershell.exe")
    • WMI Remote Execution:
      • principal.process.command_line CONTAINS "wmic" AND principal.process.command_line CONTAINS "/node:" AND principal.process.command_line CONTAINS "process call create"
  3. Execute:
    • Remote: udm_search.
    • Local: search_udm.
  4. Correlate: Check for network connections (SMB port 445) matching process times. Query: metadata.event_type = "NETWORK_CONNECTION" AND target.port = 445, scoped to the hosts from step 3 and to a window of a few seconds before each service install or process launch; the connecting principal.hostname / principal.ip is the likely source of the lateral movement.
  5. Enrich: Execute Common Procedure: Enrich IOC for involved IPs/Hosts.
  6. Document: Execute Common Procedure: Document in SOAR.
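Step 4's correlation, as an added example that is not part of the skill or of the google/mcp-security project. It pairs each PSEXESVC.exe launch with a port-445 connection to the same host that arrived in the seconds before it, over constructed UDM-shaped events, and then lists the sources that reached more than one host, which is the ${TARGET_SCOPE} to enrich first. The event layout, the 60-second window, and the case-insensitive file-name check are assumptions; the name check is deliberately case-insensitive because a literal match on "PSEXESVC.exe" misses a lowercase path.

```python
from datetime import datetime


def _get(event, dotted, default=None):
    """Read a nested UDM field by dotted path, e.g. 'target.process.file.full_path'."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def _ts(event):
    return datetime.fromisoformat(_get(event, "metadata.event_timestamp").replace("Z", "+00:00"))


# Constructed results standing in for the skill's step-3 searches (shape assumed).
SAMPLE_PROCESS_EVENTS = [
    {"metadata": {"event_type": "PROCESS_LAUNCH", "event_timestamp": "2024-05-01T10:00:05Z"},
     "principal": {"hostname": "SRV-FILE-01"},
     "target": {"process": {"file": {"full_path": "C:\\Windows\\PSEXESVC.exe"},
                            "command_line": "C:\\Windows\\PSEXESVC.exe"}}},
    {"metadata": {"event_type": "PROCESS_LAUNCH", "event_timestamp": "2024-05-01T10:00:06Z"},
     "principal": {"hostname": "srv-file-01"},
     "target": {"process": {"file": {"full_path": "C:\\Windows\\System32\\svchost.exe"},
                            "command_line": "svchost.exe -k netsvcs"}}},
    {"metadata": {"event_type": "PROCESS_LAUNCH", "event_timestamp": "2024-05-01T11:00:00Z"},
     "principal": {"hostname": "srv-app-03"},
     "target": {"process": {"file": {"full_path": "c:\\windows\\psexesvc.exe"},
                            "command_line": "c:\\windows\\psexesvc.exe"}}},
]
SAMPLE_NETWORK_EVENTS = [
    {"metadata": {"event_type": "NETWORK_CONNECTION", "event_timestamp": "2024-05-01T10:00:02Z"},
     "principal": {"hostname": "ws-017"}, "target": {"hostname": "srv-file-01", "port": 445}},
    {"metadata": {"event_type": "NETWORK_CONNECTION", "event_timestamp": "2024-05-01T09:30:00Z"},
     "principal": {"hostname": "ws-042"}, "target": {"hostname": "srv-file-01", "port": 445}},
    {"metadata": {"event_type": "NETWORK_CONNECTION", "event_timestamp": "2024-05-01T10:00:03Z"},
     "principal": {"hostname": "ws-017"}, "target": {"hostname": "srv-file-01", "port": 3389}},
    {"metadata": {"event_type": "NETWORK_CONNECTION", "event_timestamp": "2024-05-01T10:59:50Z"},
     "principal": {"hostname": "ws-017"}, "target": {"hostname": "srv-app-03", "port": 445}},
]


def is_psexec_service(event):
    """Name-based check from the skill's PsExec queries, made case-insensitive."""
    path = str(_get(event, "target.process.file.full_path", "")).lower()
    return _get(event, "metadata.event_type") == "PROCESS_LAUNCH" and path.endswith("psexesvc.exe")


def correlate_psexec(process_events, network_events, window_seconds=60):
    """Step 4: pair each PSEXESVC launch with an SMB (445) connection to the same
    host that arrived within window_seconds before it. One dict per pairing."""
    smb = [ne for ne in network_events
           if _get(ne, "metadata.event_type") == "NETWORK_CONNECTION"
           and _get(ne, "target.port") == 445]
    hits = []
    for pe in process_events:
        if not is_psexec_service(pe):
            continue
        launched = _ts(pe)
        victim = str(_get(pe, "principal.hostname", "")).lower()
        for ne in smb:
            if str(_get(ne, "target.hostname", "")).lower() != victim:
                continue
            lead = (launched - _ts(ne)).total_seconds()
            if 0 <= lead <= window_seconds:  # the connection precedes the service start
                hits.append({
                    "source_host": _get(ne, "principal.hostname"),
                    "target_host": victim,
                    "launched_at": launched.isoformat(),
                    "seconds_before_launch": lead,
                    "command_line": _get(pe, "target.process.command_line"),
                })
    return sorted(hits, key=lambda h: h["launched_at"])


def pivot_sources(hits):
    """Sources that reached more than one host: enrich these first."""
    targets = {}
    for h in hits:
        targets.setdefault(h["source_host"], set()).add(h["target_host"])
    return sorted(src for src, hosts in targets.items() if len(hosts) > 1)


if __name__ == "__main__":
    found = correlate_psexec(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS)
    for h in found:
        print(h)
    print("pivoting sources:", pivot_sources(found))
```

A renamed service binary defeats the name check, so the 445 correlation is the part worth keeping even when the process query returns nothing; widen the window if the environment's clocks are not well synchronized.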

Create Investigation Report

Objective: Consolidate findings into a formal report. Inputs: ${CASE_ID}. Steps:

  1. Gather Context:
    • Remote: get_case + list_case_comments.
    • Local: get_case_full_details.
    • Identify key entities.
  2. Synthesize: Combine findings from SIEM, IOC matches, and case history.
  3. Structure: Create Markdown content (Executive Summary, Timeline, Findings, Recommendations).
  4. Diagram: Generate a Mermaid sequence diagram of the investigation.
  5. Redaction: CRITICAL: Confirm the report contains no sensitive PII or secrets (credentials, tokens, keys) before it is written anywhere.
  6. Generate File: Execute Common Procedure: Generate Report File.
  7. Document: Execute Common Procedure: Document in SOAR with status and report location.

Common Procedures

Enrich IOC (SIEM Prevalence)

Steps:

  1. SIEM Summary: summarize_entity (Remote) or lookup_entity (Local).
  2. IOC Match: get_ioc_match (Remote) or get_ioc_matches (Local).
  3. Return combined findings.

Find Relevant SOAR Case

Steps:

  1. Search: list_cases with filters for entity values.
  2. Return list of ${RELEVANT_CASE_IDS}.

Document in SOAR

Steps:

  1. Post: create_case_comment (Remote) or post_case_comment (Local).

Generate Report File

Tool: write_file (Agent Capability)

Steps:

  1. Construct filename: reports/${REPORT_TYPE}_${SUFFIX}_${TIMESTAMP}.md.
  2. Write content to file using write_file.
  3. Return path.
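The redaction gate from Create Investigation Report step 5 and the file writing from Generate Report File, together as an added example that is not part of the skill or of the google/mcp-security project. It scans the Markdown for a handful of PII and secret patterns, refuses to write while any remain, restricts ${REPORT_TYPE} and ${SUFFIX} to an allow-list so a case-derived suffix cannot escape the reports directory, and builds reports/${REPORT_TYPE}_${SUFFIX}_${TIMESTAMP}.md. The patterns, the allow-list, and the timestamp format are assumptions; a real deployment would tune them to its own data.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Patterns for the redaction gate. Constructed for this example, not exhaustive.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{20,}", re.I),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Allow-list for path components (assumed): no separators, no dots, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def find_sensitive(text):
    """Return (label, match) pairs for anything the report must not contain."""
    hits = []
    for label, pattern in SENSITIVE_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((label, m.group(0)))
    return hits


def report_path(report_type, suffix, timestamp, base_dir="."):
    """Build reports/${REPORT_TYPE}_${SUFFIX}_${TIMESTAMP}.md under base_dir,
    refusing any component that could escape the reports directory."""
    for part in (report_type, suffix, timestamp):
        if not SAFE_NAME.match(part):
            raise ValueError(f"unsafe path component: {part!r}")
    return os.path.join(base_dir, "reports", f"{report_type}_{suffix}_{timestamp}.md")


def write_report(content, report_type, suffix, base_dir=".", now=None):
    """Run the redaction gate, then write the file and return its path."""
    hits = find_sensitive(content)
    if hits:
        labels = sorted({label for label, _ in hits})
        raise ValueError(f"report contains unredacted sensitive data: {labels}")
    now = now or datetime.now(timezone.utc)
    path = report_path(report_type, suffix, now.strftime("%Y%m%dT%H%M%SZ"), base_dir)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    return path


def demo():
    """Exercise the gate in a temporary directory and return what happened."""
    clean = "# Executive Summary\n\nHost ws-017 executed the sample; no C2 observed.\n"
    leaky = clean + "\nAnalyst: alice@example.com, key AKIAABCDEFGHIJKLMNOP\n"
    with tempfile.TemporaryDirectory() as tmp:
        written = write_report(clean, "investigation", "case-1234", base_dir=tmp)
        exists = os.path.isfile(written)
        try:
            write_report(leaky, "investigation", "case-1234", base_dir=tmp)
            blocked = False
        except ValueError:
            blocked = True
    return {"written": exists, "blocked": blocked,
            "leaks": sorted({label for label, _ in find_sensitive(leaky)})}


if __name__ == "__main__":
    print(demo())
```

Blocking the write is the point: a report that fails the gate is returned to the analyst for redaction rather than silently written with the offending strings masked, because a masked secret still tells a reader that one was present and where.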