ADK Runbooks

This site serves as the central hub for documentation related to the Agent Development Kit (ADK) runbooks, a collection of automated procedures, security content, and operational guides designed to streamline cybersecurity operations. Here you’ll find information on setting up the project, configuring its components, understanding the multi-agent architecture, and leveraging the extensive Rules Bank for detection and response. Whether you’re a SOC analyst, detection engineer, or incident responder, this documentation aims to provide the necessary resources to effectively utilize and contribute to the ADK Runbooks ecosystem.

Project Documentation Contents

This site contains detailed information about various components of the ADK Runbooks project. Explore the sections below to find specific documentation.

ADK Multi-Agent System Overview

Details on the multi-agent architecture, project structure, configuration system, and how to run the example.

ADK Multi-Agent System

• Multi-Agent Systems in ADK
  • What is a Multi-Agent System?
  • Project Structure Requirements
  • Multi-Agent Architecture Options
  • Limitations When Using Multi-Agents
  • Our Multi-Agent Example
  • Getting Started
  • Running the Example
  • Additional Resources
• Multi-Agent Configuration System
  • Overview
  • Files
  • Key Features
  • Quick Start
  • Configuration Structure
  • Agent Types Supported
  • Benefits
  • Integration
• Configuration-Based Delegation System
  • Overview
  • Key Benefits
  • System Architecture
  • Configuration Files Explained
  • How Delegation Works
  • Usage Examples
  • Adding New Agents
  • Testing the Configuration
  • Best Practices
  • Configuration Maintenance
  • Troubleshooting
  • Integration with A2A System
  • Future Enhancements
  • Summary
• Configuration System Quick Reference
  • File Locations
  • Agent Configuration Template
  • Common Delegation Patterns
  • Testing Commands
  • Adding a New Agent
  • Debugging Delegation
  • Key Configuration Files
• Agent Workflow References
  • References
  • Agent Design Patterns
  • Visualization Approaches by Pattern Type
  • Iterative Refinement Pattern
  • Additional Agent Workflow Patterns
  • Custom Agents
  • Workflow Agents
  • RAG Agent
• Project: ADK Bidirectional Streaming Application

Setup & Configuration

Instructions for setting up the project environment and configuring necessary components.

Note

The setup and configuration details below primarily pertain to the example multi-agent system provided in this repository.

Setup

Warning

Do NOT use uv to run adk with a pyproject.toml file. (It causes intractable dependency resolution issues.)

Instead, do this:

git clone --recurse-submodules https://github.com/dandye/adk_runbooks.git
cd adk_runbooks/multi-agent
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
adk run manager

Or with uv as pip replacement:

git clone --recurse-submodules https://github.com/dandye/adk_runbooks.git
cd adk_runbooks/multi-agent
python -m venv .venv
source .venv/bin/activate
uv pip sync requirements.txt
adk run manager

If you already cloned without submodules:

cd adk_runbooks
git submodule update --init --recursive

Configuration

There are two places to configure for your environment:

1. ADK Environment Variables

   • Copy ./multi-agent/manager/.env.example to ./multi-agent/manager/.env

   • Add your GOOGLE_API_KEY to the .env file

2. MCP Security Tools

   • The MCP Security tools are included as a git submodule in external/mcp-security/

   • Copy ./external/mcp-security/.env.example to ./external/mcp-security/.env

   • Configure your security tool API keys (Chronicle, SOAR, VirusTotal)

Core Documents

These documents outline the foundational strategies, protocols, and plans for the ADK Runbooks project and the Rules Bank. They provide high-level guidance and operational frameworks.

Core Documents:

• Indicator Handling Protocols
  • Indicator Classification (based on “Blueprint for AI Agents in Cybersecurity”)
  • Protocols by Indicator Type
  • General Principles for AI Agent Usage:
  • References and Inspiration
• Detection Strategy Overview
  • Purpose
  • Core Detection Philosophy
  • Key Detection Platforms
  • Detection Focus Areas & Prioritization
  • Detection Engineering Lifecycle & AI Integration
  • Target Detection Metrics & AI Contribution (PICERL - Preparation & Learning)
  • Key Detection Thresholds / Sensitivity
  • References and Inspiration
• Project Plan: Enhance LLM Agent Context
• MCP Tool Best Practices & Usage Guide
  • General MCP Tool Usage Principles
  • secops-mcp (Chronicle SIEM Interaction)
  • Google Threat Intelligence MCP (GTI Interaction)
  • secops-soar (SOAR Platform Interaction)
  • References and Inspiration
• Analytical Query Patterns for AI Agents
  • Objective
  • Query Pattern Format
  • Chronicle SIEM Query Patterns (secops-mcp - search_security_events)
  • General Notes for AI Agent Querying:
  • References and Inspiration
• Automated Response Playbook Criteria
  • Guiding Principles for Automated Response
  • Automated Response Criteria Examples
  • Maintenance and Review
  • References and Inspiration
• Coding Conventions
• Data Normalization Map
  • Purpose
  • Mappings
  • Usage by AI Agents
  • Maintenance
  • References and Inspiration
• Detection Improvement Process for AI Agents
  • Objective
  • Criteria for Identifying a Potential Detection Gap by an AI Agent
  • Information Required When Reporting a Detection Gap
  • Designated Channel/Tool for Reporting
  • Follow-up Process (by Detection Engineering Team)
  • References and Inspiration
• Log Source Overview
  • Purpose
  • Critical Log Sources
  • AI-Monitored Log Source Health & Coverage
  • Maintenance
  • References and Inspiration
• SOP & Automation Effectiveness Review Process
  • Purpose
  • Scope of Review
  • Review Frequency
  • Review Process & Participants
  • AI Agent Role in the Review Process
  • Documentation
  • References and Inspiration

AI Documentation

This section covers documents related to the design, operation, and review of AI systems within the security context.

