jpskill.com
🛠️ Development / MCP Community

soar

Implements Security Orchestration, Automation, and Response for blue-team incident handling.

⚡ Recommended: install with a single command (60 seconds)

Copy the command below and paste it into a terminal (Mac/Linux) or PowerShell (Windows). Download → extract → placement is fully automatic.

🍎 Mac / 🐧 Linux
mkdir -p ~/.claude/skills && cd ~/.claude/skills && curl -L -o soar.zip https://jpskill.com/download/22047.zip && unzip -o soar.zip && rm soar.zip
🪟 Windows (PowerShell)
$d = "$env:USERPROFILE\.claude\skills"; ni -Force -ItemType Directory $d | Out-Null; iwr https://jpskill.com/download/22047.zip -OutFile "$d\soar.zip"; Expand-Archive "$d\soar.zip" -DestinationPath $d -Force; ri "$d\soar.zip"

Once it finishes, restart Claude Code → then just talk to it as usual, for example "write a video prompt", and the skill activates automatically.

💾 Manual download (for those who find the command difficult)
  1. Press the blue button below to download soar.zip
  2. Double-click the ZIP file to extract it → a soar folder appears
  3. Move that folder to C:\Users\<your name>\.claude\skills\ (Windows) or ~/.claude/skills/ (Mac)
  4. Restart Claude Code

⚠️ Download and use at your own risk. This site accepts no responsibility for the content, behavior, or safety of the skill.

🎯 What this Skill can do

The description below explains what this Skill will do for you. When you give Claude a request in this area, it activates automatically.

📦 Installation (3 steps)

  1. Press the "Download" button above to get the .skill file
  2. Rename the file extension from .skill to .zip and extract it (macOS can extract it automatically)
  3. Place the extracted folder in .claude/skills/ under your home folder
    • macOS / Linux: ~/.claude/skills/
    • Windows: %USERPROFILE%\.claude\skills\

Restart Claude Code and you are done. You do not need to say "use this Skill…"; it is invoked automatically for related requests.

Last updated: 2026-05-18
Retrieved: 2026-05-18
Bundled files: 1
📖 Original SKILL.md as read by Claude

The text below is the original (English or Chinese) that the AI (Claude) reads. Japanese translations are being added progressively.

soar

Purpose

This skill automates security incident response by orchestrating workflows, integrating tools, and executing actions for blue-team operations. It handles tasks like alerting, enrichment, and remediation to streamline incident handling.

When to Use

Use this skill during active security incidents for rapid response, such as when detecting anomalies in logs, escalating threats, or automating containment. It's ideal for environments with high alert volumes where manual intervention is inefficient.

Key Capabilities

  • Orchestrate playbooks: Define and run multi-step workflows using YAML config files, e.g., a playbook for isolating compromised hosts.
  • Integrate with tools: Connect to SIEMs, firewalls, and threat intel via APIs, supporting protocols like REST and WebSockets.
  • Incident enrichment: Automatically fetch data from sources like VirusTotal or internal databases using predefined connectors.
  • Automation rules: Set up triggers based on conditions, e.g., if an alert matches a signature, execute a response.
  • Reporting: Generate summaries of executed actions and outcomes via JSON outputs.

Usage Patterns

To use this skill, first configure authentication via environment variables like $SOAR_API_KEY. Then, load playbooks from files or APIs and trigger them based on events. For example, integrate with a monitoring tool to call SOAR endpoints on alerts. Always test playbooks in a staging environment before production. Common pattern: Poll for incidents, evaluate conditions, and run actions sequentially.

Common Commands/API

Use the CLI for quick tasks or the API for programmatic access. Authentication requires $SOAR_API_KEY in requests.

  • CLI Command: Run a playbook
    soar run --playbook-id 123 --params '{"ip": "192.168.1.1"}'
    This executes playbook ID 123 with custom parameters; output is JSON with status and results.

  • API Endpoint: Trigger playbook
    POST https://api.openclaw.com/soar/playbooks/{id}/run
    Headers: Authorization: Bearer $SOAR_API_KEY
    Body: {"params": {"action": "isolate", "target": "host-01"}}
    Response: 200 OK with JSON like {"status": "success", "details": {...}}.

  • CLI Command: Query incidents
    soar list-incidents --filter "status=active" --limit 10
    Filters incidents by status; use --output json for structured data.

  • API Endpoint: Get incidents
    GET https://api.openclaw.com/soar/incidents?status=active&limit=10
    Headers: Authorization: Bearer $SOAR_API_KEY
    Response: Array of incident objects in JSON.

Config formats: Playbooks are defined in YAML, e.g.:

name: Isolate Host
steps:
  - action: block-ip
    params:
      ip: "{{params.ip}}"

Keep snippets under 4 lines; reference full docs for more.
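As an added example (not the soar skill's own code), the following loads a playbook of the YAML shape shown above, renders the "{{params.ip}}" placeholder from run-time parameters, and validates it before anything runs, which is the kind of pre-flight check a `soar validate` pass would cover. The playbook is embedded as the dict that yaml.safe_load() would produce, so no YAML library is needed; KNOWN_ACTIONS is an assumed list, not the product's real action catalogue.

```python
# Added example, not part of the soar skill: validate and render a playbook.
# ISOLATE_HOST mirrors the "Isolate Host" YAML on the page; KNOWN_ACTIONS is
# an assumption standing in for whatever the real backend supports.
import re
from typing import Dict, List, Set

ISOLATE_HOST = {
    "name": "Isolate Host",
    "steps": [
        {"action": "block-ip", "params": {"ip": "{{params.ip}}"}},
    ],
}

KNOWN_ACTIONS = {"block-ip", "isolate-host", "notify"}  # assumed action names

# A placeholder must be the *whole* value, so a caller can only fill a slot,
# never splice extra text into an action name or a neighbouring field.
PLACEHOLDER = re.compile(r"^\{\{\s*params\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}$")


def validate_playbook(playbook: dict) -> List[str]:
    """Return a list of problems; an empty list means the playbook is valid."""
    errors: List[str] = []
    if not playbook.get("name"):
        errors.append("playbook has no name")
    steps = playbook.get("steps")
    if not isinstance(steps, list) or not steps:
        return errors + ["playbook has no steps"]
    for i, step in enumerate(steps):
        action = step.get("action")
        if action not in KNOWN_ACTIONS:
            errors.append(f"step {i}: unknown action {action!r}")
        for key, value in (step.get("params") or {}).items():
            if isinstance(value, str) and "{{" in value and not PLACEHOLDER.match(value):
                errors.append(f"step {i}: malformed placeholder in {key!r}: {value!r}")
    return errors


def required_params(playbook: dict) -> Set[str]:
    """Names referenced as {{params.<name>}} anywhere in the playbook."""
    names: Set[str] = set()
    for step in playbook["steps"]:
        for value in (step.get("params") or {}).values():
            m = PLACEHOLDER.match(value) if isinstance(value, str) else None
            if m:
                names.add(m.group(1))
    return names


def render_playbook(playbook: dict, params: Dict[str, str]) -> List[dict]:
    """Validate, check every referenced param is supplied, then substitute values."""
    problems = validate_playbook(playbook)
    if problems:
        raise ValueError("; ".join(problems))
    missing = required_params(playbook) - set(params)
    if missing:
        raise ValueError(f"missing params: {sorted(missing)}")
    rendered = []
    for step in playbook["steps"]:
        out = {}
        for key, value in (step.get("params") or {}).items():
            m = PLACEHOLDER.match(value) if isinstance(value, str) else None
            out[key] = params[m.group(1)] if m else value
        rendered.append({"action": step["action"], "params": out})
    return rendered


if __name__ == "__main__":
    print(render_playbook(ISOLATE_HOST, {"ip": "192.168.1.1"}))
```

Rendering only whole-value placeholders keeps the parameter boundary intact: the value of `ip` is whatever the caller passed, but the caller cannot change which action runs or add fields the playbook author did not define.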

Integration Notes

Integrate SOAR by setting up webhooks or API calls. For example, export $SOAR_API_KEY and use it in scripts:

export SOAR_API_KEY=your_api_key_here
curl -X POST https://api.openclaw.com/soar/webhooks -H "Authorization: Bearer $SOAR_API_KEY" -d '{"event": "alert", "data": {...}}'

Common integrations: Link with SIEM tools like Splunk via HTTP endpoints, or databases for enrichment. Ensure TLS is enabled for all connections. For custom connectors, provide a JSON config file, e.g., {"type": "rest", "endpoint": "https://example.com/api"}.

Error Handling

Handle errors by checking HTTP status codes or CLI exit codes. Common errors: 401 Unauthorized (fix by verifying $SOAR_API_KEY), 404 Not Found (check the playbook ID), or invalid YAML (validate with soar validate --file playbook.yaml). In code, wrap API calls in try/except blocks:

import os
import requests

try:
    # The bearer token is read from the environment rather than hard-coded.
    response = requests.post('https://api.openclaw.com/soar/playbooks/123/run',
                             headers={'Authorization': f'Bearer {os.environ["SOAR_API_KEY"]}'},
                             timeout=10)
    response.raise_for_status()  # raises HTTPError on 4xx/5xx responses
except requests.exceptions.HTTPError as e:
    print(f"Error: {e.response.status_code} - {e.response.text}")

Log errors with timestamps and retry transient failures up to 3 times.
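The error-handling rules in this section, as an added example rather than the soar skill's own code: a retry wrapper that treats 401/404-style responses as permanent, retries transient failures (429, 5xx, connection errors) up to 3 times with backoff, and logs every attempt with a timestamp. The request function is injected so the example runs offline against canned responses; in real use it would wrap the requests.post call shown above. MAX_RETRIES, the status-code classes and the backoff schedule are choices made here, not documented product behaviour.

```python
# Added example, not part of the soar skill: retry transient API failures
# up to 3 times with timestamped logging, and fail fast on permanent errors.
import logging
import time
from typing import Callable, Tuple

logging.basicConfig(level=logging.INFO,
                    format="%(asctime)s %(levelname)s %(message)s")  # timestamped
log = logging.getLogger("soar")

MAX_RETRIES = 3                               # "retry ... up to 3 times" from the page
PERMANENT = {400, 401, 403, 404, 422}         # assumed: retrying cannot fix these


class SoarError(Exception):
    def __init__(self, status: int, body: str):
        super().__init__(f"HTTP {status}: {body}")
        self.status = status


def is_transient(status: int) -> bool:
    """Rate limiting and server-side errors are worth a retry; status 0 is a
    connection failure mapped below."""
    return status == 0 or status == 429 or 500 <= status < 600


def call_with_retry(request: Callable[[], Tuple[int, str]],
                    sleep: Callable[[float], None] = time.sleep) -> Tuple[int, str]:
    """Run `request` (returns (status, body) or raises ConnectionError) and
    retry transient failures at most MAX_RETRIES times with exponential backoff."""
    attempt = 0
    while True:
        attempt += 1
        try:
            status, body = request()
        except ConnectionError as exc:
            status, body = 0, str(exc)        # network failure: treated as transient
        if status == 200:
            return status, body
        if status in PERMANENT or not is_transient(status):
            log.error("attempt %d: permanent failure HTTP %s: %s", attempt, status, body)
            raise SoarError(status, body)
        if attempt > MAX_RETRIES:
            log.error("giving up after %d retries: HTTP %s", MAX_RETRIES, status)
            raise SoarError(status, body)
        delay = 0.5 * (2 ** (attempt - 1))    # 0.5s, 1s, 2s
        log.warning("attempt %d: transient failure HTTP %s, retrying in %.1fs",
                    attempt, status, delay)
        sleep(delay)


def make_flaky(responses):
    """Constructed stand-in for the API: hands out canned responses in order
    and counts calls, so the retry behaviour can be checked offline."""
    queue = list(responses)

    def request():
        request.calls += 1
        item = queue.pop(0)
        if isinstance(item, Exception):
            raise item
        return item

    request.calls = 0
    return request


def demo_recovers() -> Tuple[int, str]:
    req = make_flaky([(503, "busy"), ConnectionError("reset"), (200, '{"status":"success"}')])
    return call_with_retry(req, sleep=lambda s: None)


def demo_permanent() -> int:
    req = make_flaky([(401, "Unauthorized")])
    try:
        call_with_retry(req, sleep=lambda s: None)
    except SoarError as exc:
        return exc.status
    return -1


def demo_exhausted() -> Tuple[int, int]:
    """Four 503s in a row: the initial attempt plus 3 retries, then give up."""
    req = make_flaky([(503, "busy")] * 4)
    try:
        call_with_retry(req, sleep=lambda s: None)
    except SoarError as exc:
        return exc.status, req.calls
    return -1, req.calls


if __name__ == "__main__":
    print(demo_recovers(), demo_permanent(), demo_exhausted())
```

Failing fast on 401 matters: retrying an authentication error three times only delays the fix (checking $SOAR_API_KEY) and adds noise to the authentication logs.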

Concrete Usage Examples

  1. Automate Incident Response for a Suspicious Login:
    First, set $SOAR_API_KEY. Then, run:
    soar run --playbook-id 456 --params '{"user": "admin", "ip": "10.0.0.1"}'
    This triggers a playbook to block the IP and notify the team via email. Monitor output for success.

  2. Enrich and Escalate an Alert:
    Use API to query and act:

    curl -H "Authorization: Bearer $SOAR_API_KEY" https://api.openclaw.com/soar/incidents?severity=high
    # Parse the response, then POST to run enrichment (the Authorization header is required here too):
    curl -X POST https://api.openclaw.com/soar/playbooks/789/run -H "Authorization: Bearer $SOAR_API_KEY" -H "Content-Type: application/json" -d '{"params": {"incident_id": "12345"}}'

    This fetches high-severity incidents and enriches them, e.g., checking against threat feeds.
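The "poll for incidents, evaluate conditions, run actions sequentially" pattern from Usage Patterns, and this enrich-and-escalate example in particular, as one added example (not the soar skill's own code). The host api.openclaw.com, the /incidents and /playbooks/{id}/run paths, the bearer-token header, the "status"/"severity" fields and playbook 789 are taken from this page; the transport interface, the "enriched" flag and the sample incident data are constructed here so the example runs offline against canned data instead of a live API.

```python
# Added example, not part of the soar skill: one poll -> evaluate -> run cycle
# over the API shape described on the page, with an injectable transport.
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

API_BASE = "https://api.openclaw.com/soar"   # base URL as shown on the page

# A transport takes (method, url, headers, body) and returns (status, decoded JSON).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, object]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, object]:
    """Stdlib HTTPS transport; the https:// base keeps every call on TLS."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


class SoarClient:
    """Minimal client for the two endpoints the page documents."""

    def __init__(self, api_key: str, transport: Transport = urllib_transport):
        if not api_key:
            raise ValueError("SOAR_API_KEY is not set")
        self._headers = {"Authorization": f"Bearer {api_key}",
                         "Content-Type": "application/json"}
        self._send = transport

    def list_incidents(self, **filters) -> List[dict]:
        url = f"{API_BASE}/incidents?{urllib.parse.urlencode(filters)}"
        status, body = self._send("GET", url, self._headers, None)
        if status != 200:
            raise RuntimeError(f"list_incidents failed: HTTP {status}")
        return body

    def run_playbook(self, playbook_id: int, params: dict) -> dict:
        payload = json.dumps({"params": params}).encode("utf-8")
        url = f"{API_BASE}/playbooks/{playbook_id}/run"
        status, body = self._send("POST", url, self._headers, payload)
        if status != 200:
            raise RuntimeError(f"run_playbook {playbook_id} failed: HTTP {status}")
        return body


def needs_enrichment(incident: dict) -> bool:
    """Evaluate step: high severity and not yet enriched (assumed flag), so
    polling the same incident again does not re-run the playbook."""
    return incident.get("severity") == "high" and not incident.get("enriched", False)


def poll_and_respond(client: SoarClient, enrichment_playbook: int = 789) -> List[dict]:
    """One cycle: fetch active incidents, evaluate each, run actions sequentially.
    Returns a per-incident summary in the spirit of the page's JSON reporting."""
    summary = []
    for inc in client.list_incidents(status="active", limit=10):
        if not needs_enrichment(inc):
            summary.append({"incident_id": inc["id"], "action": "skipped"})
            continue
        result = client.run_playbook(enrichment_playbook, {"incident_id": inc["id"]})
        summary.append({"incident_id": inc["id"], "action": "enriched",
                        "status": result.get("status")})
    return summary


# Constructed sample incidents (not real data) served by the offline transport.
SAMPLE_INCIDENTS = [
    {"id": "12345", "severity": "high", "enriched": False},
    {"id": "12346", "severity": "low", "enriched": False},
    {"id": "12347", "severity": "high", "enriched": True},
]


def fake_transport(method, url, headers, body):
    """Offline stand-in for the API; rejects calls without a bearer header."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, {"error": "Unauthorized"}
    if method == "GET" and "/incidents?" in url:
        return 200, SAMPLE_INCIDENTS
    if method == "POST" and url.endswith("/playbooks/789/run"):
        incident_id = json.loads(body)["params"]["incident_id"]
        return 200, {"status": "success", "details": {"incident_id": incident_id}}
    return 404, {"error": "Not Found"}


def demo() -> List[dict]:
    """One cycle against the offline transport; a live run would omit the
    transport argument and rely on $SOAR_API_KEY being set."""
    key = os.environ.get("SOAR_API_KEY", "constructed-demo-key")
    return poll_and_respond(SoarClient(key, fake_transport))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Evaluating the condition client-side before calling run_playbook is what keeps a polling loop idempotent: each cycle only acts on incidents that still match, and the returned summary is the record of what was and was not touched.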

Graph Relationships

  • Related to: blue-team cluster (e.g., skills like 'threat-detection' for input data, 'incident-response' for follow-up actions).
  • Depends on: authentication services for API keys.
  • Integrates with: external tools via APIs, such as SIEM systems for event triggers.