Check for existing SIEM alerts and case management entries related to IOCs. Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations. Takes IOC list and returns related alerts and cases.
78
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
`npx tessl skill review --optimize ./path/to/skill`
Discovery
75%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid skill description that clearly communicates its purpose and when to use it. The main weakness is moderate specificity in capabilities and trigger terms - it could benefit from more concrete action verbs and additional natural language variations that security analysts might use when searching for this functionality.
Suggestions
Add more specific actions like 'correlate IOCs with historical alerts', 'search case databases', or 'identify related incidents'
Include additional trigger terms users might naturally say: 'security alerts', 'threat indicators', 'incident correlation', 'previous detections', or common SIEM platform names
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (SIEM alerts, case management) and describes actions (check for alerts, return related alerts and cases), but lacks comprehensive detail about specific operations like alert types, case statuses, or integration methods. | 2 / 3 |
| Completeness | Clearly answers both what ('Check for existing SIEM alerts and case management entries related to IOCs') and when ('Use to understand if an indicator has triggered previous alerts or is part of ongoing investigations'), with explicit trigger guidance. | 3 / 3 |
| Trigger Term Quality | Includes relevant terms like 'SIEM alerts', 'case management', 'IOCs', and 'investigations', but misses common variations users might say such as 'security alerts', 'threat indicators', 'incident tickets', or specific SIEM platform names. | 2 / 3 |
| Distinctiveness Conflict Risk | Has a clear niche focused on SIEM/case management correlation with IOCs, which is distinct from general security skills or other alert-related tools. The specific combination of SIEM alerts + case management + IOC lookup creates a unique trigger profile. | 3 / 3 |
| Total | | 10 / 12 Passed |
Implementation
72%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is well-structured and appropriately concise for security operations context. However, it falls short on actionability by using placeholder query syntax instead of concrete examples, and lacks validation/error handling steps that would be important when correlating across multiple security systems.
Suggestions
Replace 'IOC_based_query' and 'IOC_based_filter' placeholders with concrete example queries showing actual syntax (e.g., `query="src_ip IN ('198.51.100.10') OR domain='evil-domain.com'"`)
Add validation step after each API call to handle empty results or API errors (e.g., 'If no alerts found, set CORRELATION_STATUS to "no_matches" and continue to Step 2')
Include an example of how to derive MALICIOUS_CONFIDENCE from the alert data (e.g., 'high if >5 alerts with severity critical/high, medium if 1-5 alerts, low if only informational alerts')
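The three suggestions above describe one workflow: a concrete IOC filter, a validation checkpoint after each lookup, and a rule for deriving MALICIOUS_CONFIDENCE. The following Python is an added example that runs that workflow end to end; it is not code from the skill under review or from the tessl tooling. Every alert and case record is constructed sample data, the `src_ip IN (...)` filter is an illustrative syntax rather than any particular SIEM's query language, and `search_alerts`/`search_cases` are local stand-ins for the real API calls (passing `alerts=None` simulates an API failure). The status and confidence values are assumptions chosen to match the suggestions.

```python
"""Added example: IOC correlation workflow with validation and confidence scoring.

All records below are constructed sample data; the query syntax and the
search functions are illustrative stand-ins, not a real SIEM API.
"""
import ipaddress
import re

# Constructed sample data standing in for SIEM alerts and case-management entries.
SAMPLE_ALERTS = [
    {"id": "A-1", "severity": "critical", "src_ip": "198.51.100.10", "domain": ""},
    {"id": "A-2", "severity": "high", "src_ip": "198.51.100.10", "domain": ""},
    {"id": "A-3", "severity": "informational", "src_ip": "203.0.113.5", "domain": ""},
    {"id": "A-4", "severity": "high", "src_ip": "192.0.2.7", "domain": "evil-domain.example"},
]
SAMPLE_CASES = [
    {"id": "CASE-100", "status": "open", "iocs": ["198.51.100.10"]},
    {"id": "CASE-101", "status": "closed", "iocs": ["evil-domain.example"]},
]

# Hostname shape per RFC 1123 labels; anything else is rejected before it reaches a query.
DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def classify_ioc(ioc):
    """Return 'ip', 'domain', or None. Validation here is the injection guard:
    IOC strings arrive from untrusted feeds and tickets, and an agent that pastes
    them into a query unvalidated is building a query-injection path."""
    ioc = ioc.strip().lower()
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain" if DOMAIN_RE.fullmatch(ioc) else None


def build_ioc_query(iocs):
    """Turn an IOC list into a concrete filter string; invalid inputs are reported, not queried."""
    ips, domains, invalid = [], [], []
    for raw in iocs:
        norm = raw.strip().lower()
        kind = classify_ioc(norm)
        if kind == "ip":
            ips.append(norm)
        elif kind == "domain":
            domains.append(norm)
        else:
            invalid.append(raw)
    clauses = []
    if ips:
        clauses.append("src_ip IN (" + ", ".join(f"'{ip}'" for ip in ips) + ")")
    if domains:
        clauses.append("domain IN (" + ", ".join(f"'{d}'" for d in domains) + ")")
    return " OR ".join(clauses), ips, domains, invalid


def search_alerts(ips, domains, alerts):
    """Stand-in for the SIEM search call (hypothetical); alerts=None simulates an outage."""
    if alerts is None:
        raise RuntimeError("SIEM search API unavailable")
    return [a for a in alerts if a["src_ip"] in ips or a["domain"] in domains]


def search_cases(ips, domains, cases):
    """Stand-in for the case-management lookup (hypothetical)."""
    wanted = set(ips) | set(domains)
    return [c for c in cases if wanted.intersection(c["iocs"])]


def derive_confidence(matched_alerts):
    """Apply the thresholds the review suggests: high if more than 5 critical/high
    alerts, low if every match is informational, medium otherwise."""
    if not matched_alerts:
        return "none"
    severe = sum(1 for a in matched_alerts if a["severity"] in ("critical", "high"))
    if severe > 5:
        return "high"
    if all(a["severity"] == "informational" for a in matched_alerts):
        return "low"
    return "medium"


def correlate(iocs, alerts=SAMPLE_ALERTS, cases=SAMPLE_CASES):
    """Validate IOCs, query alerts then cases, and report status plus confidence.
    Each step sets an explicit CORRELATION_STATUS instead of silently continuing."""
    query, ips, domains, invalid = build_ioc_query(iocs)
    result = {"query": query, "invalid_iocs": invalid, "alerts": [], "cases": []}
    if not ips and not domains:
        result.update(correlation_status="invalid_input", malicious_confidence="none")
        return result
    try:
        result["alerts"] = search_alerts(ips, domains, alerts)
    except RuntimeError as exc:
        result.update(correlation_status="api_error", error=str(exc), malicious_confidence="unknown")
        return result
    # Step 2 runs even when no alerts matched: an open case can exist without an alert.
    result["cases"] = search_cases(ips, domains, cases)
    result["correlation_status"] = "matches" if (result["alerts"] or result["cases"]) else "no_matches"
    result["malicious_confidence"] = derive_confidence(result["alerts"])
    result["open_cases"] = [c["id"] for c in result["cases"] if c["status"] == "open"]
    return result


if __name__ == "__main__":
    print(correlate(["198.51.100.10", "EVIL-Domain.Example", "not a valid ioc; DROP"]))
```

The point worth carrying back into the skill text is that the validation checkpoint does double duty: it gives the agent a defined status for empty results and API errors, and it keeps free-form IOC strings from being interpolated into a query unchecked.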
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is lean and efficient, avoiding unnecessary explanations of what SIEM, SOAR, or IOCs are. Every section serves a purpose and assumes Claude understands security operations concepts. | 3 / 3 |
| Actionability | Provides function call patterns but uses placeholders like 'IOC_based_query' and 'IOC_based_filter' instead of concrete, executable examples. Claude would need to infer how to construct the actual queries. | 2 / 3 |
| Workflow Clarity | Steps are clearly sequenced but lack validation checkpoints. No guidance on what to do if API calls fail, return empty results, or if IOC format is invalid. Missing error handling for a multi-step process. | 2 / 3 |
| Progressive Disclosure | For a skill of this size (~60 lines), the structure is appropriate with clear sections for inputs, workflow, outputs, and use cases. No need for external file references given the scope. | 3 / 3 |
| Total | | 10 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |