
secops-investigate

Expert guidance for deep security investigations. Use this skill when the user asks to "investigate" a case, entity, or incident.

Score: 76
Quality (does it follow best practices?): 65%
Impact (average score across 3 eval scenarios): 97% (1.46x)
Security (by Snyk): Passed, no known issues

Optimize this skill with Tessl:

npx tessl skill review --optimize ./extensions/google-secops/skills/investigate/SKILL.md

Evaluation results

Malware Triage: Suspicious Endpoint Alert
Malware investigation triage workflow. Overall: 97% with context, 46% without context.

Criteria                      Without context   With context
Remote tool priority          75%               62%
Case context tool             37%               100%
SIEM Prevalence tool          0%                100%
Execution check UDM query     60%               100%
Network check UDM query       0%                100%
SIEM search tool              50%               100%
IOC enrichment two-step       20%               100%
Severity matrix applied       100%              100%
SOAR documentation tool       0%                100%
SIEM queries file             100%              100%
AFFECTED_HOSTS identified     100%              100%
NETWORK_IOCS identified       100%              100%

Post-Incident Report: Ransomware Precursor Activity
Investigation report generation and formatting. Overall: 94% with context, 21% without context.

Criteria                      Without context   With context
Executive Summary section     100%              100%
Timeline section              100%              100%
Findings section              100%              100%
Recommendations section       100%              100%
Mermaid sequence diagram      0%                100%
Report filename format        0%                50%
No SSN in report              100%              100%
No API key in report          100%              100%
No personal email in report   100%              100%
Markdown format               100%              100%
Tool call documented          100%              100%
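The three exclusion criteria in this scenario (no SSN, no API key, no personal email in the report) are the kind of gate a report-generation step should pass before the file is written. The page does not show how the eval checks them; the following Python scanner and redactor is an added example, not the skill's own check. The regex patterns, the list of personal email domains, the `corp_domains` parameter and the report text are illustrative assumptions.

```python
"""PII/secret gate for a generated investigation report.

Added example, not the skill's own check. The patterns, the personal
email domain list and the report text are illustrative and constructed."""
import re

# Assumption: the organisation treats these webmail domains as personal.
PERSONAL_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com",
                          "hotmail.com", "protonmail.com"}

# (kind, regex, capture group holding the value to redact)
PATTERNS = [
    # US SSN with the always-invalid area/group/serial values excluded
    ("ssn", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), 0),
    # AWS access key IDs (long-term AKIA..., temporary ASIA...)
    ("aws_access_key", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), 0),
    # key=value style secrets; only the value (group 1) is redacted
    ("generic_api_key",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"), 1),
]
EMAIL = re.compile(r"\b[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")

# Constructed sample report; AKIAIOSFODNN7EXAMPLE is the AWS documentation
# example key, the other values are made up.
SAMPLE_REPORT = """Investigation Report: CASE-1042

Executive Summary
Host WS01 (analyst contact j.doe@example.com) ran PSEXESVC.exe against SRV02.

Findings
- HR export on SRV02 contained SSN 123-45-6789.
- Config dump exposed api_key = sk_live_9fX2kLmQ8rTzW4vB1nHp
- Exfil destination registered to mallory.ops@gmail.com
- AWS key observed in bash history: AKIAIOSFODNN7EXAMPLE
"""


def scan_report(text, corp_domains=()):
    """Return findings: kind, offending value, 1-based line number.

    Emails are flagged when the domain is a known personal provider or,
    if corp_domains is given, when it is not one of the organisation's."""
    findings = []
    for kind, rx, group in PATTERNS:
        for m in rx.finditer(text):
            findings.append({"kind": kind, "value": m.group(group),
                             "line": text.count("\n", 0, m.start()) + 1})
    for m in EMAIL.finditer(text):
        domain = m.group(1).lower()
        if domain in PERSONAL_EMAIL_DOMAINS or (corp_domains and domain not in corp_domains):
            findings.append({"kind": "personal_email", "value": m.group(0),
                             "line": text.count("\n", 0, m.start()) + 1})
    return findings


def redact(text, corp_domains=()):
    """Replace every flagged value with a typed placeholder."""
    for f in scan_report(text, corp_domains):
        text = text.replace(f["value"], f"[REDACTED:{f['kind']}]")
    return text


def report_is_clean(text, corp_domains=()):
    """Gate to run before writing the report file."""
    return not scan_report(text, corp_domains)


if __name__ == "__main__":
    for f in scan_report(SAMPLE_REPORT, corp_domains=("example.com",)):
        print(f"line {f['line']}: {f['kind']} -> {f['value']}")
    print(redact(SAMPLE_REPORT, corp_domains=("example.com",)))
```

Only the secret value after `api_key =` is replaced, so the report still says which setting was exposed; the analyst's corporate address survives because its domain is allow-listed, while the webmail address is treated as personal.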

Threat Hunt: Unauthorized Admin Tool Usage
Lateral movement detection and SIEM queries. Overall: 100% with context, 26% without context.

Criteria                      Without context   With context
MITRE T1021.002 reference     100%              100%
MITRE T1047 reference         100%              100%
PsExec service install query  40%               100%
PsExec execution query        75%               100%
WMI process creation query    100%              100%
WMI remote execution query    0%                100%
SMB port 445 correlation      20%               100%
udm_search for queries        100%              100%
Related cases procedure       100%              100%
SOAR documentation tool       100%              100%
Correlation step present      100%              100%
Both output files created     100%              100%
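The threat hunt scenario scores whether the skill produces PsExec, WMI and SMB correlation queries, but the page does not show them. The following Python detector is an added example, not the skill's queries or anything from google/mcp-security: it runs the same logic over constructed UDM-like events. The flat field names (`type`, `host`, `dst_port`, `parent_process`, ...) are an assumed simplification, not the real Chronicle UDM schema. One caveat it encodes: the SMB/445 correlation belongs to the PsExec path (T1021.002, ADMIN$ share), while WMI remote execution (T1047) arrives over DCOM/RPC on 135, so correlating WMI artifacts against 445 would miss them.

```python
"""Lateral-movement hunt over constructed UDM-like events.

Added example; not part of the google/mcp-security skill, and not the
SIEM queries the eval scored. The flat field names (type, host, dst_port,
parent_process, ...) are an assumed simplification of Chronicle UDM, not
the real schema."""
import ntpath
from datetime import datetime

# Constructed sample telemetry: WS01 runs PsExec against SRV02 (SMB/445, then
# PSEXESVC service install and a child shell), then uses WMI against SRV03
# (DCOM/135, then a WmiPrvSE.exe child). The WS04 event is benign noise.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "type": "NETWORK_CONNECTION",
     "src_host": "WS01", "dst_host": "SRV02", "dst_port": 445},
    {"ts": "2024-05-01T10:00:03", "type": "SERVICE_INSTALL", "host": "SRV02",
     "product_event_type": "7045", "service_name": "PSEXESVC",
     "image_path": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2024-05-01T10:00:04", "type": "PROCESS_LAUNCH", "host": "SRV02",
     "parent_process": r"C:\Windows\PSEXESVC.exe",
     "process": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2024-05-01T10:05:00", "type": "NETWORK_CONNECTION",
     "src_host": "WS01", "dst_host": "SRV03", "dst_port": 135},
    {"ts": "2024-05-01T10:05:02", "type": "PROCESS_LAUNCH", "host": "SRV03",
     "parent_process": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "process": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c net user svc_backup P@ssw0rd /add"},
    {"ts": "2024-05-01T11:00:00", "type": "PROCESS_LAUNCH", "host": "WS04",
     "parent_process": r"C:\Windows\explorer.exe",
     "process": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]


def _basename(path):
    return ntpath.basename(path or "").lower()


def _finding(event, technique, indicator, lateral_port, evidence):
    return {"ts": event["ts"], "host": event["host"], "technique": technique,
            "indicator": indicator, "lateral_port": lateral_port,
            "evidence": evidence, "source_host": None}


def find_remote_exec(events):
    """Host-side indicators of remote execution, before network correlation.

    PsExec copies PSEXESVC.exe to ADMIN$ and installs it as a service
    (System log event 7045), so the install and any child of PSEXESVC.exe
    map to T1021.002. A shell spawned by WmiPrvSE.exe is the classic
    artifact of remote Win32_Process.Create (T1047)."""
    findings = []
    for e in events:
        if e["type"] == "SERVICE_INSTALL" and (
                e.get("service_name", "").upper() == "PSEXESVC"
                or _basename(e.get("image_path")) == "psexesvc.exe"):
            findings.append(_finding(e, "T1021.002", "PsExec service install",
                                     445, e.get("image_path")))
        elif e["type"] == "PROCESS_LAUNCH":
            parent = _basename(e.get("parent_process"))
            if parent == "psexesvc.exe":
                findings.append(_finding(e, "T1021.002", "PsExec child process",
                                         445, e.get("cmdline")))
            elif parent == "wmiprvse.exe":
                findings.append(_finding(e, "T1047", "WMI remote process creation",
                                         135, e.get("cmdline")))
    return findings


def correlate_network(findings, events, window_seconds=60):
    """Attach the host that connected to the victim on the expected lateral
    port (445 for PsExec, 135 for WMI/DCOM) within window_seconds before the
    host-side artifact. Leaves source_host None when nothing lines up."""
    conns = [e for e in events if e["type"] == "NETWORK_CONNECTION"]
    for f in findings:
        t = datetime.fromisoformat(f["ts"])
        for c in conns:
            delta = (t - datetime.fromisoformat(c["ts"])).total_seconds()
            if (c["dst_host"] == f["host"] and c["dst_port"] == f["lateral_port"]
                    and 0 <= delta <= window_seconds):
                f["source_host"] = c["src_host"]
                break
    return findings


def hunt(events, window_seconds=60):
    return correlate_network(find_remote_exec(events), events, window_seconds)


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['ts']} {f['technique']} {f['host']} <- {f['source_host']}: "
              f"{f['indicator']} ({f['evidence']})")
```

The correlation window is deliberately short: PsExec's service install follows the SMB connection within seconds, so a wide window mostly adds false pairings on busy hosts. The explorer.exe-spawned shell on WS04 is never flagged because neither parent matches.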

Repository: google/mcp-security
Evaluated with agent Claude Code, model Claude Sonnet 4.6
