
secops-investigate

Expert guidance for deep security investigations. Use this when the user asks to "investigate" a case, entity, or incident.

Install with Tessl CLI

npx tessl i github:google/mcp-security --skill secops-investigate

Skill score: 72 (Does it follow best practices? Validation for skill structure)


Evaluation results

Malware Triage: Suspicious Endpoint Alert
Malware investigation triage workflow
97% · 46%

Criteria                      Without context   With context
Remote tool priority          75%               62%
Case context tool             37%               100%
SIEM Prevalence tool          0%                100%
Execution check UDM query     60%               100%
Network check UDM query       0%                100%
SIEM search tool              50%               100%
IOC enrichment two-step       20%               100%
Severity matrix applied       100%              100%
SOAR documentation tool       0%                100%
SIEM queries file             100%              100%
AFFECTED_HOSTS identified     100%              100%
NETWORK_IOCS identified       100%              100%

Without context: $0.4243 · 2m 32s · 17 turns · 22 in / 9,040 out tokens
With context: $0.8012 · 3m 14s · 29 turns · 35 in / 12,681 out tokens

Post-Incident Report: Ransomware Precursor Activity
Investigation report generation and formatting
94% · 21%

Criteria                      Without context   With context
Executive Summary section     100%              100%
Timeline section              100%              100%
Findings section              100%              100%
Recommendations section       100%              100%
Mermaid sequence diagram      0%                100%
Report filename format        0%                50%
No SSN in report              100%              100%
No API key in report          100%              100%
No personal email in report   100%              100%
Markdown format               100%              100%
Tool call documented          100%              100%

Without context: $0.1720 · 1m 7s · 8 turns · 13 in / 3,655 out tokens
With context: $0.3496 · 1m 28s · 16 turns · 269 in / 4,717 out tokens
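The three hygiene criteria in this scenario (no SSN, no API key, no personal email in the generated report) are the kind of check a SOC would run over every report before it leaves the investigation tooling. The scanner below is an added example written for this page; it is not the skill's own code, and the regexes, the list of consumer mail domains and the constructed sample report are all assumptions made for illustration. It flags each leak class separately, so a report can be failed on the specific criterion, and it redacts personal addresses while leaving the corporate contact in place.

```python
import re

# Constructed sample report (not from the page or the skill) seeded with one
# leak of each kind the evaluation checks for, plus a corporate address that
# must survive redaction.
SAMPLE_REPORT = """\
Post-Incident Report: Ransomware Precursor Activity

Executive Summary
Analyst j.doe@gmail.com escalated case 4711 after beaconing from WS-0142.
A dropped file contained the user's SSN 123-45-6789.
The staging script embedded the AWS key AKIAIOSFODNN7EXAMPLE and
api_key = "sk_live_9f8e7d6c5b4a3f2e1d0c".
Follow-up contact: soc@corp.example.
"""

# Pattern choices are assumptions for this example, not the skill's rules.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")          # AWS access key IDs
GENERIC_KEY_RE = re.compile(                               # api_key = "<value>"
    r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# Consumer mail providers treated as "personal"; any other domain is kept.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}


def _is_personal(address):
    return address.rsplit("@", 1)[1].lower() in PERSONAL_DOMAINS


def scan_report(text):
    """Return the offending strings per criterion; empty lists mean the report passes."""
    return {
        "ssn": SSN_RE.findall(text),
        "api_key": AWS_KEY_RE.findall(text) + GENERIC_KEY_RE.findall(text),
        "personal_email": [m for m in EMAIL_RE.findall(text) if _is_personal(m)],
    }


def report_is_clean(text):
    """True when every hygiene criterion passes."""
    return not any(scan_report(text).values())


def redact_report(text):
    """Mask leaks in place so the rest of the report stays usable."""
    text = SSN_RE.sub("[REDACTED-SSN]", text)
    text = AWS_KEY_RE.sub("[REDACTED-KEY]", text)
    # Keep the "api_key =" label and replace only the secret value (group 1).
    text = GENERIC_KEY_RE.sub(
        lambda m: m.group(0).replace(m.group(1), "[REDACTED-KEY]"), text)
    text = EMAIL_RE.sub(
        lambda m: "[REDACTED-EMAIL]" if _is_personal(m.group(0)) else m.group(0), text)
    return text


if __name__ == "__main__":
    for criterion, hits in scan_report(SAMPLE_REPORT).items():
        print(f"{criterion}: {hits}")
    print(redact_report(SAMPLE_REPORT))
```

Run it against the report file the skill writes out; a non-empty list in any key is a failed criterion, and `redact_report` gives the analyst a version that can be attached to the case without re-running the investigation.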

Threat Hunt: Unauthorized Admin Tool Usage
Lateral movement detection and SIEM queries
100% · 26%

Criteria                      Without context   With context
MITRE T1021.002 reference     100%              100%
MITRE T1047 reference         100%              100%
PsExec service install query  40%               100%
PsExec execution query        75%               100%
WMI process creation query    100%              100%
WMI remote execution query    0%                100%
SMB port 445 correlation      20%               100%
udm_search for queries        100%              100%
Related cases procedure       100%              100%
SOAR documentation tool       100%              100%
Correlation step present      100%              100%
Both output files created     100%              100%

Without context: $0.4453 · 2m 48s · 12 turns · 17 in / 10,073 out tokens
With context: $0.5708 · 3m 15s · 18 turns · 20 in / 11,223 out tokens
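The criteria above spell out the hunt logic: PsExec service installs and executions (T1021.002, Remote Services: SMB/Windows Admin Shares), process creation under the WMI provider host (T1047, Windows Management Instrumentation), and correlation with the inbound connection that delivered them. The code below is an added example, not the skill's queries or Chronicle's UDM search: it runs that correlation in Python over constructed events in a flat, simplified shape whose field names are only loosely modelled on UDM (principal is the acting side, target the acted-on side). The PSEXESVC service name, the PSEXESVC.exe and WmiPrvSE.exe parents, and ports 445 (SMB) and 135 (DCOM/RPC endpoint mapper) are the well-known defaults; the 120-second window is an assumption.

```python
from collections import Counter
from datetime import datetime

# Default service name PsExec registers on the target, the binary it runs
# commands through, and the WMI provider host that parents remote WMI launches.
PSEXEC_SERVICE = "psexesvc"
PSEXEC_BINARY = "psexesvc.exe"
WMI_PROVIDER_HOST = "wmiprvse.exe"
SMB_PORT = 445   # PsExec copies its service over the ADMIN$ share (T1021.002)
RPC_PORT = 135   # remote WMI starts with a DCOM/RPC endpoint-mapper call (T1047)

# Constructed events (not real telemetry) in a simplified flat shape.
EVENTS = [
    # WS-0142 opens SMB to FILESRV01; PsExec's service appears and runs a command.
    {"ts": "2024-05-01T09:00:00", "event_type": "NETWORK_CONNECTION",
     "principal_hostname": "WS-0142", "target_hostname": "FILESRV01", "target_port": 445},
    {"ts": "2024-05-01T09:00:20", "event_type": "SERVICE_CREATION",
     "principal_hostname": "FILESRV01", "service_name": "PSEXESVC",
     "service_path": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "2024-05-01T09:00:25", "event_type": "PROCESS_LAUNCH",
     "principal_hostname": "FILESRV01", "parent_path": "C:\\Windows\\PSEXESVC.exe",
     "command_line": "cmd.exe /c whoami"},
    # WS-0142 reaches HR-SRV02 over RPC; the WMI provider host spawns a shell.
    {"ts": "2024-05-01T09:05:00", "event_type": "NETWORK_CONNECTION",
     "principal_hostname": "WS-0142", "target_hostname": "HR-SRV02", "target_port": 135},
    {"ts": "2024-05-01T09:05:10", "event_type": "PROCESS_LAUNCH",
     "principal_hostname": "HR-SRV02",
     "parent_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "command_line": "cmd.exe /c net user backup_svc /add"},
    # Local WMI activity on PRINTSRV with no inbound connection: not lateral movement.
    {"ts": "2024-05-01T09:10:00", "event_type": "PROCESS_LAUNCH",
     "principal_hostname": "PRINTSRV",
     "parent_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "command_line": "cmd.exe /c ipconfig"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the ATT&CK technique an event evidences, or None."""
    if event["event_type"] == "SERVICE_CREATION":
        if event.get("service_name", "").lower() == PSEXEC_SERVICE:
            return "T1021.002"
    elif event["event_type"] == "PROCESS_LAUNCH":
        parent = _basename(event.get("parent_path", ""))
        if parent == PSEXEC_BINARY:
            return "T1021.002"
        if parent == WMI_PROVIDER_HOST:
            return "T1047"
    return None


def hunt(events, window_seconds=120):
    """Flag admin-tool activity and attach the hosts that reached the victim
    on the technique's port within window_seconds beforehand."""
    events = sorted(events, key=_ts)
    findings = []
    for ev in events:
        technique = classify(ev)
        if technique is None:
            continue
        port = SMB_PORT if technique == "T1021.002" else RPC_PORT
        victim, when = ev["principal_hostname"], _ts(ev)
        sources = sorted({
            c["principal_hostname"] for c in events
            if c["event_type"] == "NETWORK_CONNECTION"
            and c.get("target_hostname") == victim
            and c.get("target_port") == port
            and 0 <= (when - _ts(c)).total_seconds() <= window_seconds
        })
        findings.append({
            "technique": technique,
            "host": victim,
            "source_hosts": sources,
            "remote": bool(sources),          # no inbound connection => local use
            "evidence": ev.get("command_line") or ev.get("service_name"),
        })
    return findings


def pivot_hosts(findings):
    """Count how many remote executions each source host is behind."""
    return dict(Counter(h for f in findings if f["remote"] for h in f["source_hosts"]))


if __name__ == "__main__":
    results = hunt(EVENTS)
    for f in results:
        print(f)
    print("pivot hosts:", pivot_hosts(results))
```

The `remote` flag is the point of the correlation criterion: WMI process creation is routine on most Windows fleets, so only launches preceded by an inbound connection on the technique's port are treated as lateral movement, and `pivot_hosts` surfaces the one workstation behind all of them as the host to pull into the case.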

Evaluated agent: Claude Code

