secops-triage

Expert guidance for security alert triage. Use this when the user asks to "triage" an alert or case.

Install with Tessl CLI

npx tessl i github:google/mcp-security --skill secops-triage

What are skills?

Review — 66%

Does it follow best practices?

If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:

npx tessl skill review --optimize ./path/to/skill

Learn more

Validation — 10 / 11 Passed

Validation for skill structure

SKILL.md

Review

Evals

Evaluation results

100%

85%

Automate the SOC Triage Handoff Workflow

Tool selection and triage workflow scripting

Criteria

Without context

With context

Remote/local branching

100%

Remote context expand param

100%

Remote list_case_alerts call

100%

Local get_case_full_details

100%

Duplicate check filter

100%

Related cases status filter

100%

Remote IOC summarize_entity

100%

Remote IOC get_ioc_match

100%

Local IOC enrichment tools

100%

50%

100%

Without context: $0.5790 · 2m 45s · 26 turns · 103 in / 10,882 out tokens

With context: $0.4614 · 2m 8s · 19 turns · 305 in / 8,410 out tokens

100%

49%

Finalize Three Pending SOC Cases

Alert classification and case closure actions

Criteria

Without context

With context

FP classification

100%

BTP classification

100%

TP classification

100%

execute_bulk_close_case used

100%

NOT_MALICIOUS reason

41%

100%

Correct RootCause value

100%

Comment before close

30%

100%

TP escalation recommended

100%

TP priority update mentioned

50%

100%

Assessment references evidence

100%

Without context: $0.3893 · 2m · 16 turns · 21 in / 7,167 out tokens

With context: $0.4086 · 1m 51s · 17 turns · 270 in / 6,007 out tokens

98%

28%

Investigate Anomalous DNS Exfiltration Activity

NL search workflow and network alert SIEM strategy

Criteria

Without context

With context

Remote NL two-step

100%

Remote no standalone udm_search

100%

Local uses search_security_events

86%

Local skips translate step

100%

Network flows searched

100%

DNS lookups searched

100%

Source/dest IPs or domains as params

100%

Separate Remote/Local strategies

100%

Without context: $0.3012 · 1m 56s · 12 turns · 17 in / 6,293 out tokens

With context: $0.2758 · 1m 29s · 11 turns · 171 in / 5,092 out tokens

Evaluated: about 13 hours ago
Agent: Claude Code

Table of Contents

Automate the SOC Triage Handoff Workflow Finalize Three Pending SOC Cases Investigate Anomalous DNS Exfiltration Activity

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.