
siem-rule-generator

Siem Rule Generator - Auto-activating skill for Security Advanced. Triggers on: siem rule generator, siem rule generator. Part of the Security Advanced skill category.

Install with Tessl CLI

npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill siem-rule-generator

Overall score: 19%


Activation: 7%

This description is essentially a placeholder that provides almost no useful information for skill selection. It lacks concrete actions, natural trigger terms, and explicit usage guidance. The only distinguishing element is the 'SIEM' domain reference, but this alone is insufficient for Claude to make informed skill selection decisions.

Suggestions

Add specific capabilities: 'Generates SIEM detection rules, creates correlation queries, formats alerts for platforms like Splunk, Sentinel, and QRadar'

Include a 'Use when...' clause with natural trigger terms: 'Use when the user asks about detection rules, security alerts, threat hunting queries, or mentions specific SIEM platforms'

Add common user language variations: 'detection logic', 'alert rules', 'security monitoring', 'threat detection', 'log correlation'

Dimension | Reasoning | Score
Specificity | The description only names the skill ('Siem Rule Generator') without describing any concrete actions. There are no specific capabilities listed like 'generates detection rules', 'creates correlation logic', or 'formats for Splunk/Sentinel'. | 1 / 3
Completeness | The description fails to answer 'what does this do' beyond the name, and the 'when' guidance is just the skill name repeated. There is no explicit 'Use when...' clause or meaningful trigger guidance. | 1 / 3
Trigger Term Quality | The only trigger terms listed are 'siem rule generator' repeated twice, which is the skill name itself rather than natural user language. Missing terms users would actually say like 'detection rule', 'alert rule', 'Splunk query', 'security monitoring', or specific SIEM platform names. | 1 / 3
Distinctiveness Conflict Risk | The term 'SIEM' provides some domain specificity that distinguishes it from general coding or document skills, but without concrete actions or platform names, it could still conflict with other security-related skills. | 2 / 3
Total | | 5 / 12 Passed

Implementation: 0%

This skill content is essentially a placeholder with no actual instructional value. It describes what a SIEM rule generator skill might do in abstract terms but provides zero concrete guidance on rule syntax (Sigma, Splunk SPL, KQL, etc.), detection patterns, log source mappings, or validation approaches. The content would not help Claude generate any actual SIEM rules.

Suggestions

Add concrete SIEM rule examples in at least one common format (e.g., Sigma rules with YAML syntax, Splunk SPL queries, or Elastic KQL)

Include a workflow for rule creation: identify threat -> select log sources -> write detection logic -> validate against sample logs -> tune for false positives

Provide specific detection patterns for common attack techniques (e.g., brute force, lateral movement, data exfiltration) with executable rule code

Add references to platform-specific documentation or separate files for different SIEM platforms (Splunk, Elastic, Microsoft Sentinel)

Dimension | Reasoning | Score
Conciseness | The content is padded with generic boilerplate that explains nothing Claude doesn't already know. Phrases like 'provides automated assistance' and 'follows industry best practices' are meaningless filler with no actual SIEM rule content. | 1 / 3
Actionability | There is zero concrete guidance on how to actually generate SIEM rules. No code examples, no rule syntax, no detection logic patterns, no specific commands - just vague descriptions of what the skill supposedly does. | 1 / 3
Workflow Clarity | No workflow is defined at all. There are no steps for creating SIEM rules, no validation checkpoints, no process for testing rules against log data or tuning false positives. | 1 / 3
Progressive Disclosure | The content is a monolithic block of generic text with no structure pointing to detailed materials. No references to rule syntax guides, detection examples, or platform-specific documentation. | 1 / 3
Total | | 4 / 12 Passed

Validation: 69%

Validation: 11 / 16 Passed

Validation for skill structure

Criteria | Description | Result
description_trigger_hint | Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...') | Warning
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning
metadata_version | 'metadata' field is not a dictionary | Warning
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning
body_steps | No step-by-step structure detected (no ordered list); consider adding a simple workflow | Warning
Total | | 11 / 16 Passed

Reviewed