AI Documents:

• AI Documentation
  • AI Decision Review Guidelines
  • AI Explainability Standards
  • AI Performance Framework: PICERL Index
  • References
  • AI Performance Logging Requirements

Atomic Runbooks

This section contains a collection of atomic runbooks, which are focused, reusable procedures for specific security tasks. These are typically categorized by the primary entity type they address (e.g., IP Address, Domain, Hash).

Atomic Runbooks:

• Atomic Runbooks
  • Domain-Specific Atomic Runbooks
  • File Hash-Specific Atomic Runbooks
  • IP Address-Specific Atomic Runbooks
  • URL-Specific Atomic Runbooks
  • User-Specific Atomic Runbooks

General Security Runbooks

This area houses a broader collection of runbooks for various security operations, including comprehensive investigation guides, triage procedures, specific incident response plans, and detection engineering workflows.

General Security Runbooks:

• General Security Runbooks
  • Advanced Threat Hunting (Hypothesis-Driven) Runbook
  • Alert Investigation Summary Report Runbook
  • Runbook: APT Threat Hunt
  • Basic Endpoint Triage & Isolation Runbook
  • Basic IOC Enrichment Runbook
  • Case Event Timeline & Process Analysis Workflow
  • Runbook: Generate Case Investigation Report
  • Close duplicate/similar Cases Workflow
  • Cloud Vulnerability Triage & Contextualization
  • Common Investigation Steps
  • Compare GTI Collection to IoCs, Events in SecOps
  • Runbook: Create Investigation Report
  • Runbook: Data Lake Queries
  • Deep Dive IOC Analysis Runbook
  • SOC Analyst Tier 2 Demo Runbook (SOAR Focus)
  • Runbook: Detection-as-Code Workflow (Placeholder)
  • Runbook: Generate Detection Report
  • Detection Rule Validation & Tuning Runbook
  • Group Cases Workflow
  • Graphviz Dotfile
  • Runbook: Group Cases v2
  • Guided TTP Hunt Runbook (Example: Credential Access)
  • Guidelines and Workflows
  • Investigate a Case + external tools
  • Investigate Google Threat Intelligence Collection ID (Enhanced)
  • IOC Containment Runbook
  • Runbook: IOC Threat Hunt
  • Incident Response Plans (IRPs)
  • Lateral Movement Detection Hunt (Example: PsExec/WMI)
  • Malware Triage Runbook
  • Runbook: Meta-Analysis (Placeholder)
  • Post-Incident Review (PIR) Runbook
  • Prioritize and Investigate a Case
  • Proactive Threat Hunting based on GTI Campaign/Actor
  • Suspicious Login Alert Triage Runbook
  • Runbook: Alert Triage
  • Runbook: UEBA Report Analysis
• Detection-as-Code Rule Tuning Workflow
  • Overview
  • Architecture
  • Prerequisites
  • Automated Workflow
  • Manual Review Process
  • Monitoring and Metrics
  • Example Use Cases
  • Best Practices
  • Troubleshooting
  • Advanced Automation
  • References

Templates and Use Cases

Here you’ll find templates to help standardize the creation of new runbooks and documentation detailing specific detection use cases.

Templates & Use Cases:

• Detection Use-Case Package: [USE_CASE_NAME_Placeholder]
  • 1. Use-Case Overview
  • 2. Threat Alignment & Context
  • 3. Technical Details & Detection Logic
  • 4. Incident Response & Automation Planning
  • 5. Testing & Validation Plan
  • 6. Delivery & Deployment Notes
  • 7. Optimization & Metrics (Post-Deployment)
  • References and Inspiration
• Atomic Runbook: [Clear, Verb-Oriented Title - e.g., Get_IP_Reputation_From_GTI]
  • Inputs Required
  • Execution Steps
  • Outputs Expected
  • Decision Logic / Next Steps (If Applicable)
  • AI Agent Execution Notes
  • Metrics Collection Points
  • References
• Reporting Templates & Guidelines
  • General Report Metadata Requirements
  • Common Report Types
  • Risk Assessment
  • Remediation Analysis
  • Prioritization Recommendation
  • Detection and Monitoring
  • Communication Plan
  • Workflow Diagram

Security Personas

Understanding the roles and responsibilities of different security team members is crucial for effective collaboration and tailored procedures. This section describes various security personas.

Security Personas:

• Security Personas

Agent Workflow References

Comprehensive collection of agent workflow patterns and operational procedures.

Agent Workflow References:

• Agent Workflow References
  • References
• ToDo
  • Agent Design Patterns
  • Visualization Approaches by Pattern Type
  • Iterative Refinement Pattern
  • Additional Agent Workflow Patterns
  • Custom Agents
  • Workflow Agents
  • RAG Agent
• Project: ADK Bidirectional Streaming Application

MCP Tools Integration

Documentation for the Model Control Protocol (MCP) tools integration and reference guides for various security platforms.

MCP Tools Integration:

• Suggested New MCP Tools
• SOAR MCP Tools Reference
  • Available Tools
• SecOps MCP Tools Reference
  • Available Tools
• SCC MCP Tools Reference
  • Available Tools

Development and Planning

This section includes documents related to ongoing development, future planning, and suggestions for the ADK Runbooks project.

Development & Planning:

• Project Plan: Enhance LLM Agent Context