detection-engineering-coverage-evaluation


SecOps Detection Coverage Skill


This skill guides the agent through an end-to-end detection engineering lifecycle using Google SecOps MCP tools. It handles multiple Threat Detection Opportunities (TDOs) and ensures exhaustive coverage evaluation for all generated synthetic events.

Workflow Execution Checklist


Copy this checklist and track progress for each iteration:
  • Step 1: Extract raw text content from a source (for example, blog URL).
  • Step 2: Generate Threat Detection Opportunities (TDOs).
  • Step 3: Loop through ALL TDOs to generate synthetic events.
  • Step 4: Loop through ALL UDM events to evaluate rule coverage.
  • Step 5: For identified rules, check enablement and alerting status.
  • Step 6: Generate new rules for identified gaps.
  • Step 7: Provide a structured summary of findings and gaps.

Detailed Steps


1. Extract Threat Intelligence


  • Use the following prompt to extract all text content from a URL: "Fetch the blog text from {url}. You need to extract and output the entire text content of the page, exactly as it appears in the HTML, without any summarization, modification, or omission."
  • Summary of Step: Report only that the text was successfully extracted from the provided URL. Do not output the full raw text.
  • Next Step: The extracted text will be used to generate Threat Detection Opportunities (TDOs).

2. Generate TDOs


  • Call generate_threat_detection_opportunity with the full raw threat text extracted from the blog. You must not summarize it. This tool returns one or more TDOs.
  • Summary of Step: Report the number of TDOs generated and provide a brief, high-level summary for each TDO (for example, the key threat or attacker technique identified). Do not output the full TDO JSON.
  • Next Step: The process will now loop through each generated TDO to create synthetic events.

3. Generate Synthetic Events (For ALL TDOs)


For every TDO:
  • Call generate_synthetic_events using the TDO.
  • Summary of Step: Report the total number of synthetic UDM events generated for this TDO. Briefly describe the types of attacker behaviors simulated (for example, "Generated events simulating initial access and privilege escalation"). Don't output the full response.
  • Next Step: The generated UDM events will be used to evaluate rule coverage.

4. Evaluate Rule Coverage (For ALL UDM Events)


For every UDM event generated for a TDO:
  • Call evaluate_rule_coverage, providing the UDM event in valid JSON format. Provide only the UDM event, as a single valid JSON object. You MUST provide each UDM event as a standard stringified JSON object within the udmsJson list. Do not apply an additional layer of escaping to the JSON string: serialize it exactly once, so the string carries no extra backslashes.
  • Summary of Step: Report which rule_ids matched for this event, if any. If no rules matched, clearly state "No rules matched." Provide counts of events evaluated. Don't output the full coverage evaluation JSON.
  • Next Step: The identified matched rules will be audited for their enablement and alerting status.
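The "no extra escaping" requirement above is the one place in this workflow where a malformed call fails silently rather than loudly: a double-encoded event still parses as valid JSON, it just decodes to a string instead of an object, so evaluate_rule_coverage is handed something no rule can match and every event looks like a gap. The following added example (not part of the skill or of the SecOps MCP tools; the sample events and field values are constructed, and udmsJson is the only name taken from the page) builds the udmsJson list the right way, shows the wrong way beside it, and checks a list before it is sent:

```python
import json

# Constructed sample UDM events for illustration (not taken from any real tenant).
SAMPLE_EVENTS = [
    {
        "metadata": {"event_type": "PROCESS_LAUNCH", "product_name": "ExampleEDR"},
        "principal": {"hostname": "ws-01.example.test", "user": {"userid": "alice"}},
        "target": {"process": {"command_line": 'powershell.exe -enc "QQBCAEMA"'}},
    },
    {
        "metadata": {"event_type": "NETWORK_CONNECTION", "product_name": "ExampleFW"},
        "principal": {"ip": "10.0.0.5"},
        "target": {"ip": "203.0.113.7", "port": 443},
    },
]


def build_udms_json(events):
    """Correct: serialize each event exactly once. Each entry decodes back to a dict."""
    return [json.dumps(ev, separators=(",", ":")) for ev in events]


def build_udms_json_wrong(events):
    """Wrong: the JSON text is serialized a second time, adding a layer of \\" escaping.
    Kept here only to show what the check below catches."""
    return [json.dumps(json.dumps(ev)) for ev in events]


def udms_json_problems(udms):
    """Return a list of problems found in a udmsJson list; empty means it is safe to send.

    A double-encoded entry is still valid JSON, so json.loads() succeeds; the tell-tale
    sign is that it decodes to a str rather than to a single object.
    """
    problems = []
    for i, s in enumerate(udms):
        try:
            obj = json.loads(s)
        except json.JSONDecodeError as exc:
            problems.append(f"udmsJson[{i}]: not valid JSON ({exc.msg})")
            continue
        if isinstance(obj, str):
            problems.append(f"udmsJson[{i}]: double-encoded (an extra escaping layer was applied)")
        elif not isinstance(obj, dict):
            problems.append(f"udmsJson[{i}]: not a single JSON object")
    return problems


if __name__ == "__main__":
    good = build_udms_json(SAMPLE_EVENTS)
    bad = build_udms_json_wrong(SAMPLE_EVENTS)
    print("good entry starts:", good[0][:40])
    print("bad entry starts: ", bad[0][:40])
    print("problems in good:", udms_json_problems(good))
    print("problems in bad: ", udms_json_problems(bad))
```

Run the check on the list immediately before the evaluate_rule_coverage call; if it reports anything, fix the serialization rather than recording the events as uncovered.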

5. Audit Rule Status


For every distinct rule_id identified:
  • Call get_rule to check the rule configuration with the CONFIG_ONLY view.
  • Summary of Step: For each rule_id, state its enablement status (for example, "Enabled", "Disabled") and alerting status (for example, "Alerting Enabled", "Alerting Disabled").
  • Next Step: Review coverage gaps and potentially generate new rules.

6. Gap Mitigation


If gaps are found:
  • Call generate_rules for the relevant TDOs.
  • Summary of Step: For each gap, describe what coverage was missing and confirm if a new rule was generated. Provide a brief summary of what the newly generated rule aims to detect.
  • Next Step: Provide a final structured summary of all findings and gaps.

Output Format


Provide a summary for each TDO processed:
TDO: {tdo summary}
Coverage Eval: [{rule_id, enablement status, alerting status}, ...]
Missing Coverage: [{summary, generated rule}] // Only if gaps exist
Errors: [{if any errors were encountered, specify the tool}]
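Steps 4 to 6 each produce a fragment of this summary, and the fragment that is easiest to lose is the one from step 5: a rule that matched a synthetic event but is disabled, or enabled without alerting, never reaches an analyst. The following added example (not part of the skill or of the SecOps MCP tools) assembles the per-TDO summary from constructed tool results. The status field names enabled and alerting_enabled come from the Tool Reference on this page; the shape of the coverage results ("event_index", "matched_rule_ids"), the rule IDs and the decision to report a matched-but-silent rule under Missing Coverage are assumptions of this example:

```python
# Constructed results for one TDO (not real MCP output; the shapes are assumptions).
COVERAGE_RESULTS = [
    {"event_index": 0, "matched_rule_ids": ["ru_encoded_powershell"]},
    {"event_index": 1, "matched_rule_ids": ["ru_outbound_443_rare_dst", "ru_encoded_powershell"]},
    {"event_index": 2, "matched_rule_ids": []},
]
# Constructed get_rule (CONFIG_ONLY) results keyed by rule_id; field names from the Tool Reference.
RULE_CONFIGS = {
    "ru_encoded_powershell": {"enabled": True, "alerting_enabled": True},
    "ru_outbound_443_rare_dst": {"enabled": True, "alerting_enabled": False},
}
# Constructed: rules produced by generate_rules for the gaps, keyed by the event that exposed them.
GENERATED_RULES = {2: "ru_generated_cred_dump"}


def status_strings(cfg):
    """Map a rule config to the two status strings the summary format uses."""
    enablement = "Enabled" if cfg.get("enabled") else "Disabled"
    alerting = "Alerting Enabled" if cfg.get("alerting_enabled") else "Alerting Disabled"
    return enablement, alerting


def summarize_tdo(tdo_summary, coverage_results, rule_configs, generated_rules=None):
    """Build the TDO / Coverage Eval / Missing Coverage / Errors structure for one TDO."""
    generated_rules = generated_rules or {}
    coverage_eval, missing, errors, seen = [], [], [], set()
    for res in coverage_results:
        idx = res["event_index"]
        matched = res.get("matched_rule_ids", [])
        if not matched:
            missing.append({"summary": f"event {idx}: No rules matched",
                            "generated rule": generated_rules.get(idx)})
            continue
        for rid in matched:
            if rid in seen:          # audit each distinct rule_id once, as step 5 says
                continue
            seen.add(rid)
            cfg = rule_configs.get(rid)
            if cfg is None:          # get_rule returned nothing: record the tool, not a status
                errors.append({"tool": "get_rule", "detail": f"no configuration returned for {rid}"})
                continue
            enablement, alerting = status_strings(cfg)
            coverage_eval.append({"rule_id": rid, "enablement status": enablement,
                                  "alerting status": alerting})
            # Design choice of this example: a match that cannot alert is reported as a gap,
            # because from the analyst's point of view the behaviour is still undetected.
            if enablement != "Enabled" or alerting != "Alerting Enabled":
                missing.append({"summary": f"event {idx}: {rid} matched but is {enablement}, {alerting}",
                                "generated rule": generated_rules.get(idx)})
    summary = {"TDO": tdo_summary, "Coverage Eval": coverage_eval, "Errors": errors}
    if missing:                      # "Only if gaps exist"
        summary["Missing Coverage"] = missing
    return summary


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_tdo("constructed TDO: encoded PowerShell and outbound 443 beaconing",
                                   COVERAGE_RESULTS, RULE_CONFIGS, GENERATED_RULES), indent=2))
```

With the constructed input, event 1 surfaces a rule that matches but has alerting disabled, which the plain "which rule_ids matched" report from step 4 would have shown as covered.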


Tool Reference


  • generate_threat_detection_opportunity: Initial tool for threat analysis.
  • generate_synthetic_events: Generates logs simulating the TDO.
  • evaluate_rule_coverage: Checks if existing rules detect the synthetic UDMs.
  • get_rule: Use to check the alerting_enabled and enabled status of SIEM rules.
  • generate_rules: Codifies detection logic for gaps.