Gemini CLI /gti, /scc, /secops, /secops:soar, /secops:soar:marketplace:crowdstrike, etc. MCP tools #141
Draft: dandye wants to merge 16 commits into main from gemini_slash_commands

Commit messages:

- Added 13 slash commands covering all SecOps MCP tools:
  * entity-lookup: Entity enrichment and lookup
  * ioc-matches: IoC matches from threat intelligence
  * search-events: Natural language security event search
  * get-alerts, get-alert, update-alert: Alert management
  * list-rules, search-rules, get-detections, list-errors: Rule management
  * create-rule, test-rule, validate-rule: Rule development
  * threat-intel: Gemini-powered threat intelligence queries
- Enhanced ioc-matches with detailed help functionality using Jinja2 templating
- All commands include proper parameter validation and descriptions
- Enables usage information

Enhanced entity-lookup command with comprehensive help using Jinja2 templating:
- Added detailed usage information and examples
- Shows entity types supported (IP, domain, hash, username, hostname)
- Explains output format including entity details, related entities, alerts
- Includes practical examples for different entity types
- Maintains backward compatibility with existing functionality

…tools
- Implement /scc top-vuln-findings: Lists top ACTIVE HIGH/CRITICAL vulnerability findings sorted by Attack Exposure Score
- Implement /scc get-remediation: Gets detailed remediation steps for specific findings with resource details from CAI
- Follow established conventions from secops.toml with comprehensive help documentation, examples, and use cases
- Enable Gemini CLI integration with Security Command Center for vulnerability management and remediation workflows

- Complete integration of 23 SecOps MCP tools as Gemini CLI subcommands
- Includes Chronicle SIEM tools: alerts, rules, entity lookup, event search
- Includes SOAR case management: cases, alerts, entities, comments
- Features Jinja2 templating with conditional help documentation
- Consistent parameter mapping and comprehensive tool descriptions
- Enables natural language security operations through Gemini CLI

…CP tools
Implements 14 slash commands covering all major GTI MCP capabilities:
- Threat search: search-threats, search-campaigns, search-actors, search-malware, search-vulns
- Analysis: file-report, domain-report, ip-report, url-report
- Collections: get-collection, collection-timeline, collection-mitre
- Intelligence: search-iocs, search-darkweb
- Profiles: list-profiles, get-profile
Each command includes comprehensive help text, usage examples, supported parameters, and next-step recommendations following established conventions.

- Integration of 10 SOAR case management MCP tools as Gemini CLI subcommands
- Includes case listing, commenting, alert management, and entity operations
- Features comprehensive case investigation and triage capabilities
- Supports case priority management and entity enrichment workflows
- Enables natural language SOAR case management through Gemini CLI interface

…tegration
- Add 20 detailed slash commands organized into 8 functional categories
- Cover host management, incident response, detection/alert management
- Include IOC management, file analysis, incident management capabilities
- Add identity protection and system commands
- Provide comprehensive help documentation with examples and use cases
- Include security considerations for high-risk operations
- Map to 20 out of 28 available CrowdStrike Falcon MCP tools (71% coverage)
- Validate TOML syntax and ensure proper escaping

- Add main 'help' subcommand showing all available commands organized by category
- Include security warnings for high-risk operations (containment, scripts, file downloads)
- Provide usage examples and command reference structure
- Maintain TOML syntax validation

- Add comprehensive Chronicle TOML configuration following CrowdStrike Falcon conventions
- Implement 16 slash commands covering all Chronicle MCP tools
- Include detailed help text, usage examples, and security context
- Add proper subCommands structure with required/optional args definitions
- Support rule details, detection analysis, UDM queries, IoC management, and connectivity testing

- Include help subCommand at top of Chronicle TOML configuration
- Provide overview of available Chronicle commands and their purposes
- Add security context and usage guidance for Chronicle integration

Gemini CLI Slash Commands for /secops, /scc, /gti, /secops:soar, and a few /secops:soar:marketplace MCP Tools
This PR adds Gemini CLI slash commands to call MCP Tools.
SecOps Commands (/secops)

13 SecOps Slash Commands

Most SecOps MCP tools are now accessible via slash commands:

NOTE: add --help to any command to see required/optional params (e.g. /secops entity-lookup --help).

