### Initialize gcloud CLI

Source: https://docs.cloud.google.com/chronicle/docs/secops/use-google-secops-mcp?hl=es-419

Initializes the Google Cloud CLI for use. This command guides you through setting up your project and default configurations. Ensure you have the gcloud CLI installed and updated before running this.

```bash
gcloud init
```

--------------------------------

### List Tools via HTTP Request

Source: https://docs.cloud.google.com/chronicle/docs/secops/use-google-secops-mcp?hl=ko

Lists available MCP tools by sending a `tools/list` HTTP request directly to the Google Security Operations remote MCP server. This method does not require authentication.

````APIDOC
## List Tools

### Description
Retrieves a list of available MCP tools and their descriptions for the Google SecOps MCP server. This operation does not require authentication.

### Method
POST

### Endpoint
`/mcp`

### Parameters
#### Path Parameters
N/A

#### Query Parameters
N/A

#### Request Body
- **jsonrpc** (string) - Required - Specifies the JSON-RPC version, should be "2.0".
- **method** (string) - Required - The method to call, which is "tools/list" for this operation.

### Request Example
```http
POST /mcp HTTP/1.1
Host: chronicle.europe-west2.rep.googleapis.com
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "method": "tools/list"
}
```

### Response
#### Success Response (200)
- **result** (object) - Contains the list of tools and their descriptions.
  - **tools** (array) - A list of available tools.
    - **name** (string) - The name of the tool.
    - **description** (string) - A description of the tool's functionality.

#### Response Example
```json
{
  "jsonrpc": "2.0",
  "id": "some-id",
  "result": {
    "tools": [
      {
        "name": "example_tool_1",
        "description": "This is an example tool."
      },
      {
        "name": "example_tool_2",
        "description": "Another example tool."
      }
    ]
  }
}
```
````

--------------------------------

### UDM Search Query Example

Source: https://docs.cloud.google.com/chronicle/docs/secops/google-secops-siem-toc

An example of a UDM search query used for investigating security events. This query filters network connection events on the IP protocol and the target port, using the UDM field names `network.ip_protocol` and `target.port`.

```UDM Search
metadata.event_type = "NETWORK_CONNECTION" AND network.ip_protocol = "TCP" AND target.port = 443
```

--------------------------------

### YARA-L 2.0 Reference List Syntax Example

Source: https://docs.cloud.google.com/chronicle/docs/secops/google-secops-siem-toc

Shows how to use reference list syntax in YARA-L 2.0. This allows for matching against predefined lists of values, such as IP addresses or domain names. A reference list is created and maintained outside the rule and is referenced with a `%` prefix; there is no inline list section in the rule language.

```YARA-L 2.0
rule reference_list_example {
  meta:
    author = "Example"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    // "suspicious_ips" is a reference list (e.g. containing 1.2.3.4 and 5.6.7.8)
    // managed in Google SecOps; the rule only refers to it by name.
    $e.target.ip in %suspicious_ips

  condition:
    $e
}
```

--------------------------------

### Create Detection Rule using Google SecOps MCP

Source: https://docs.cloud.google.com/chronicle/docs/secops/use-google-secops-mcp?hl=pt-br

This snippet demonstrates how to create a new detection rule within the Google SecOps MCP server. It requires a rule definition in YARA-L format, including metadata, event conditions, and outcome variables. The response confirms the successful creation of the rule and provides its unique identifier, revision ID, and other associated details.

```yara-l
rule successful_user_logins_from_outside_us_test {
  meta:
    author = "Google SecOps Gemini"
    description = "Detect successful user logins originating from outside the United States."
    severity = "Medium"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.security_result.action = "ALLOW"
    $e.principal.ip_geo_artifact.location.country_or_region != "United States"

  outcome:
    $user = array($e.principal.user.userid)
    $source_ip = array($e.principal.ip)
    $country = array($e.principal.ip_geo_artifact.location.country_or_region)
    $city = array($e.principal.ip_geo_artifact.location.city)

  condition:
    $e
}
```

--------------------------------

### YARA-L 2.0 OR Syntax Example

Source: https://docs.cloud.google.com/chronicle/docs/secops/google-secops-siem-toc

Illustrates the use of the `or` operator within the events section of a YARA-L 2.0 rule. This allows for matching events that satisfy one of multiple conditions; the alternatives are grouped in parentheses so that the surrounding filters still apply to both.

```YARA-L 2.0
rule or_syntax_example {
  meta:
    author = "Example"

  events:
    $e.metadata.event_type = "FILE_MODIFICATION"
    // Either path satisfies the filter; the parentheses scope the OR.
    (
      $e.target.file.full_path = "/etc/passwd" or
      $e.target.file.full_path = "/etc/shadow"
    )

  condition:
    $e
}
```

--------------------------------

### YARA-L 2.0 N OF Syntax Example

Source: https://docs.cloud.google.com/chronicle/docs/secops/google-secops-siem-toc

Illustrates how to require that a certain number of events match specific criteria in YARA-L 2.0. The count of events bound to an event variable is written `#e` and compared in the condition section; this needs a match section that defines the grouping variable and time window over which events are counted.

```YARA-L 2.0
rule n_of_example {
  meta:
    author = "Example"

  events:
    $e.metadata.event_type = "PROCESS_TERMINATION"
    $e.target.process.file.full_path = /malware\.exe$/ nocase
    $host = $e.principal.hostname

  match:
    // Group matching events per host within a 10 minute window.
    $host over 10m

  condition:
    // #e is the number of events matched by $e in the window:
    // "at least 2 of" the matching events.
    #e >= 2
}
```

--------------------------------

### Enable Model Armor API Endpoint Override

Source: https://docs.cloud.google.com/chronicle/docs/secops/use-google-secops-mcp?hl=es-419

Sets the API endpoint for the Model Armor service using the gcloud CLI. This is a prerequisite for using Model Armor features. Replace LOCATION with the desired region.

```bash
gcloud config set api_endpoint_overrides/modelarmor "https://modelarmor.LOCATION.rep.googleapis.com/"
```

--------------------------------

### Disable Google SecOps MCP Server

Source: https://docs.cloud.google.com/chronicle/docs/secops/use-google-secops-mcp?hl=ko

Command to disable the Google SecOps MCP server in a specific Google Cloud project.

````APIDOC
## Disable Google SecOps MCP Server

### Description
Disables the Google SecOps MCP server for use within your Google Cloud project.

### Method
`gcloud` command

### Endpoint
N/A (gcloud command)

### Parameters
#### Path Parameters
N/A

#### Command Arguments
- **SERVICE** (string) - Required - The service name for the MCP server.
- **PROJECT_ID** (string) - Required - The ID of the Google Cloud project.

### Request Example
```bash
gcloud beta services mcp disable SERVICE \
    --project=PROJECT_ID
```

### Response
#### Success Response
Indicates the Google SecOps MCP server has been successfully disabled for the project.

#### Response Example
N/A (gcloud command output)
````

--------------------------------

### Get Model Armor Content Security Status for MCP

Source: https://docs.cloud.google.com/chronicle/docs/secops/use-google-secops-mcp?hl=es-419

Retrieves the current Model Armor content security configuration for MCP traffic within a Google Cloud project. This command helps verify whether Model Armor is actively sanitizing MCP traffic. Replace PROJECT_ID with your Google Cloud project ID.

```bash
gcloud beta services mcp content-security get --project=PROJECT_ID
```

--------------------------------

### List Tools via MCP Inspector or HTTP Request

Source: https://docs.cloud.google.com/chronicle/docs/secops/use-google-secops-mcp?hl=ja

Instructions for listing available MCP tools using the MCP inspector or by sending a direct HTTP request to the Google Security Operations remote MCP server.

````APIDOC
## List tools

### Description
Use the MCP inspector to list tools, or send a `tools/list` HTTP request directly to the Google Security Operations remote MCP server. The `tools/list` method doesn't require authentication.

### Method
POST

### Endpoint
`/mcp`

### Parameters
#### Path Parameters
None

#### Query Parameters
None

#### Request Body
- **jsonrpc** (string) - Required - Specifies the JSON-RPC version, should be "2.0".
- **method** (string) - Required - The method to call, should be "tools/list".

### Request Example
```json
{
  "jsonrpc": "2.0",
  "method": "tools/list"
}
```

### Response
#### Success Response (200)
Returns a list of available MCP tools and their descriptions.

#### Response Example
```json
{
  "jsonrpc": "2.0",
  "id": "some-id",
  "result": [
    {
      "name": "tool_name",
      "description": "Tool description"
    }
  ]
}
```
````

--------------------------------

### YARA-L 2.0 Repeated Fields Example

Source: https://docs.cloud.google.com/chronicle/docs/secops/google-secops-siem-toc

Shows how to work with repeated fields in YARA-L 2.0. This is common when dealing with event data that can contain multiple values for a single field: a comparison against a repeated field is true when any element satisfies it.

```YARA-L 2.0
rule repeated_fields_example {
  meta:
    author = "Example"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    // target.ip is a repeated field; this matches if any element equals the value.
    $e.target.ip = "192.168.1.1"

  condition:
    $e
}
```

--------------------------------

### List Tools via HTTP Request

Source: https://docs.cloud.google.com/chronicle/docs/secops/use-google-secops-mcp?hl=fr

Lists available MCP tools by sending a `tools/list` HTTP request directly to the Google Security Operations remote MCP server. This method does not require authentication.

````APIDOC
## List Tools

### Description
Lists available MCP tools and their descriptions for the Google SecOps MCP server using an HTTP POST request.

### Method
POST

### Endpoint
`/mcp`

### Parameters
#### Query Parameters
None

#### Request Body
- **jsonrpc** (string) - Required - Specifies the JSON-RPC version, typically "2.0".
- **method** (string) - Required - The method to call, which is "tools/list" for this operation.

### Request Example
```http
POST /mcp HTTP/1.1
Host: chronicle.europe-west2.rep.googleapis.com
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "method": "tools/list"
}
```

### Response
#### Success Response (200)
- **result** (object) - Contains the list of tools and their descriptions.
  - **tools** (array) - A list of available tools.
    - **name** (string) - The name of the tool.
    - **description** (string) - A description of the tool's functionality.

#### Response Example
```json
{
  "jsonrpc": "2.0",
  "id": "some-id",
  "result": {
    "tools": [
      {
        "name": "example_tool",
        "description": "An example tool for demonstration."
      }
    ]
  }
}
```
````

--------------------------------

### Configure Model Armor Floor Setting for MCP Servers

Source: https://docs.cloud.google.com/chronicle/docs/secops/use-google-secops-mcp?hl=zh-cn

Updates the Model Armor floor setting to enable MCP content security. This command configures sanitization, inspection, and blocking for Google MCP server traffic, along with enabling logging and setting a confidence level for malicious URI filters.

```bash
gcloud model-armor floorsettings update \
    --full-uri='projects/PROJECT_ID/locations/global/floorSetting' \
    --enable-floor-setting-enforcement=TRUE \
    --add-integrated-services=GOOGLE_MCP_SERVER \
    --google-mcp-server-enforcement-type=INSPECT_AND_BLOCK \
    --enable-google-mcp-server-cloud-logging \
    --malicious-uri-filter-settings-enforcement=ENABLED \
    --add-rai-settings-filters='[{"confidenceLevel": "MEDIUM_AND_ABOVE", "filterType": "DANGEROUS"}]'
```
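The `tools/list` exchange described in the List Tools sections above, as an added Python example that is not part of the Google documentation or the Google SecOps product code: it builds the JSON-RPC 2.0 request, validates the response envelope (accepting both shapes the documentation's response examples show, `result.tools` as an array and `result` itself as the array), and diffs the returned tool inventory against a recorded baseline. Tool descriptions are text an agent acts on, so a changed description is worth surfacing alongside added and removed tools, which is the kind of drift the Model Armor MCP content-security settings above are meant to guard. The endpoint URL is a placeholder and the sample responses are constructed; the network call is the only part that cannot run offline.

```python
"""Added example (not from the Google SecOps docs): send a JSON-RPC 2.0
tools/list request to an MCP server, validate the reply, and detect drift
in the tool inventory against a recorded baseline."""
import json
import urllib.request

# Placeholder endpoint: substitute the regional Google SecOps MCP host.
MCP_URL = "https://chronicle.REGION.rep.googleapis.com/mcp"


def build_tools_list_request(request_id="1"):
    """JSON-RPC 2.0 envelope for the unauthenticated tools/list method."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/list"}


def parse_tools_list_response(raw, expected_id=None):
    """Validate the JSON-RPC envelope and return {tool_name: description}.

    Accepts both response shapes shown in the documentation examples:
    result.tools as an array, or result itself as the array.
    """
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"response is not JSON: {exc}") from None
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        raise ValueError("not a JSON-RPC 2.0 response")
    if "error" in msg:  # JSON-RPC error object: {"code": ..., "message": ...}
        err = msg["error"] or {}
        raise RuntimeError(f"server error {err.get('code')}: {err.get('message')}")
    if expected_id is not None and msg.get("id") != expected_id:
        raise ValueError("response id does not match the request id")
    result = msg.get("result")
    tools = result.get("tools") if isinstance(result, dict) else result
    if not isinstance(tools, list):
        raise ValueError("result carries no tools array")
    inventory = {}
    for entry in tools:
        name = entry.get("name") if isinstance(entry, dict) else None
        if not isinstance(name, str) or not name:
            raise ValueError("tool entry without a name")
        if name in inventory:
            raise ValueError(f"duplicate tool name: {name}")
        inventory[name] = str(entry.get("description", ""))
    return inventory


def diff_tool_inventory(baseline, current):
    """Compare a recorded inventory with a fresh one.

    A changed description is reported next to added and removed tools,
    because an agent treats the description as instructions.
    """
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(
            n for n in baseline if n in current and baseline[n] != current[n]
        ),
    }


def fetch_tools(url=MCP_URL, timeout=10):
    """Perform the HTTPS exchange (network access assumed; not run offline)."""
    body = json.dumps(build_tools_list_request("1")).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_tools_list_response(resp.read().decode("utf-8"), expected_id="1")


# Constructed sample replies mirroring the documentation's two response shapes.
SAMPLE_NESTED = json.dumps({
    "jsonrpc": "2.0", "id": "some-id",
    "result": {"tools": [
        {"name": "example_tool_1", "description": "This is an example tool."},
        {"name": "example_tool_2", "description": "Another example tool."},
    ]},
})
SAMPLE_FLAT = json.dumps({
    "jsonrpc": "2.0", "id": "some-id",
    "result": [{"name": "tool_name", "description": "Tool description"}],
})

if __name__ == "__main__":
    baseline = parse_tools_list_response(SAMPLE_NESTED, expected_id="some-id")
    # Simulate a later poll where one description changed and a tool appeared.
    later = dict(baseline, example_tool_2="Now also exports data.", new_tool="")
    print(diff_tool_inventory(baseline, later))
```

Store the inventory returned by the first successful poll and run `diff_tool_inventory` on each subsequent one; an empty `changed` and `added` list is the expected steady state, and anything else is a prompt to read the new description before an agent does.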