Agent Skillsgoogle/skills › detection-engineering-coverage-evaluation

detection-engineering-coverage-evaluation

GitHub

自动化Google SecOps检测工程流程,包括提取威胁情报、生成TDO、模拟攻击事件、评估规则覆盖率及生成YARA-L规则以填补漏洞。

skills/cloud/detection-engineering-coverage-evaluation/SKILL.md google/skills

Trigger Scenarios

需要从博客或URL提取威胁情报并转化为检测机会 需要评估现有检测规则对特定攻击行为的覆盖情况 发现检测规则存在缺口并需要自动生成新的YARA-L 2.0规则

Install

npx skills add google/skills --skill detection-engineering-coverage-evaluation -g -y
More Options

Non-standard path

npx skills add https://github.com/google/skills/tree/main/skills/cloud/detection-engineering-coverage-evaluation -g -y

Use without installing

npx skills use google/skills@detection-engineering-coverage-evaluation

指定 Agent (Claude Code)

npx skills add google/skills --skill detection-engineering-coverage-evaluation -a claude-code -g -y

安装 repo 全部 skill

npx skills add google/skills --all -g -y

预览 repo 内 skill

npx skills add google/skills --list

SKILL.md

Frontmatter
{
    "name": "detection-engineering-coverage-evaluation",
    "description": "Automates the end-to-end detection engineering workflow in Google SecOps using MCP tools. Use when fetching threat intelligence from blogs, generating Threat Detection Opportunities (TDOs), simulating attacker behavior with synthetic UDM events, evaluating rule coverage, and generating new YARA-L 2.0 rules to close coverage gaps. Don't use when asked to perform threat hunting actions, and SOC investigative actions."
}

SecOps Detection Coverage Skill

This skill guides the agent through an end-to-end detection engineering lifecycle using Google SecOps MCP tools. It handles multiple Threat Detection Opportunities (TDOs) and ensures exhaustive coverage evaluation for all generated synthetic events.

Workflow Execution Checklist

Copy this checklist and track progress for each iteration:

  • Step 1: Extract raw text content from a source (for example, blog URL).
  • Step 2: Generate Threat Detection Opportunities (TDOs).
  • Step 3: Loop through ALL TDOs to generate synthetic events.
  • Step 4: Loop through ALL UDM events to evaluate rule coverage.
  • Step 5: For identified rules, check enablement and alerting status.
  • Step 6: Generate new rules for identified gaps.
  • Step 7: Provide a structured summary of findings and gaps.

Detailed Steps

1. Extract Threat Intelligence

  • Use the following prompt to extract all text content from a URL: - "Fetch the blog text from {url}. You need to extract and output the entire text content of the page, exactly as it appears in the HTML, without any summarization, modification, or omission."

  • Summary of Step: Report only that the text was successfully extracted from the provided URL. Do not output the full raw text.

  • Next Step: The extracted text will be used to generate Threat Detection Opportunities (TDOs).

2. Generate TDOs

  • Call generate_threat_detection_opportunity with the extracted full blog threat raw text. You must not summarize. This tool returns one or more TDOs.

  • Summary of Step: Report the number of TDOs generated and provide a brief, high-level summary for each TDO (for example, the key threat or attacker technique identified). Do not output the full TDO JSON.

  • Next Step: The process will now loop through each generated TDO to create synthetic events.

3. Generate Synthetic Events (For ALL TDOs)

For every TDO:

  • Call generate_synthetic_events using the TDO.

  • Summary of Step: Report the total number of synthetic UDM events generated for this TDO. Briefly describe the types of attacker behaviors simulated (for example, "Generated events simulating initial access and privilege escalation"). Don't output the full response.

  • Next Step: The generated UDM events will be used to evaluate rule coverage.

4. Evaluate Rule Coverage (For ALL UDM Events)

For every UDM event generated for a TDO:

  • Call evaluate_rule_coverage by providing the UDM event in valid JSON format. Provide only the UDM event as a single, valid JSON object. You MUST Provide each UDM event as a standard stringified JSON object within the udmsJson list. Do not apply an additional layer of escaping to the JSON string. Provide a standard JSON stringification with no extra backslashes.

  • Summary of Step: Report which rule_ids matched for this event, if any. If no rules matched, clearly state "No rules matched." Provide counts of events evaluated. Don't output the full coverage evaluation JSON.

  • Next Step: The identified matched rules will be audited for their enablement and alerting status.

5. Audit Rule Status

For every distinct rule_id identified:

  • Call get_rule to check the rule configuration with CONFIG_ONLY view.

  • Summary of Step: For each rule_id, state its enablement status (for example, "Enabled", "Disabled") and alerting status (for example, "Alerting Enabled", "Alerting Disabled").

  • Next Step: Review coverage gaps and potentially generate new rules.

6. Gap Mitigation

If gaps are found:

  • Call generate_rules for the relevant TDOs.

  • Summary of Step: For each gap, describe what coverage was missing and confirm if a new rule was generated. Provide a brief summary of what the newly generated rule aims to detect.

  • Next Step: Provide a final structured summary of all findings and gaps.

Output Format

Provide a summary for each TDO processed:

TDO: {tdo summary}

Coverage Eval: [{rule_id, enablement status, alerting status}, ...]

