google/detection-engineering-coverage-evaluation

Automates the end-to-end detection engineering workflow in Google SecOps using MCP tools. Use when fetching threat intelligence from blogs, generating Threat Detection Opportunities (TDOs), simulating attacker behavior with synthetic UDM events, evaluating rule coverage, and generating new YARA-L 2.0 rules to close coverage gaps. Don't use when asked to perform threat hunting actions or SOC investigative actions.

global · New · ~1.3k · v1.0 · Saved Jun 27, 2026

SecOps Detection Coverage Skill

This skill guides the agent through an end-to-end detection engineering lifecycle using Google SecOps MCP tools. It handles multiple Threat Detection Opportunities (TDOs) and ensures exhaustive coverage evaluation for all generated synthetic events.

Workflow Execution Checklist

Copy this checklist and track progress for each iteration:

  • Step 1: Extract raw text content from a source (for example, blog URL).
  • Step 2: Generate Threat Detection Opportunities (TDOs).
  • Step 3: Loop through ALL TDOs to generate synthetic events.
  • Step 4: Loop through ALL UDM events to evaluate rule coverage.
  • Step 5: For identified rules, check enablement and alerting status.
  • Step 6: Generate new rules for identified gaps.
  • Step 7: Provide a structured summary of findings and gaps.

Detailed Steps

1. Extract Threat Intelligence

  • Use the following prompt to extract all text content from a URL: "Fetch the blog text from {url}. You need to extract and output the entire text content of the page, exactly as it appears in the HTML, without any summarization, modification, or omission."

  • Summary of Step: Report only that the text was successfully extracted from the provided URL. Do not output the full raw text.

  • Next Step: The extracted text will be used to generate Threat Detection Opportunities (TDOs).

2. Generate TDOs

  • Call generate_threat_detection_opportunity with the full raw threat text extracted from the blog. You must not summarize it. This tool returns one or more TDOs.

  • Summary of Step: Report the number of TDOs generated and provide a brief, high-level summary for each TDO (for example, the key threat or attacker technique identified). Do not output the full TDO JSON.

  • Next Step: The process will now loop through each generated TDO to create synthetic events.

3. Generate Synthetic Events (For ALL TDOs)

For every TDO:

  • Call generate_synthetic_events using the TDO.

  • Summary of Step: Report the total number of synthetic UDM events generated for this TDO. Briefly describe the types of attacker behaviors simulated (for example, "Generated events simulating initial access and privilege escalation"). Don't output the full response.

  • Next Step: The generated UDM events will be used to evaluate rule coverage.

4. Evaluate Rule Coverage (For ALL UDM Events)

For every UDM event generated for a TDO:

  • Call evaluate_rule_coverage, providing each UDM event as a single, valid JSON object. You MUST provide each UDM event as a standard stringified JSON object within the udmsJson list. Do not apply an additional layer of escaping to the JSON string: use standard JSON stringification with no extra backslashes.

  • Summary of Step: Report which rule_ids matched for this event, if any. If no rules matched, clearly state "No rules matched." Provide counts of events evaluated. Don't output the full coverage evaluation JSON.

  • Next Step: The identified matched rules will be audited for their enablement and alerting status.

5. Audit Rule Status

For every distinct rule_id identified:

  • Call get_rule to check the rule configuration using the CONFIG_ONLY view.

  • Summary of Step: For each rule_id, state its enablement status (for example, "Enabled", "Disabled") and alerting status (for example, "Alerting Enabled", "Alerting Disabled").

  • Next Step: Review coverage gaps and potentially generate new rules.

6. Gap Mitigation

If gaps are found:

  • Call generate_rules for the relevant TDOs.

  • Summary of Step: For each gap, describe what coverage was missing and confirm if a new rule was generated. Provide a brief summary of what the newly generated rule aims to detect.

  • Next Step: Provide a final structured summary of all findings and gaps.

Output Format

Provide a summary for each TDO processed:

TDO: {tdo summary}

Coverage Eval: [{rule_id, enablement status, alerting status}, ...]

Missing Coverage: [{summary, generated rule}] // Only if gaps exist

Errors: [{if any errors were encountered, specify the tool}]
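The bookkeeping behind Steps 4 to 6 and the Output Format above, as an added example (not code from the skill or from Google SecOps): it stringifies UDM events exactly once for the udmsJson list, checks that a payload has not been double-escaped, and folds per-event coverage results plus per-rule get_rule configs into the Coverage Eval / Missing Coverage / Errors structure. The response shapes assumed for evaluate_rule_coverage (a rule_ids list per event, or an error) and for get_rule (enabled and alerting_enabled booleans) are assumptions modelled on the field names mentioned on this page, as are the function names; the sample events, results and rule configs are constructed inline.

```python
"""Offline bookkeeping for the coverage-evaluation workflow (added example).

Tool response shapes below are ASSUMED, not taken from the real MCP tools.
"""
import json

# Constructed sample UDM events for one TDO (not real telemetry).
SAMPLE_UDM_EVENTS = [
    {
        "metadata": {"event_type": "PROCESS_LAUNCH", "product_name": "EDR-Sim"},
        "principal": {"hostname": "ws-01", "user": {"userid": "alice"}},
        "target": {"process": {"command_line": "powershell.exe -enc QQBC..."}},
    },
    {
        "metadata": {"event_type": "NETWORK_CONNECTION", "product_name": "EDR-Sim"},
        "principal": {"hostname": "ws-01"},
        "target": {"ip": "203.0.113.10", "port": 4444},
    },
]


def build_udms_json(events):
    """Stringify each UDM event exactly once, as the udmsJson list expects."""
    return [json.dumps(event, separators=(",", ":")) for event in events]


def is_single_encoded(udm_json):
    """True if udm_json decodes straight to an object (one layer of JSON).

    A double-escaped payload decodes to a *string* that itself contains JSON,
    which is the extra-backslash failure mode Step 4 warns about.
    """
    try:
        decoded = json.loads(udm_json)
    except json.JSONDecodeError:
        return False
    return isinstance(decoded, dict)


def summarize_tdo(tdo_summary, coverage_results, rule_configs):
    """Fold one TDO's tool results into the Output Format structure.

    coverage_results: per event, {"rule_ids": [...]} or {"error": str}
                      (assumed evaluate_rule_coverage shape).
    rule_configs:     {rule_id: {"enabled": bool, "alerting_enabled": bool}}
                      (assumed get_rule CONFIG_ONLY shape).
    """
    matched = []          # distinct rule_ids in first-seen order
    errors = []
    uncovered = 0
    for idx, result in enumerate(coverage_results):
        if "error" in result:
            errors.append({"tool": "evaluate_rule_coverage",
                           "event_index": idx, "error": result["error"]})
            continue
        rule_ids = result.get("rule_ids", [])
        if not rule_ids:
            uncovered += 1
        for rid in rule_ids:
            if rid not in matched:
                matched.append(rid)

    coverage_eval = []
    for rid in matched:
        cfg = rule_configs.get(rid)
        if cfg is None:
            errors.append({"tool": "get_rule", "rule_id": rid,
                           "error": "no config returned"})
            continue
        coverage_eval.append({
            "rule_id": rid,
            "enablement": "Enabled" if cfg.get("enabled") else "Disabled",
            "alerting": ("Alerting Enabled" if cfg.get("alerting_enabled")
                         else "Alerting Disabled"),
        })

    summary = {"TDO": tdo_summary, "Coverage Eval": coverage_eval,
               "Errors": errors}
    # A gap is an event no rule matched, or a matching rule that is disabled:
    # either way the behaviour goes undetected in production. "generated rule"
    # stays None until Step 6 (generate_rules) fills it in.
    missing = []
    if uncovered:
        missing.append({"summary": f"{uncovered} event(s) matched no rule",
                        "generated rule": None})
    for entry in coverage_eval:
        if entry["enablement"] == "Disabled":
            missing.append({"summary": f"{entry['rule_id']} matches but is disabled",
                            "generated rule": None})
    if missing:                      # "Only if gaps exist"
        summary["Missing Coverage"] = missing
    return summary


if __name__ == "__main__":
    udms = build_udms_json(SAMPLE_UDM_EVENTS)
    assert all(is_single_encoded(u) for u in udms)
    # Constructed tool outputs: event 0 matched one rule, event 1 matched none.
    results = [{"rule_ids": ["ru_encoded_powershell"]}, {"rule_ids": []}]
    configs = {"ru_encoded_powershell": {"enabled": True, "alerting_enabled": False}}
    print(json.dumps(summarize_tdo("Encoded PowerShell followed by C2 beacon",
                                   results, configs), indent=2))
```

Treating a disabled matching rule as a gap is a design choice: Step 5 reports enablement separately, but from a coverage standpoint a disabled rule detects nothing, so surfacing it under Missing Coverage keeps the final summary honest.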


Tool Reference

  • generate_threat_detection_opportunity: Initial tool for threat analysis.
  • generate_synthetic_events: Generates logs simulating the TDO.
  • evaluate_rule_coverage: Checks if existing rules detect the synthetic UDMs.
  • get_rule: Use to check alerting_enabled and enabled status of SIEM rules.
  • generate_rules: Codifies detection logic for gaps.
Files (1): 1 file · 11.1 KB

Overall Score: 78/100 (Grade B, Good)

  • Safety: 82
  • Quality: 74
  • Clarity: 81
  • Completeness: 68

Summary

This skill automates the detection engineering lifecycle in Google SecOps by guiding an agent through threat intelligence extraction, TDO (Threat Detection Opportunities) generation, synthetic event creation, rule coverage evaluation, and gap remediation. It provides a structured 7-step workflow for evaluating detection coverage against attacker behaviors and generating new YARA-L 2.0 rules to close gaps.

Detected Capabilities

  • MCP tool invocation (generate_threat_detection_opportunity, generate_synthetic_events, evaluate_rule_coverage, get_rule, generate_rules)
  • Threat intelligence processing and extraction from URLs
  • Synthetic event generation and JSON handling
  • Rule configuration audit and status checking
  • Detection rule generation (YARA-L 2.0)
  • Structured output summarization and reporting

Trigger Keywords

Phrases that MCP clients use to match this skill to user intent.

  • detection coverage evaluation
  • threat detection opportunities
  • SIEM rule audit
  • generate detection rules
  • synthetic event simulation
  • coverage gap analysis

Risk Signals

  • INFO: Tool invocation for cloud-based security infrastructure (Google SecOps MCP tools) (throughout skill)
  • INFO: URL extraction and text fetching from external sources (Section 1: Extract Threat Intelligence)
  • INFO: JSON handling and UDM event processing (Section 4: Evaluate Rule Coverage)
  • INFO: No local file system modifications or destructive operations (entire skill)

Referenced Domains

External domains referenced in skill content, detected by static analysis.

www.apache.org

Use Cases

  • Evaluate detection coverage for threat intelligence from security blogs or research
  • Generate synthetic UDM events to simulate attacker behavior and test detection capabilities
  • Audit existing SIEM rule enablement and alerting status against generated threats
  • Identify and generate new YARA-L 2.0 detection rules for coverage gaps
  • Validate detection engineering effectiveness across multiple threat scenarios
  • Automate end-to-end coverage assessment for newly discovered attack techniques

Quality Notes

  • Strengths: Well-structured workflow with clear step-by-step instructions and explicit loop requirements for handling multiple TDOs
  • Strengths: Clear summary format guidance prevents information overload and focuses reporting on actionable results
  • Strengths: Detailed instructions on JSON formatting for UDM events and output structure reduce ambiguity
  • Strengths: Tool reference section provides concise mapping of capabilities to required MCP calls
  • Strengths: Explicit scope boundaries (threats only, not threat hunting or SOC investigative actions)
  • Weakness: No error handling guidance—what if a tool call fails or returns no results? Should the agent retry, skip, or escalate?
  • Weakness: No guidance on handling large numbers of TDOs (e.g., timeout, rate limiting, pagination)
  • Weakness: Assumes user has access to Google SecOps and valid MCP tool configuration; no prerequisites or setup guidance
  • Weakness: Output format section shows template but lacks guidance on handling partial failures or incomplete coverage results
  • Weakness: No edge case coverage (empty TDO lists, duplicate rule IDs, conflicting enablement statuses)
Model: claude-haiku-4-5-20251001 · Analyzed: Jun 27, 2026

Reviews

No reviews yet