Update extension configuration and prepare for release

Author: dandye

.gitignore

@@ -138,6 +138,7 @@ env.bak/
 venv.bak/
 .gemini
 extensions/google-secops/skills/setup-antigravity/.env
+extensions/google-secops-staging/.env
 
 # Spyder project settings
 .spyderproject

extensions/google-secops-staging/.env.example

@@ -0,0 +1,4 @@
+PROJECT_ID=your-project-id-string
+CUSTOMER_ID=12345678-abcd-4321-8765-1234567890ab
+REGION=us
+SERVER_URL=https://chronicle.us.rep.googleapis.com/mcp

extensions/google-secops-staging/.env.secops-lab

@@ -0,0 +1,4 @@
+PROJECT_ID=secops-demo-env
+CUSTOMER_ID=a13f6726-efed-452e-9008-8fe0d3cb0f75
+REGION=us
+SERVER_URL=https://chronicle.us.rep.googleapis.com/mcp

extensions/google-secops-staging/.env.staging

@@ -0,0 +1,4 @@
+PROJECT_ID=secops-ai-staging
+CUSTOMER_ID=eb3b937b-3ab6-47e5-8185-24837b826691
+REGION=us
+SERVER_URL=https://staging-chronicle.sandbox.googleapis.com/mcp

extensions/google-secops-staging/GEMINI.md

@@ -0,0 +1,141 @@
+# Google SecOps Extension
+
+This folder contains the **Google SecOps Extension**, providing specialized skills for security operations.
+
+## Overview
+
+The extension `extensions/google-secops-staging` packages setup and key security workflows into [skills](https://agentskills.io/specification). 
+
+These skills are **Adaptive**, designed to work seamlessly with:
+ *   [Google SecOps Remote MCP Server](https://google.github.io/mcp-security/docs/remote_server.html) (Preferred)
+ *   **Local Python Tools** (Fallback)
+
+This allows the skills to function in diverse environments, automatically selecting the best available tool for the job.
+    
+The (`.agent`) symlink makes them available as [Antigravity Agent Skills](https://antigravity.google/docs/skills) at the workspace level. You could also install/copy/symlink the skills to `~/.gemini/antigravity/skills/` to make them available globally to all workspaces.
+
+
+## Prerequisites
+
+1.  **Install Gemini CLI (Preview)**:
+    ```bash
+    npm install -g @google/gemini-cli@preview
+    ```
+
+
+2.  **GUI Login Requirement**: You MUST have logged into the Google SecOps GUI at least once before using the API/MCP server.
+
+3.  **Enable Skills**: Ensure your `~/.gemini/settings.json` has `experimental.skills` enabled:
+    ```json
+    {
+      "security": {
+        "auth": {
+          "selectedType": "gemini-api-key"
+        }
+      },
+      "general": {
+        "previewFeatures": true
+      },
+      "experimental": {
+        "skills": true,
+        "extensionConfig": true
+      }
+    }
+    ```
+
+Verify skills are enabled from the Gemini CLI prompt:
+```
+/skills list
+```
+
+## Installation
+
+To install this extension in your Gemini CLI environment:
+
+1.  **Navigate** to the project root.
+2.  **Run**:
+    ```bash
+    gemini extensions install ./extensions/google-secops
+    ```
+
+You will be prompted for environment variables for the MCP configuration:
+
+1. `PROJECT_ID` (GCP Project ID on your SecOps tenant's /settings/profile page)
+2. `CUSTOMER_ID` (Your Chronicle Customer UUID)
+3. `REGION` (Your Chronicle Region, e.g., `us`, `europe-west1`)
+4. `SERVER_URL` (e.g. https://chronicle.northamerica-northeast2.rep.googleapis.com/mcp, https://chronicle.us.rep.googleapis.com/mcp, etc.)
+
+> **Note**: These values are persisted in `~/.gemini/extensions/google-secops/.env` and can be referenced by skills. Also, you can change the values in this file if needed.
+
+When using the secops-hosted-mcp MCP Server, use these parameters from the `.env` file (located at `~/.gemini/extensions/google-secops/.env`) for EVERY request:
+Customer ID: ${CUSTOMER_ID}
+Region: ${REGION}
+Project ID: ${PROJECT_ID}
+
+## Available Skills
