Expert guidance for security alert triage. Use this when the user asks to "triage" an alert or case.
Overall score: 72
Does it follow best practices? 58%
Impact: 99% (2.20x average score across 3 eval scenarios)
Passed: no known issues
Optimize this skill with Tessl:
npx tessl skill review --optimize ./extensions/google-secops/skills/triage/SKILL.md

Tool selection and triage workflow scripting

  Check                               Without skill   With skill
  Remote/local branching              100%            100%
  Remote context expand param         0%              100%
  Remote list_case_alerts call        0%              100%
  Local get_case_full_details         0%              100%
  Duplicate check filter              0%              100%
  Related cases status filter         0%              100%
  Remote IOC summarize_entity         0%              100%
  Remote IOC get_ioc_match            0%              100%
  Local IOC enrichment tools          0%              100%
  Login-specific SIEM search scope    50%             100%
Alert classification and case closure actions

  Check                               Without skill   With skill
  FP classification                   100%            100%
  BTP classification                  0%              100%
  TP classification                   100%            100%
  execute_bulk_close_case used        0%              100%
  NOT_MALICIOUS reason                41%             100%
  Correct RootCause value             0%              100%
  Comment before close                30%             100%
  TP escalation recommended           100%            100%
  TP priority update mentioned        50%             100%
  Assessment references evidence      100%            100%
NL search workflow and network alert SIEM strategy

  Check                                   Without skill   With skill
  Remote NL two-step                      0%              100%
  Remote no standalone udm_search         100%            100%
  Local uses search_security_events       0%              86%
  Local skips translate step              100%            100%
  Network flows searched                  100%            100%
  DNS lookups searched                    100%            100%
  Source/dest IPs or domains as params    100%            100%
  Separate Remote/Local strategies        100%            100%
9774ce8