correlate-ioc
Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases.
82
78%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/correlate-ioc/SKILL.mdQuality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its purpose, actions, and trigger conditions within the security operations domain. It uses domain-appropriate terminology that security analysts would naturally use, and its scope is well-bounded to SIEM alert and case management correlation for IOCs. The description is concise yet comprehensive.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: checking for SIEM alerts, checking case management entries, taking IOC lists, and returning related alerts and cases. These are concrete, well-defined operations. | 3 / 3 |
Completeness | Clearly answers both what ('Check for existing SIEM alerts and case management entries related to IOCs', 'Takes IOC list and returns related alerts and cases') and when ('Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations'). | 3 / 3 |
Trigger Term Quality | Includes strong natural keywords that security analysts would use: 'SIEM alerts', 'case management', 'IOCs', 'indicator', 'alerts', 'investigations'. These are terms professionals in this domain would naturally use when requesting this capability. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with a clear niche in SIEM alert correlation and case management lookup for IOCs. The combination of SIEM, case management, and IOC correlation is specific enough to avoid conflicts with other security or general data skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
57%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill has good structure and clear output definitions, but falls short on actionability due to pseudocode-style tool calls with placeholder parameters instead of concrete query examples. The workflow lacks error handling and validation steps for API calls, and the 'Use Cases' section adds tokens without adding value for Claude.
Suggestions
Replace placeholder parameters like `IOC_based_query` with concrete examples showing actual query syntax (e.g., `query='src_ip="198.51.100.10" OR dst_ip="198.51.100.10"'`)
Add error handling guidance: what to do when API calls fail, return empty results, or time out
Remove the 'Use Cases' section—it explains when to use the skill rather than how, which Claude can infer from context
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | Mostly efficient but the 'Use Cases' section is unnecessary padding—Claude doesn't need to be told when to use the skill. The template at the end is useful but slightly verbose. | 2 / 3 |
Actionability | The MCP tool calls are shown but are pseudocode-like with placeholder parameters (e.g., `IOC_based_query`, `IOC_based_filter`) rather than concrete, executable examples showing actual query syntax. Key details about how to construct the query from IOCs are missing. | 2 / 3 |
Workflow Clarity | Steps are clearly sequenced and outputs are well-defined in a table. However, there are no validation checkpoints or error handling—no guidance on what to do if the SIEM query fails, returns no results, or if the SOAR API is unavailable. Missing feedback loops for these API operations. | 2 / 3 |
Progressive Disclosure | For a skill of this size (~60 lines), the content is well-organized with clear sections (Inputs, Workflow steps, Outputs, Template). No unnecessary nesting or external references needed. | 3 / 3 |
Total | 9 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- dandye/ai-runbooks
- Commit
086cbf6
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.