Entity & Threat Intelligence:
- /secops entity-lookup - Entity enrichment and lookup
- /secops ioc-matches - IoC matches from threat intelligence
- /secops threat-intel - Gemini-powered threat intelligence queries

Event & Alert Management:
- /secops search-events - Natural language security event search
- /secops get-alerts - List recent security alerts
- /secops get-alert - Get specific alert by ID
- /secops update-alert - Update alert status, priority, verdict

Rule Management & Development:
- /secops list-rules - List all detection rules
- /secops search-rules - Search rules using regex
- /secops get-detections - Get historical detections for a rule
- /secops list-errors - List rule execution errors
- /secops create-rule - Create new detection rules
- /secops test-rule - Test rules against historical data
- /secops validate-rule - Validate rule syntax

GTI Commands (/gti)

15 GTI Slash Commands

Coverage of Google Threat Intelligence capabilities:

Threat Search Commands:
- /gti search-threats - Unified search across all threat types with collection filtering
- /gti search-campaigns - Search attack campaigns and coordinated operations
- /gti search-actors - Search threat actors and APT groups
- /gti search-malware - Search malware families and variants
- /gti search-vulns - Search vulnerabilities and CVEs

IOC Analysis Commands:
- /gti file-report - Analyze files by hash (MD5/SHA-1/SHA-256)
- /gti domain-report - Domain reputation and threat analysis
- /gti ip-report - IP address analysis (IPv4/IPv6)
- /gti url-report - URL safety and content analysis
- /gti search-iocs - Search indicators of compromise with advanced filtering

Collection Management:
- /gti get-collection - Get detailed threat collection information
- /gti collection-timeline - Get curated analyst timeline events
- /gti collection-mitre - Get MITRE ATT&CK technique mappings

Threat Intelligence:
- /gti list-profiles - List organization-specific threat profiles
- /gti get-profile - Get detailed threat profile configuration
- /gti search-darkweb - Search Digital Threat Monitoring for underground activity

SOAR Commands (/secops:soar)

10 SOAR Case Management Commands

Complete case management and investigation capabilities through hierarchical commands:

Case Operations:
- /secops:soar list-cases - List all security cases with priority indicators
- /secops:soar get-case-details - Get comprehensive case information, alerts, and comments
- /secops:soar post-comment - Add investigation notes and findings to cases
- /secops:soar change-priority - Update case priority based on threat assessment

Alert Management:
- /secops:soar list-alerts - List alerts associated with specific cases
- /secops:soar list-events - Get underlying security events from alert sources
- /secops:soar list-alert-groups - List alert group identifiers for targeted actions

Entity Operations:
- /secops:soar get-entities - Retrieve entities involved in specific alert groups
- /secops:soar get-entity-details - Get detailed entity information with enrichment data
- /secops:soar search-entity - Search entities by type, suspicion status, or environment

Usage Examples

SecOps Examples

List subcommands:
/secops help

Basic entity lookup:
/secops entity-lookup --help
/secops entity-lookup --entity-value="WIN-HELIUM"

Search for security events with natural language:
/secops search-events --query="Show network connections involving IP 10.0.0.5"

GTI Examples

Search for threat actors:
/gti search-actors --query="APT28" --limit=5

Analyze suspicious file:
/gti file-report --hash="e4d909c290d0fb1ca068ffaddf22cbd0"

Monitor dark web for organization mentions:

SOAR Usage Examples

List recent cases for triage:

Get full investigation context for a case:
/secops:soar get-case-details --case-id="523"

Document investigation findings:

Features

- --help flag
- hierarchical commands (/secops:soar)

Configuration Files

- .gemini/commands/secops.toml - SecOps slash commands (13 commands)
- .gemini/commands/secops/soar.toml - SOAR case management commands (10 commands) NEW
- .gemini/commands/gti.toml - GTI slash commands (15 commands)

All files use Jinja2 templating for dual help/execution modes and follow consistent naming conventions.
This enables security analysts to interact with Chronicle SIEM, Google Threat Intelligence, and SOAR case management through natural, discoverable slash commands directly in Gemini CLI.