Suggested New MCP Tools

Based on the current toolsets for SecOps (SIEM), SOAR, GTI, and SCC, and considering the workflows outlined in the runbooks and personas, here are some potential new MCP tools that could significantly enhance the agent’s (and analysts’) capabilities:

1. SecOps MCP (secops-mcp - Chronicle SIEM Direct Interaction):

  • Rule Management Suite:

    • create_detection_rule: To programmatically create new detection rules (e.g., YARA-L) based on investigation findings or threat intelligence. (Supports Security Engineer/Tier 3 Analyst).

    • update_detection_rule: To modify existing rules (e.g., tuning logic, adjusting thresholds).

    • enable_detection_rule / disable_detection_rule: To manage the active state of rules.

    • get_rule_version_history: To track changes made to a specific rule.

  • Reference List Management Suite:

    • add_to_reference_list: Direct SIEM interaction to add items (IPs, domains, hashes) to a specified list (complementing the SOAR action).

    • remove_from_reference_list: Direct SIEM interaction to remove items.

    • get_reference_list_contents: To retrieve all items currently in a specific reference list for verification or analysis.

  • Retrohunt Management Suite:

    • start_retrohunt: To initiate a retrohunt based on a rule ID or YARA-L content over a specified time range.

    • get_retrohunt_status: To check the progress of an ongoing retrohunt.

    • get_retrohunt_results: To retrieve the findings of a completed retrohunt.

  • Enhanced Context Tools:

    • get_asset_details: Retrieve comprehensive asset information directly from Chronicle’s asset model (beyond basic lookup_entity).

    • get_user_details: Retrieve comprehensive user information directly from Chronicle’s user model.

  • UDM Query Helper:

    • validate_udm_query: Check the syntax and field validity of a UDM query before execution.

    • suggest_udm_fields: Based on keywords or event types, suggest relevant UDM fields for querying.

2. SOAR MCP (secops-soar - Chronicle SOAR Orchestration):

  • Playbook Management Suite:

    • list_playbooks: List available SOAR playbooks.

    • get_playbook_details: Retrieve the definition or steps of a specific playbook.

    • trigger_playbook: Manually trigger a specific playbook for a case or alert.

    • get_playbook_run_status: Check the status and step execution of an active playbook instance.

  • Integration Management:

    • list_soar_integrations: List configured integrations within the SOAR platform.

    • test_soar_integration: Run a connectivity test for a specific integration.

  • Enhanced Attachment Handling:

    • get_case_attachments: List or retrieve files attached to a SOAR case.

    • add_attachment_from_content: Allow attaching content directly (e.g., report text generated by the agent) without needing a pre-existing file path.

  • Advanced Case Linking:

    • find_related_cases: Search for other SOAR cases explicitly linked by shared entities (IP, hash, user), alerts, or IOCs beyond the standard similarity check.

3. GTI MCP (gti-mcp - Google Threat Intelligence):

  • Bulk Enrichment Suite:

    • bulk_get_ip_reports: Input a list of IP addresses, get back a list of corresponding reports.

    • bulk_get_domain_reports: Similar for domains.

    • bulk_get_file_reports: Similar for file hashes.

  • Rule Generation Helper:

    • generate_yara_from_hash: Suggest YARA rules based on analysis of a given file hash.

    • generate_yara_from_family: Suggest YARA rules based on a known malware family report/collection.

  • Threat Profile Management:

    • create_threat_profile: Programmatically create a new threat profile.

    • update_threat_profile: Modify settings (regions, industries) or followed items for a profile.

    • follow_collection_in_profile: Add a specific collection (actor, malware) to a threat profile.

  • Direct Submission:

    • submit_url_for_analysis: Submit a URL to GTI for scanning/analysis.

    • submit_hash_for_information: Request information on a hash even if a full report isn’t immediately available (check if seen/submitted).

4. SCC MCP (scc-mcp - Security Command Center):

  • Generic Finding Search:

    • search_scc_findings: A flexible tool to search findings with filters for category, severity, state, resource type, project ID, time range, etc.

  • Finding State Management:

    • mute_scc_finding: Mute a specific finding with a reason.

    • unmute_scc_finding: Unmute a finding.

    • update_finding_state: Change the state of a finding (e.g., to FIXED).

  • Asset Inventory:

    • list_scc_assets: Query SCC’s view of cloud assets, with filtering by type, project, labels, etc.

  • Security Marks Management:

    • add_security_marks: Add key-value marks to findings or assets.

    • update_security_marks: Modify existing marks.

  • Posture Details:

    • get_posture_details: Query the status or configuration of specific Security Health Analytics detectors or compliance standards.

These suggested tools aim to fill gaps in automation, provide deeper context, enable more direct management of security configurations (like rules and lists), and streamline common analyst workflows identified in the runbooks.