Missing Coverage: [{summary, generated rule}] // Only if gaps exist

Errors: [{if any any errors encountered, specify the tool}]


Tool Reference

  • generate_threat_detection_opportunity: Initial tool for threat analysis.
  • generate_synthetic_events: Generates logs simulating the TDO.
  • evaluate_rule_coverage: Checks if existing rules detect the synthetic UDMs.
  • get_rule: Use to check alerting_enabled and enabled status of SIEM rules.
  • generate_rules: Codifies detection logic for gaps.

Version History

  • aabe37a Current 2026-07-05 15:28

Same Skill Collection

skills/ads/data-manager-api/data-manager-api-audience-ingestion/SKILL.md
skills/ads/data-manager-api/data-manager-api-event-ingestion/SKILL.md
skills/ads/data-manager-api/data-manager-api-setup/SKILL.md
skills/ads/google-ads-api/google-ads-api-mcp-setup/SKILL.md
skills/ads/google-mobile-ads/google-mobile-ads-android-migrate-to-next-gen/SKILL.md
skills/ads/google-mobile-ads/google-mobile-ads-banner/SKILL.md
skills/ads/google-mobile-ads/google-mobile-ads-get-started/SKILL.md
skills/ads/google-mobile-ads/google-mobile-ads-interstitial/SKILL.md
skills/ads/google-mobile-ads/google-mobile-ads-rewarded/SKILL.md
skills/ads/interactive-media-ads/ima-sdk-basics/SKILL.md
skills/analytics/google-analytics-admin-api-basics/SKILL.md
skills/analytics/google-analytics-data-api-basics/SKILL.md
skills/cloud/agent-platform-endpoint-management/SKILL.md
skills/cloud/agent-platform-migrate-from-ai-studio/SKILL.md
skills/cloud/agent-platform-model-registry/SKILL.md
skills/cloud/agent-platform-prompt-management/SKILL.md
skills/cloud/agent-platform-rag-engine-management/SKILL.md
skills/cloud/agent-platform-skill-registry/SKILL.md
skills/cloud/agent-platform-tuning-management/SKILL.md
skills/cloud/agent-platform-tuning/SKILL.md
skills/cloud/alloydb-basics/SKILL.md
skills/cloud/bigquery-ai-ml/SKILL.md
skills/cloud/bigquery-basics/SKILL.md
skills/cloud/bigquery-bigframes/SKILL.md
skills/cloud/bigtable-basics/SKILL.md
skills/cloud/cloud-run-basics/SKILL.md
skills/cloud/firebase-basics/SKILL.md
skills/cloud/gcloud/SKILL.md
skills/cloud/gemini-agents-api/SKILL.md
skills/cloud/gemini-api/SKILL.md
skills/cloud/gemini-interactions-api/SKILL.md
skills/cloud/gke-app-onboarding/SKILL.md
skills/cloud/gke-backup-dr/SKILL.md
skills/cloud/gke-basics/SKILL.md
skills/cloud/gke-batch-hpc/SKILL.md
skills/cloud/gke-cluster-creation/SKILL.md
skills/cloud/gke-compute-classes/SKILL.md
skills/cloud/gke-cost/SKILL.md
skills/cloud/gke-golden-path/SKILL.md
skills/cloud/gke-inference/SKILL.md
skills/cloud/gke-multitenancy/SKILL.md
skills/cloud/gke-networking/SKILL.md
skills/cloud/gke-observability/SKILL.md
skills/cloud/gke-reliability/SKILL.md
skills/cloud/gke-scaling/SKILL.md
skills/cloud/gke-security/SKILL.md
skills/cloud/gke-storage/SKILL.md
skills/cloud/google-cloud-networking-observability/SKILL.md
skills/cloud/google-cloud-recipe-auth/SKILL.md
skills/cloud/google-cloud-recipe-onboarding/SKILL.md
skills/cloud/google-cloud-waf-cost-optimization/SKILL.md
skills/cloud/google-cloud-waf-operational-excellence/SKILL.md
skills/cloud/google-cloud-waf-performance-optimization/SKILL.md
skills/cloud/google-cloud-waf-reliability/SKILL.md
skills/cloud/google-cloud-waf-security/SKILL.md
skills/cloud/google-cloud-waf-sustainability/SKILL.md
skills/cloud/iam-recommendations-fetcher/SKILL.md
skills/ads/google-ads-api/google-ads-api-quickstart/SKILL.md
skills/cloud/agent-platform-alert-configuration/SKILL.md
skills/cloud/agent-platform-deploy/SKILL.md
skills/cloud/agent-platform-eval-flywheel/SKILL.md
skills/cloud/agent-platform-inference/SKILL.md
skills/cloud/cloud-sql-basics/SKILL.md
skills/cloud/datalineage-bigquery-asset-impact-analysis/SKILL.md
skills/cloud/gke-upgrades/SKILL.md
skills/cloud/google-agents-cli-onboarding/SKILL.md
skills/cloud/google-cloud-recipe-foundation-builder/SKILL.md
skills/cloud/workload-manager-basics/SKILL.md

Metadata

Files
0
Version
aabe37a
Hash
9910cee6
Indexed
2026-07-05 15:28

Главная - Вики-сайт
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-11 13:22
浙ICP备14020137号-1 $Гость$