AgentSkillsCN

document-in-soar

Add a comment to a SOAR case to record investigation findings, actions taken, or improvement recommendations. Use it during an investigation to maintain an audit trail. Requires a CASE_ID and the comment text.

SKILL.md
---
name: document-in-soar
description: "Add a comment to a SOAR case to document findings, actions, or recommendations. Use to maintain audit trail during investigations. Requires CASE_ID and comment text."
required_roles:
  soar: roles/chronicle.editor
personas: [tier1-analyst, tier2-analyst, tier3-analyst, threat-hunter, incident-responder]
---

# Document in SOAR Skill

Add a standardized comment to a SOAR case to document findings, actions taken, or recommendations.

## Inputs

- CASE_ID - The SOAR case ID to add the comment to
- COMMENT_TEXT - The full text of the comment to be added
- (Optional) ALERT_GROUP_IDENTIFIERS - Alert group identifiers if required

## Workflow

### Step 1: Post Comment

```
secops-soar.post_case_comment(
    case_id=CASE_ID,
    comment=COMMENT_TEXT,
    alert_group_identifiers=ALERT_GROUP_IDENTIFIERS  # only if provided
)
```

### Step 2: Verify Status

Check the API response to confirm the comment was posted successfully.

## Outputs

| Output | Description |
| --- | --- |
| COMMENT_POST_STATUS | Success/failure status of the comment posting |

## Comment Templates

Enrichment Summary:

```
IOC Enrichment for [IOC_VALUE] ([IOC_TYPE]):
- GTI Reputation: [score/classification]
- SIEM Activity: [first/last seen, alert count]
- IOC Match: [Yes/No]
- Assessment: [Low/Medium/High risk]
- Recommendation: [next steps]
```

Triage Decision:

```
Alert Triage Complete:
- Classification: [FP/BTP/TP/Suspicious]
- Key Findings: [summary]
- Rationale: [why this classification]
- Action Taken: [closed/escalated]
```

Investigation Update:

```
Investigation Update [timestamp]:
- Actions Completed: [list]
- Findings: [summary]
- Next Steps: [planned actions]
```
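The following is an added example (not part of the skill or of the secops-soar tool) that ties the two workflow steps to the Enrichment Summary template above: it fills the template's `[placeholders]` and refuses to post while any remain unfilled, passes ALERT_GROUP_IDENTIFIERS only when provided, and maps the API response to COMMENT_POST_STATUS. The `post` callable, the `"error"` key in its response, and the sample values are assumptions.

```python
import re
from typing import Callable, Optional

# Template copied from the skill page; [brackets] mark fields the analyst fills in.
ENRICHMENT_SUMMARY = """IOC Enrichment for [IOC_VALUE] ([IOC_TYPE]):
- GTI Reputation: [score/classification]
- SIEM Activity: [first/last seen, alert count]
- IOC Match: [Yes/No]
- Assessment: [Low/Medium/High risk]
- Recommendation: [next steps]"""

PLACEHOLDER = re.compile(r"\[([^\[\]]+)\]")

def render_comment(template: str, values: dict) -> str:
    """Fill every [placeholder]; raise if one is missing so a half-finished
    comment never lands in the case audit trail."""
    def fill(m: re.Match) -> str:
        key = m.group(1)
        if key not in values:
            raise ValueError(f"unfilled placeholder: [{key}]")
        return str(values[key])
    return PLACEHOLDER.sub(fill, template)

def document_in_soar(case_id: str, comment: str, post: Callable[..., dict],
                     alert_group_identifiers: Optional[list] = None) -> str:
    """Step 1: post the comment. Step 2: derive COMMENT_POST_STATUS from the response.
    `post` stands in for the secops-soar post_case_comment tool (hypothetical callable);
    it is assumed to return a dict and to report failure through an "error" key."""
    kwargs = {"case_id": case_id, "comment": comment}
    if alert_group_identifiers:  # optional input: only pass it when provided
        kwargs["alert_group_identifiers"] = alert_group_identifiers
    try:
        response = post(**kwargs)
    except Exception:  # transport or tool error counts as a failed post
        return "failure"
    return "failure" if not isinstance(response, dict) or "error" in response else "success"

# Constructed stand-in for the SOAR client: records the call and returns a dict.
POSTED = []
def fake_post(**kwargs) -> dict:
    POSTED.append(kwargs)
    return {"id": 1}

if __name__ == "__main__":
    text = render_comment(ENRICHMENT_SUMMARY, {
        "IOC_VALUE": "203.0.113.7", "IOC_TYPE": "ip",
        "score/classification": "8/10 malicious",
        "first/last seen, alert count": "2024-05-01 / 2024-05-03, 4 alerts",
        "Yes/No": "Yes", "Low/Medium/High risk": "High risk",
        "next steps": "block at perimeter, escalate to tier 2"})
    print(document_in_soar("CASE-123", text, fake_post))
```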