soar

This skill automates security incident response by orchestrating workflows, integrating tools, and executing actions for blue-team operations. It handles tasks like alerting, enrichment, and remediation to streamline incident handling.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "soar" with this command: npx skills add alphaonedev/openclaw-graph/alphaonedev-openclaw-graph-soar


When to Use

Use this skill during active security incidents for rapid response, such as when detecting anomalies in logs, escalating threats, or automating containment. It's ideal for environments with high alert volumes where manual intervention is inefficient.

Key Capabilities

  • Orchestrate playbooks: Define and run multi-step workflows using YAML config files, e.g., a playbook for isolating compromised hosts.

  • Integrate with tools: Connect to SIEMs, firewalls, and threat intel via APIs, over REST and WebSocket interfaces.

  • Incident enrichment: Automatically fetch data from sources like VirusTotal or internal databases using predefined connectors.

  • Automation rules: Set up triggers based on conditions, e.g., if an alert matches a signature, execute a response.

  • Reporting: Generate summaries of executed actions and outcomes via JSON outputs.

Usage Patterns

To use this skill, first configure authentication via environment variables such as $SOAR_API_KEY. Then load playbooks from files or APIs and trigger them based on events; for example, have a monitoring tool call SOAR endpoints when it raises an alert. Always test playbooks in a staging environment before production, since containment actions such as blocking an IP or isolating a host are not easily undone. Common pattern: poll for incidents, evaluate conditions, and run actions sequentially.

Common Commands/API

Use the CLI for quick tasks or the API for programmatic access. Authentication requires $SOAR_API_KEY, sent as a Bearer token in the Authorization header of every request.

CLI Command: Run a playbook

soar run --playbook-id 123 --params '{"ip": "192.168.1.1"}'

This executes playbook ID 123 with custom parameters; output is JSON with status and results.

API Endpoint: Trigger playbook

POST https://api.openclaw.com/soar/playbooks/{id}/run

Headers: Authorization: Bearer $SOAR_API_KEY

Body: {"params": {"action": "isolate", "target": "host-01"}}

Response: 200 OK with JSON like {"status": "success", "details": {...}}.

CLI Command: Query incidents

soar list-incidents --filter "status=active" --limit 10

Filters incidents by status; use --output json for structured data.

API Endpoint: Get incidents

GET https://api.openclaw.com/soar/incidents?status=active&limit=10

Headers: Authorization: Bearer $SOAR_API_KEY

Response: Array of incident objects in JSON.

Config formats: Playbooks are defined in YAML, e.g.:

name: Isolate Host
steps:
  - action: block-ip
    params:
      ip: "{{params.ip}}"

Keep snippets under 4 lines; reference full docs for more.
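The playbook above is only a shape; what matters for safety is how "{{params.ip}}" is filled in and what happens when a step fails. The following is an added example, not code from the soar skill or its repository: it validates a playbook in that shape (a stand-in for soar validate), renders placeholders with plain string substitution rather than a template engine, and runs the steps in order, stopping at the first failure. The playbook is written as the dict that yaml.safe_load() would return so the example runs without PyYAML. The step handler, the handler registry and the result format are assumptions.

```python
import re
from typing import Any, Callable, Dict, List, Set

# What yaml.safe_load() returns for the page's "Isolate Host" playbook,
# written as a dict literal so this runs without PyYAML installed.
ISOLATE_HOST: Dict[str, Any] = {
    "name": "Isolate Host",
    "steps": [
        {"action": "block-ip", "params": {"ip": "{{params.ip}}"}},
    ],
}

# Only the narrow "{{params.<name>}}" form is honoured. There is no expression
# engine behind it, so a hostile parameter value can never become code.
PLACEHOLDER = re.compile(r"\{\{\s*params\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def render(value: Any, params: Dict[str, Any]) -> Any:
    """Substitute placeholders in strings; recurse into dicts and lists."""
    if isinstance(value, str):
        def sub(match):
            name = match.group(1)
            if name not in params:
                raise KeyError(f"missing playbook parameter: {name}")
            return str(params[name])
        return PLACEHOLDER.sub(sub, value)
    if isinstance(value, dict):
        return {k: render(v, params) for k, v in value.items()}
    if isinstance(value, list):
        return [render(v, params) for v in value]
    return value


def referenced_params(value: Any) -> Set[str]:
    """Every params.<name> a (sub)structure refers to."""
    found: Set[str] = set()
    if isinstance(value, str):
        found.update(PLACEHOLDER.findall(value))
    elif isinstance(value, dict):
        for v in value.values():
            found |= referenced_params(v)
    elif isinstance(value, list):
        for v in value:
            found |= referenced_params(v)
    return found


def validate_playbook(playbook: Dict[str, Any], params: Dict[str, Any],
                      handlers: Dict[str, Callable]) -> List[str]:
    """Static checks in the spirit of `soar validate`; returns the problems found."""
    errors: List[str] = []
    if not isinstance(playbook.get("name"), str) or not playbook["name"]:
        errors.append("playbook needs a non-empty name")
    steps = playbook.get("steps")
    if not isinstance(steps, list) or not steps:
        errors.append("playbook needs a non-empty steps list")
        return errors
    for i, step in enumerate(steps):
        if not isinstance(step, dict):
            errors.append(f"step {i}: must be a mapping")
            continue
        action = step.get("action")
        if not action:
            errors.append(f"step {i}: missing action")
        elif action not in handlers:
            errors.append(f"step {i}: unknown action {action!r}")
        for name in sorted(referenced_params(step.get("params", {}))):
            if name not in params:
                errors.append(f"step {i}: parameter {name!r} not supplied")
    return errors


def run_playbook(playbook: Dict[str, Any], params: Dict[str, Any],
                 handlers: Dict[str, Callable]) -> Dict[str, Any]:
    """Validate, then execute steps in order, stopping at the first failure."""
    errors = validate_playbook(playbook, params, handlers)
    if errors:
        return {"status": "invalid", "errors": errors, "results": []}
    results: List[Dict[str, Any]] = []
    for step in playbook["steps"]:
        rendered = render(step.get("params", {}), params)
        outcome = handlers[step["action"]](rendered)
        results.append({"action": step["action"], "params": rendered, **outcome})
        if outcome.get("status") != "success":
            return {"status": "failed", "errors": [], "results": results}
    return {"status": "success", "errors": [], "results": results}


# Constructed handler standing in for a real firewall connector.
def block_ip(p: Dict[str, Any]) -> Dict[str, Any]:
    return {"status": "success", "detail": f"blocked {p['ip']}"}


HANDLERS: Dict[str, Callable] = {"block-ip": block_ip}

if __name__ == "__main__":
    print(run_playbook(ISOLATE_HOST, {"ip": "192.168.1.1"}, HANDLERS))
```

Validation runs before the first step executes, so a playbook that references a parameter the caller did not supply never gets as far as blocking anything.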

Integration Notes

Integrate SOAR by setting up webhooks or API calls. For example, export $SOAR_API_KEY and use it in scripts:

export SOAR_API_KEY=your_api_key_here
curl -X POST https://api.openclaw.com/soar/webhooks -H "Authorization: Bearer $SOAR_API_KEY" -H "Content-Type: application/json" -d '{"event": "alert", "data": {...}}'

Common integrations: link with SIEM tools like Splunk via HTTP endpoints, or with databases for enrichment. Ensure TLS is enabled for all connections, and keep the API key in the environment rather than in scripts, URLs, or connector files. For custom connectors, provide a JSON config file, e.g., {"type": "rest", "endpoint": "https://example.com/api"}.
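A connector config is the one place where the TLS requirement can be enforced mechanically before anything connects. The following is an added example, not part of the soar skill: it parses a JSON connector file of the form shown above and refuses any endpoint that is not https, has no host, or carries credentials in the URL. The allowed type set, the secret field names it rejects, and the sample configs are assumptions or constructed for the example.

```python
import json
from typing import Any, Dict, List
from urllib.parse import urlsplit

ALLOWED_TYPES = {"rest"}  # the page shows "rest"; other types are an assumption
SECRET_FIELDS = ("api_key", "token", "password")  # assumed field names


def validate_connector(config: Dict[str, Any]) -> List[str]:
    """Return the problems found in a connector config (empty list = accepted)."""
    errors: List[str] = []
    ctype = config.get("type")
    if ctype not in ALLOWED_TYPES:
        errors.append(f"unsupported connector type: {ctype!r}")
    endpoint = config.get("endpoint")
    if not isinstance(endpoint, str) or not endpoint:
        errors.append("endpoint is required")
        return errors
    parts = urlsplit(endpoint)
    if parts.scheme != "https":
        errors.append(f"endpoint must use https, got {parts.scheme or 'no scheme'!r}")
    if not parts.hostname:
        errors.append("endpoint has no host")
    if parts.username or parts.password:
        errors.append("endpoint must not embed credentials; use $SOAR_API_KEY or a secret store")
    for key in SECRET_FIELDS:
        if key in config:
            errors.append(f"secret field {key!r} belongs in the environment, not the config file")
    return errors


def connector_errors(text: str) -> List[str]:
    """Parse a JSON config file body and validate it."""
    return validate_connector(json.loads(text))


def load_connector(text: str) -> Dict[str, Any]:
    """Parse and validate; never hand back a config that failed a check."""
    config = json.loads(text)
    errors = validate_connector(config)
    if errors:
        raise ValueError("; ".join(errors))
    return config


# Constructed sample configs.
GOOD = '{"type": "rest", "endpoint": "https://example.com/api"}'
PLAINTEXT = '{"type": "rest", "endpoint": "http://example.com/api"}'
LEAKY = '{"type": "rest", "endpoint": "https://svc:hunter2@example.com/api"}'

if __name__ == "__main__":
    for sample in (GOOD, PLAINTEXT, LEAKY):
        print(sample, "->", connector_errors(sample) or "ok")
```

Run the check at load time rather than at first use, so a misconfigured connector is rejected during deployment and not in the middle of an incident.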

Error Handling

Handle errors by checking HTTP status codes or CLI exit codes. Common errors: 401 Unauthorized (fix by verifying $SOAR_API_KEY), 404 Not Found (check the playbook ID), or invalid YAML (validate with soar validate --file playbook.yaml). In code, wrap API calls in try/except blocks:

import os
import requests

try:
    response = requests.post(
        'https://api.openclaw.com/soar/playbooks/123/run',
        headers={'Authorization': f'Bearer {os.environ["SOAR_API_KEY"]}'},
        timeout=30,  # never let a SOAR call hang the response loop
    )
    response.raise_for_status()  # raises HTTPError for any 4xx/5xx
except requests.exceptions.HTTPError as e:
    print(f"Error: {e.response.status_code} - {e.response.text}")

Log errors with timestamps, and retry only transient failures (timeouts, 429, 5xx) up to 3 times; a 401 or 404 will not succeed on retry and should fail immediately.
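The retry rule above is easy to get wrong in the other direction: a loop that retries everything will hammer the API with a bad key. The following is an added example, not the skill's own code, showing the split between transient and fatal errors with exponential backoff and timestamped logging. The transport is a callable that returns the parsed JSON or raises; the two transports at the bottom are constructed for the demonstration, and the SoarHTTPError class and the sleep hook are assumptions of this example.

```python
import logging
import random
import time
from typing import Any, Callable, Dict

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
log = logging.getLogger("soar")


class SoarHTTPError(Exception):
    """Raised by the transport for any non-2xx response."""
    def __init__(self, status: int, body: str = ""):
        super().__init__(f"HTTP {status}: {body[:200]}")
        self.status = status
        self.body = body


TRANSIENT = {408, 429, 500, 502, 503, 504}
FATAL_HINTS = {401: "verify $SOAR_API_KEY", 403: "key lacks permission",
               404: "check the playbook ID", 400: "request body or YAML invalid"}


def is_transient(exc: BaseException) -> bool:
    if isinstance(exc, SoarHTTPError):
        return exc.status in TRANSIENT
    return isinstance(exc, (ConnectionError, TimeoutError))


def call_with_retry(send: Callable[[], Dict[str, Any]], max_attempts: int = 3,
                    base_delay: float = 0.5,
                    sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Run send(); retry transient failures with backoff, re-raise everything else."""
    for attempt in range(1, max_attempts + 1):
        try:
            return send()
        except Exception as exc:
            last = attempt == max_attempts
            if not is_transient(exc) or last:
                hint = FATAL_HINTS.get(getattr(exc, "status", None), "")
                log.error("attempt %d failed, giving up: %s %s", attempt, exc, hint)
                raise
            delay = base_delay * 2 ** (attempt - 1) + random.uniform(0, 0.1)
            log.warning("attempt %d failed (%s); retrying in %.2fs", attempt, exc, delay)
            sleep(delay)
    raise RuntimeError("unreachable")


def outcome(send: Callable[[], Dict[str, Any]], **kwargs) -> Dict[str, Any]:
    """Summarise a call for inspection: the result, or the status it died with."""
    try:
        return {"ok": True, "result": call_with_retry(send, **kwargs)}
    except SoarHTTPError as exc:
        return {"ok": False, "status": exc.status}


# Constructed transports; a real one would POST to /soar/playbooks/{id}/run.
class FlakyTransport:
    """Fails `failures` times with 503, then succeeds."""
    def __init__(self, failures: int):
        self.failures, self.calls = failures, 0

    def __call__(self) -> Dict[str, Any]:
        self.calls += 1
        if self.calls <= self.failures:
            raise SoarHTTPError(503, "upstream busy")
        return {"status": "success", "details": {"attempts": self.calls}}


class UnauthorizedTransport:
    """Always 401: must not be retried (it cannot succeed and may lock the key)."""
    def __init__(self):
        self.calls = 0

    def __call__(self) -> Dict[str, Any]:
        self.calls += 1
        raise SoarHTTPError(401, "bad token")


def no_wait(_seconds: float) -> None:
    """Sleep replacement so the demonstration runs instantly."""


if __name__ == "__main__":
    print(outcome(FlakyTransport(2), sleep=no_wait))   # succeeds on attempt 3
    print(outcome(FlakyTransport(5), sleep=no_wait))   # gives up after 3
    print(outcome(UnauthorizedTransport(), sleep=no_wait))  # fails on attempt 1
```

The jitter added to each delay keeps a fleet of workers from retrying in lockstep against a SOAR that is already overloaded.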

Concrete Usage Examples

Automate Incident Response for a Suspicious Login:

First, set $SOAR_API_KEY. Then run:

soar run --playbook-id 456 --params '{"user": "admin", "ip": "10.0.0.1"}'

This triggers a playbook to block the IP and notify the team via email. Monitor output for success.

Enrich and Escalate an Alert:

Use API to query and act:

curl -H "Authorization: Bearer $SOAR_API_KEY" https://api.openclaw.com/soar/incidents?severity=high

Parse the response, then POST to run enrichment (the same Bearer header is required here too):

curl -X POST https://api.openclaw.com/soar/playbooks/789/run -H "Authorization: Bearer $SOAR_API_KEY" -H "Content-Type: application/json" -d '{"params": {"incident_id": "12345"}}'

This fetches high-severity incidents and enriches them, e.g., checking against threat feeds.
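The two examples above and the poll-evaluate-act pattern from Usage Patterns are the same loop seen from different sides. The following is an added example, not code from the soar skill: it lists active incidents, decides per incident whether to run the suspicious-login playbook (456) or the enrichment playbook (789) using the endpoints this page documents, and remembers what it has already acted on so an incident that stays active across polls is not blocked or escalated twice. The incident field names (id, type, severity, user, source_ip), the decision rules, and the in-memory FakeApi and sample incidents are assumptions or constructed for the example; http_send is the real transport you would pass instead.

```python
import json
import os
import urllib.request
from typing import Any, Dict, List, Optional, Tuple

API_BASE = "https://api.openclaw.com/soar"  # from this page


def http_send(method: str, url: str, body: Optional[Dict[str, Any]] = None) -> Any:
    """Real transport: Bearer auth from $SOAR_API_KEY, JSON in and out."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {os.environ['SOAR_API_KEY']}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def decide(incident: Dict[str, Any]) -> Optional[Tuple[int, Dict[str, Any]]]:
    """Evaluate one incident: (playbook_id, params) to run, or None to leave it."""
    if incident.get("type") == "suspicious_login":          # assumed field/value
        return 456, {"user": incident["user"], "ip": incident["source_ip"]}
    if incident.get("severity") == "high":
        return 789, {"incident_id": str(incident["id"])}
    return None


class Responder:
    def __init__(self, send):
        self.send = send
        # Playbooks have side effects (blocking, notifying), so an incident that
        # is still "active" on the next poll must not trigger them a second time.
        self.handled = set()

    def poll_once(self, limit: int = 10) -> List[Dict[str, Any]]:
        incidents = self.send("GET", f"{API_BASE}/incidents?status=active&limit={limit}")
        actions = []
        for inc in incidents:
            if inc["id"] in self.handled:
                continue
            decision = decide(inc)
            if decision is None:
                continue
            playbook_id, params = decision
            result = self.send("POST", f"{API_BASE}/playbooks/{playbook_id}/run",
                               {"params": params})
            self.handled.add(inc["id"])
            actions.append({"incident_id": inc["id"], "playbook_id": playbook_id,
                            "status": result.get("status")})
        return actions


class FakeApi:
    """Constructed in-memory stand-in for the API so the loop runs offline."""
    def __init__(self, incidents: List[Dict[str, Any]]):
        self.incidents = incidents
        self.runs: List[Tuple[str, Dict[str, Any]]] = []

    def __call__(self, method: str, url: str, body: Optional[Dict[str, Any]] = None) -> Any:
        if method == "GET" and "/incidents" in url:
            return self.incidents
        if method == "POST" and "/playbooks/" in url:
            self.runs.append((url.rsplit("/", 2)[-2], body["params"]))
            return {"status": "success", "details": {}}
        raise ValueError(f"unexpected call {method} {url}")


# Constructed incidents using the assumed field names.
SAMPLE = [
    {"id": 12345, "type": "suspicious_login", "severity": "medium",
     "user": "admin", "source_ip": "10.0.0.1"},
    {"id": 12346, "type": "malware", "severity": "high"},
    {"id": 12347, "type": "portscan", "severity": "low"},
]

if __name__ == "__main__":
    api = FakeApi(SAMPLE)          # pass http_send instead to talk to the real service
    responder = Responder(api)
    print(responder.poll_once())   # acts on 12345 and 12346
    print(responder.poll_once())   # [] : nothing new to do
```

Keeping the decision logic in decide() as a pure function means the rules can be unit-tested against captured incidents without ever hitting the SOAR API, which is the staging discipline Usage Patterns asks for.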

Graph Relationships

  • Related to: blue-team cluster (e.g., skills like 'threat-detection' for input data, 'incident-response' for follow-up actions).

  • Depends on: authentication services for API keys.

  • Integrates with: external tools via APIs, such as SIEM systems for event triggers.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Related Skills

Related by shared tags or category signals.

Security: iot-security
No summary provided by upstream source.
Trust labels: Repository Source, Needs Review

Security: macos-security
No summary provided by upstream source.
Trust labels: Repository Source, Needs Review

Security: testing-security
No summary provided by upstream source.
Trust labels: Repository Source, Needs Review