+
+
+### 1. Setup Assistant (Antigravity) (`secops-setup-antigravity`)
+*   **Trigger**: "Help me set up Antigravity", "Configure Antigravity for SecOps".
+*   **Function**: checks for Google Cloud authentication and environment variables, then merges the correct `remote-secops-investigate` and `remote-secops-admin` configuration into your Antigravity settings (`~/.gemini/antigravity/mcp_config.json`).
+
+### 2. Alert Triage (`secops-triage`)
+*   **Trigger**: "Triage alert [ID]", "Analyze case [ID]".
+*   **Function**: Orchestrates a Tier 1 triage workflow by following the `triage_alerts.md` runbook. It checks for duplicates, enriches entities, and provides a classification recommendation (FP/TP).
+
+### 3. Investigation (`secops-investigate`)
+*   **Trigger**: "Investigate case [ID]", "Deep dive on [Entity]".
+*   **Function**: Guides deep-dive investigations using specialized runbooks (e.g., Lateral Movement, Malware).
+
+### 4. Threat Hunting (`secops-hunt`)
+*   **Trigger**: "Hunt for [Threat]", "Search for TTP [ID]".
+*   **Function**: Assists in proactive threat hunting by generating hypotheses and constructing complex UDM queries for Chronicle.
+
+### 5. Cases (`secops-cases`)
+*   **Trigger**: "List cases", "Show recent cases", "/secops:cases".
+*   **Function**: Lists recent SOAR cases to verify connectivity and view case status.
+
+## Custom Commands
+
+You can use the following slash commands as shortcuts for common tasks:
+
+*   `/secops:triage <ALERT_ID>`: Quickly start triaging an alert.
+*   `/secops:investigate <CASE_ID>`: Start an investigation.
+*   `/secops:hunt <THREAT>`: Start a threat hunt.
+*   `/secops:cases`: List recent cases.
+
+## How it Works
+
+These skills act as **Driver Agents** that:
+1.  **Read** the standardized Runbooks in `rules_bank/run_books/`.
+2.  **Execute** the steps using the available MCP tools.
+3.  **Standardize** the output according to SOC best practices.
+
+### Tool Selection
+
+The skills employ an **Adaptive Execution** strategy to ensure robustness:
+
+1.  **Check Environment**: The skill first identifies which tools are available in the current workspace.
+2.  **Prioritize Remote**: If the **Remote MCP Server** is connected, the skill uses remote tools (e.g., `list_cases`, `udm_search`) for maximum capability.
+3.  **Fallback to Local**: If remote tools are unavailable, the skill attempts to use **Local Python Tools**.
+    > **Note**: Local tools are not included in this extension release. To use them, you must clone the [Google SecOps MCP Repository](https://github.com/google/mcp-security) and configure the local server separately.
+
+For a detailed mapping of Remote vs. Local capabilities, see [`TOOL_MAPPING.md`](https://github.com/google/mcp-security/blob/main/extensions/google-secops/TOOL_MAPPING.md).
+
+
+## Cross-Compatibility
+
+These skills are designed to be compatible with **Claude Code** and other AI agents. The `slash_command` and `personas` metadata in the YAML frontmatter allow other tools to index and trigger these skills effectively.
+
+*   `slash_command`: Defines the equivalent command pattern (e.g., `/security:triage`).
+*   `personas`: detailed which security personas (e.g., `threat_hunter`) are best suited for the task.
+
+
+## Known Issues
+* If the `SERVER_URL` requires regionalization (i.e. LEP vs REP vs MREP), it can be very difficult for the user to know what value to use.
+
+## References
+* [Agent Skills Specification](https://agentskills.io/specification)
+* [Gemini CLI Documentation](https://geminicli.com)
+* [Gemini CLI Preview Features](https://geminicli.com/docs/settings/general#previewfeatures)
+* [Antigravity Skills](https://antigravity.google/docs/skills)

