Google Cloud Security MCP Servers in Gemini CLI

  • June 25, 2025
  • 3 replies
  • 702 views

DanDye
Staff

Gemini CLI was launched this morning and I'm excited to share ways to use it with the MCP Servers for Google Cloud Security.

Configuration

MCP Servers in Gemini CLI are configured using the same JSON that we describe in MCP Server Configuration Reference. The mcpServers key is at the top-level along with the theme and selectedAuthType keys:

    ❯ head ~/.gemini/settings.json
    {
      "selectedAuthType": "gemini-api-key",
      "theme": "Dracula",
      "mcpServers": {
        "secops-mcp": {
          "command": "/Users/dandye/homebrew/bin/uv",
          ...

But I think everyone’s first question is, “Why would you want to use the command line?”

Imagine running a complex task like "Execute the Malware Incident Response Plan for SOAR Case 17347" by piping that prompt into the Gemini CLI:

How does Gemini understand and act on a multi-step command like this? Actions are made possible by the MCP Servers, which use the APIs for Google SecOps, Google Threat Intelligence, and Security Command Center. The multi-step workflows, like incident response plans, are defined by runbooks stored in the .gemini directory, which are always in context.

These runbooks provide the context and instructions necessary for Gemini to interpret and act on more complicated, multi-step instructions. 

Gemini CLI + Google Cloud Security MCP Servers + Runbooks = an agentic command line that performs Security Operations tasks. You can pipe in, pipe out, cron, and even run continuous integration. CLI FTW!

3 replies

Forum|alt.badge.img+1

This is nice ​@DanDye !

I have a couple of queries as I’m quite new to this.

  1. I have been exploring the Google SecOps MCP with Gemini CLI and Prebuilt ADK. Both work fine as chat agents which take my prompts to do the case triage. However, I'm wondering if this can be made into an autonomous workflow which basically starts an investigation when a new SOAR case is created and then takes actions based on the predefined prompts/runbook.
  2. What is the best way to handle the available tools in the MCP? For example, I would like to have tools to create insights, close a case, etc. Also, the current search_udm is limited to the hours_back arg, but in a real-world scenario, a custom start time and end time (e.g., 1 minute around the alert time) would be useful.

DanDye
Staff
  • Author
  • December 22, 2025

I find those autonomous workflows interesting too! They are described in the ADK docs at:

https://google.github.io/adk-docs/agents/workflow-agents/

 

You can invoke the agent on case creation with a SOAR Playbook. It is important to create a SOAR trigger that is initially VERY selective, so that you don’t have billing surprises from the tokens used by the agent.

 

For your second question, I like to describe sets of MCP Tools being used together in various scenarios using “runbooks”. I’ve got a collection of them in https://github.com/dandye/ai-runbooks and a reference implementation in ADK at https://github.com/dandye/adk_runbooks

 

That is good feedback on the search_udm MCP tool. The secops-wrapper SDK for the API does accept start/end time:
https://github.com/google/secops-wrapper/blob/3af294c70fb7332d9e4badd4374ba0830a583d03/src/secops/chronicle/search.py#L25

 

I think the challenge is with date formatting and that is sidestepped by using an integer like hours-back. We could most easily add a second param like search-window-hours that is also an integer and then convert both to Python datetime before calling the SDK. If you create an issue on http://github.com/google/mcp-security/, I will ensure that feature request gets prioritized in the backlog.

 

If you are up for the challenge, you can also fork the repo and extend it with your own custom MCP tool.
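
The integer-to-datetime conversion discussed in the reply above, together with the "1 minute around alert time" window from the question, as an added example that is not part of the original posts or the mcp-security code. The function names, the underscore spelling search_window_hours, the meaning given to that parameter (the window starts hours_back ago and lasts that many hours) and the clamping to the current time are assumptions.

```python
from datetime import datetime, timedelta, timezone


def _positive_int(name, value):
    # bool is a subclass of int, so reject it explicitly
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        raise ValueError(f"{name} must be a positive integer, got {value!r}")
    return value


def window_from_hours(hours_back, search_window_hours, now=None):
    """Return (start, end) in UTC for a window that starts hours_back ago
    and lasts search_window_hours (assumed semantics, see lead-in)."""
    now = now or datetime.now(timezone.utc)
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    start = now - timedelta(hours=_positive_int("hours_back", hours_back))
    length = timedelta(
        hours=_positive_int("search_window_hours", search_window_hours))
    end = min(start + length, now)  # never search into the future
    return start.astimezone(timezone.utc), end.astimezone(timezone.utc)


def window_around(alert_time, seconds_each_side=60):
    """Return (start, end) in UTC centred on an ISO 8601 alert timestamp."""
    text = alert_time.strip()
    if text.endswith(("Z", "z")):
        # datetime.fromisoformat() before Python 3.11 rejects a "Z" suffix
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        # A naive timestamp could be local time or UTC; guessing would
        # silently shift the window away from the alert
        raise ValueError("alert_time must carry a UTC offset")
    centre = parsed.astimezone(timezone.utc)
    pad = timedelta(
        seconds=_positive_int("seconds_each_side", seconds_each_side))
    return centre - pad, centre + pad


if __name__ == "__main__":
    # Constructed sample values, not taken from a real case
    fixed_now = datetime(2025, 12, 22, 12, 0, tzinfo=timezone.utc)
    print(window_from_hours(6, 2, now=fixed_now))
    print(window_around("2025-12-22T09:30:15+05:30"))
```

Either function returns a pair of timezone-aware UTC datetimes, which is the form a start/end time search call would take.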

 


Forum|alt.badge.img+1

Hi ​@DanDye , thanks for your response. Lemme go through the documentation you provided. Thanks a lot for adding the start and end time for the search tool.