Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases.
Overall score 78; quality 73% (does it follow best practices?). Impact: pending, no eval scenarios have been run. No known issues (passed).
Optimize this skill with Tessl: npx tessl skill review --optimize ./skills/correlate-ioc/SKILL.md
Quality
Discovery (75%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid skill description that clearly communicates its purpose and when to use it. The main weakness is moderate specificity in capabilities and trigger terms: it could benefit from more concrete action verbs and natural language variations that security analysts would use when searching for IOC-related alerts.
Suggestions
Add more specific actions like 'correlate IOCs with historical alerts', 'search case histories', or 'identify related incidents'
Include natural trigger term variations such as 'indicators of compromise', 'threat indicators', 'security alerts', 'incident lookup', or 'IOC enrichment'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (SIEM alerts, case management) and describes actions (check for alerts, return related alerts and cases), but lacks comprehensive detail about specific operations like alert types, case statuses, or integration methods. | 2 / 3 |
| Completeness | Clearly answers both what ('Check for existing SIEM alerts and case management entries related to IOCs') and when ('Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations'), with explicit trigger guidance. | 3 / 3 |
| Trigger Term Quality | Includes relevant terms like 'SIEM alerts', 'case management', 'IOCs', and 'investigations', but misses common variations users might say such as 'security alerts', 'indicators of compromise', 'threat indicators', or specific SIEM platform names. | 2 / 3 |
| Distinctiveness / Conflict Risk | Has a clear niche focused on SIEM/case management correlation with IOCs, which is distinct from general security skills or other alert-related functionality. The specific combination of IOC lookup against SIEM and case management is unlikely to conflict with other skills. | 3 / 3 |
| Total | | 10 / 12 (Passed) |
Implementation (72%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is well-structured and appropriately concise for a security operations context. Its main weakness is the use of placeholder pseudocode rather than concrete query examples, which reduces immediate actionability. Adding explicit error handling and concrete query construction examples would significantly improve the skill.
Suggestions
Replace 'IOC_based_query' and 'IOC_based_filter' placeholders with concrete example queries showing how to construct searches for different IOC types (IP, domain, hash)
Add error handling guidance for when SIEM or SOAR API calls fail or return empty results
Include a validation step to verify IOC format before querying (e.g., distinguish IP vs domain vs hash)
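As an added example (not part of the skill under review or of the Tessl tooling), the Python below sketches what the three suggestions above ask for, and what the Actionability and Workflow Clarity rows of the table fault the skill for lacking: classify each IOC by type before querying, build a concrete search from the classified values instead of an `IOC_based_query` placeholder, and report API failures and empty results explicitly instead of silently returning nothing. The SPL-style syntax, the field names (`src_ip`, `dest_ip`, `query`, `dest_host`, `url`, `file_hash`), the `notable` index and the `run_search` callable are assumptions standing in for whatever the real SIEM exposes, and the sample alerts are constructed.

```python
# Added example: IOC validation, query construction and failure handling for
# an IOC-to-SIEM-alert correlation step. Field names, index name and the
# SPL-like syntax are assumptions, not a real SIEM's schema.
import ipaddress
import re
from dataclasses import dataclass, field

HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> hash type
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)

# Assumed SIEM fields to search per IOC type (hypothetical schema).
FIELDS_BY_TYPE = {
    "ip": ["src_ip", "dest_ip"],
    "domain": ["query", "dest_host"],
    "url": ["url"],
    "md5": ["file_hash"],
    "sha1": ["file_hash"],
    "sha256": ["file_hash"],
}


def classify_ioc(raw):
    """Return (type, normalized value); type is 'invalid' if unrecognized."""
    value = raw.strip().replace("[.]", ".").replace("hxxp", "http")  # refang
    if not value:
        return "invalid", value
    try:
        return "ip", str(ipaddress.ip_address(value))  # IPv4 or IPv6
    except ValueError:
        pass
    if len(value) in HASH_BY_LENGTH and HEX_RE.match(value):
        return HASH_BY_LENGTH[len(value)], value.lower()
    if value.lower().startswith(("http://", "https://")):
        return "url", value
    if DOMAIN_RE.match(value):
        return "domain", value.lower()
    return "invalid", value


def spl_quote(value):
    """Quote a value for the search string. IOCs arrive from untrusted reports,
    so an embedded quote or backslash must not be able to alter the query."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_alert_query(iocs, index="notable", lookback="-30d"):
    """Return (query or None, rejected IOCs); one OR-clause per valid IOC."""
    clauses, rejected = [], []
    for raw in iocs:
        kind, value = classify_ioc(raw)
        fields = FIELDS_BY_TYPE.get(kind)
        if fields is None:
            rejected.append(raw)  # surfaced to the analyst, not dropped silently
            continue
        clauses.append("(" + " OR ".join(f"{f}={spl_quote(value)}" for f in fields) + ")")
    if not clauses:
        return None, rejected
    return f"search index={index} earliest={lookback} ({' OR '.join(clauses)})", rejected


@dataclass
class CorrelationResult:
    alerts: list = field(default_factory=list)
    rejected_iocs: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def correlate_iocs(iocs, run_search):
    """run_search(query) -> iterable of alert dicts (hypothetical SIEM client).
    An empty alert list with no errors means 'queried, nothing matched'."""
    result = CorrelationResult()
    query, result.rejected_iocs = build_alert_query(iocs)
    if query is None:
        result.errors.append("no valid IOCs to query")
        return result
    try:
        result.alerts = list(run_search(query))
    except Exception as exc:  # timeouts, auth errors, 5xx from the SIEM API
        result.errors.append(f"siem search failed: {exc}")
    return result


# Constructed sample alerts standing in for a SIEM's notable-event index.
SAMPLE_ALERTS = [
    {"alert_id": "A-1001", "rule": "DNS to known C2", "query": "evil.example.com", "case": "CASE-42"},
    {"alert_id": "A-1002", "rule": "Outbound to blocked IP", "dest_ip": "203.0.113.7", "case": None},
]


def fake_search(query):
    """Stand-in for the SIEM client: an alert hits if one of its searchable
    field=value pairs appears in the query string."""
    hits = []
    for alert in SAMPLE_ALERTS:
        for key, val in alert.items():
            if key not in ("alert_id", "rule", "case") and f"{key}={spl_quote(val)}" in query:
                hits.append(alert)
                break
    return hits


if __name__ == "__main__":
    res = correlate_iocs(["203.0.113.7", "evil[.]example[.]com", "not an ioc"], fake_search)
    for a in res.alerts:
        print(a["alert_id"], a["rule"], "case:", a["case"])
    print("rejected:", res.rejected_iocs, "errors:", res.errors)
```

Two details matter beyond the skill's suggestions. Every IOC value is quoted and escaped before it reaches the query string, because indicators are pasted from external reports and a stray quote would otherwise change the search rather than be searched for. Rejected indicators and API failures are returned alongside the alerts rather than collapsed into an empty result, so the caller can tell "nothing matched" from "nothing was checked".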
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is lean and efficient, avoiding unnecessary explanations of what SIEM, SOAR, or IOCs are. Every section serves a clear purpose and assumes Claude understands security operations concepts. | 3 / 3 |
| Actionability | Provides function call patterns but uses placeholder pseudocode like 'IOC_based_query' and 'IOC_based_filter' rather than concrete, executable examples. Claude would need to infer how to construct the actual queries. | 2 / 3 |
| Workflow Clarity | Steps are clearly sequenced (Step 1, Step 2) with defined outputs, but lacks validation checkpoints or error handling guidance. No feedback loop for handling API failures or empty results. | 2 / 3 |
| Progressive Disclosure | For a skill of this size (~60 lines), the content is well-organized with clear sections (Inputs, Workflow, Outputs, Use Cases, Template). No need for external file references given the scope. | 3 / 3 |
| Total | | 10 / 12 (Passed) |
Validation (90%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation for skill structure: 10 / 11 passed
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 (Passed) |