extensions/google-secops-staging/TOOL_MAPPING.md

@@ -0,0 +1,36 @@
+# Tool Mapping: Local vs. Remote
+
+This document maps the tools defined in the local MCP server implementation (`server/secops` and `server/secops-soar`) to the tools available in the remote Google SecOps MCP server.
+
+**Configuration & Selection Strategy:**
+When executing a skill, the agent should first check which tools are available in the current environment.
+1.  **Prioritize Remote Tools**: If a remote tool is available, use it.
+2.  **Fallback to Local Tools**: If the remote tool is unavailable, use the corresponding local tool.
+3.  **Adapt Workflow**: Some operations (like Natural Language Search) require a multi-step workflow in Remote (Translate -> Search) but a single step in Local.
+
+| Category | Capability | Remote Tool (MCP Server) | Local Tool (Python) | Notes |
+| :--- | :--- | :--- | :--- | :--- |
+| **Case Management** | List Cases | `list_cases` | `list_cases` | |
+| | Get Case Details | `get_case` | `get_case_full_details` | Local `get_case_full_details` aggregates alerts/comments. Remote `get_case` fetches the case object; use `expand='tasks,tags,products'` or call `list_case_alerts`/`list_case_comments` for full context. |
+| | Comment on Case | `create_case_comment` | `post_case_comment` | |
+| | Update Case | `update_case` | `change_case_priority` | Remote tool is general (priority, status, assignee). Local tool is specific to priority. |
+| | Close Case | `execute_bulk_close_case` | *(No local tool)* | Only remote tool can close cases. |
+| **Alerts (SOAR)** | List Alerts for Case | `list_case_alerts` | `list_alerts_by_case` | |
+| | List Events for Alert | `list_connector_events` | `list_events_by_alert` | Remote tool lists "connector events". |
+| | List Alert Groups | *(No direct equivalent)* | `list_alert_group_identifiers_by_case` | Remote `list_case_alerts` returns alert objects which may contain grouping info. |
+| **Entities (SOAR)** | Search Entities | `search_entity` | `search_entity` | |
+| | Get Involved Entities | `list_involved_entities` | `get_entities_by_alert_group_identifiers` | Remote tool lists involved entities for a specific case alert. |
+| | Get Entity Details | *(No direct equivalent)* | `get_entity_details` | |
+| **SIEM / UDM** | UDM Search (Query) | `udm_search` | `search_udm` | |
+| | UDM Search (Nat. Lang.) | `translate_udm_query` -> `udm_search` | `search_security_events` | **Critical:** Remote requires 2 steps (Translate then Search). Local does both in one call. |
+| | Entity Summary | `summarize_entity` | `lookup_entity` | Both provide a summary of entity activity in SIEM. |
+| | IoC Matching | `get_ioc_match` | `get_ioc_matches` | |
+| | Export Results | *(No direct equivalent)* | `export_udm_search_csv` | |
+| **Alerts (SIEM)** | List SIEM Alerts | `list_security_alerts` | `list_security_alerts` | Lists alerts directly from SIEM (not SOAR cases). |
+| | Get SIEM Alert | `get_security_alert` | `get_security_alert` | |
+| | Update SIEM Alert | `update_security_alert` | `update_security_alert` | |
+| **Rules** | List Rules | `list_rules` | `list_rules` | |
+| | Get Rule | `get_rule` | `get_rule` | |
+| | Create Rule | `create_rule` | `create_rule` | |
+| | Validate Rule | `validate_rule` | `validate_rule` | |
+| | Test/Run Rule | `list_rule_detections` | `list_rule_detections` | Use to see historical detections. |

extensions/google-secops-staging/commands/secops/cases.toml

@@ -0,0 +1 @@
+prompt = """Run the secops-cases skill."""

extensions/google-secops-staging/commands/secops/hunt.toml

@@ -0,0 +1 @@
+prompt = """Run the secops-hunt skill for `{{args}}`."""

extensions/google-secops-staging/commands/secops/investigate.toml

@@ -0,0 +1 @@
+prompt = """Run the secops-investigate skill on case `{{args}}`."""

extensions/google-secops-staging/commands/secops/triage.toml

@@ -0,0 +1 @@
+prompt = """Run the secops-triage skill on alert `{{args}}`."""