CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-azure-activity-logs-for-threats

Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.

63

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is reasonably organized and leads with an executable example, but it under-delivers on the five promised detection queries, omits result-validation steps, and fails to point at the bundled api-reference.md and agent.py files that already exist.

Suggestions

Provide actual KQL for each of the five 'Key detection queries' instead of one-line descriptions, or link to references/api-reference.md where the patterns live.

Add a result-handling/validation step (e.g. check LogsQueryStatus.SUCCESS and iterate tables) so the workflow has an explicit checkpoint.

Link the bundle files in the body (e.g. 'See references/api-reference.md for the KQL pattern catalog' and 'scripts/agent.py for a runnable agent') and trim the templated 'When to Use'/'Prerequisites' bullets.

DimensionReasoningScore

Conciseness

The code blocks are lean, but the four near-identical 'When to Use' bullets and generic 'Prerequisites' entries are templated boilerplate that could be tightened; it is mostly efficient yet carries unnecessary padding, so it sits below the 'every token earns its place' level.

2 / 3

Actionability

The Instructions snippet is executable and copy-paste ready, but the five advertised 'Key detection queries' are given only as descriptions (e.g. 'Role assignment changes (privilege escalation)') with actual KQL shown for just one, leaving key details incomplete.

2 / 3

Workflow Clarity

A single query action is shown, but the detection categories are not sequenced into a workflow and there is no validation of query results (the body's code skips the LogsQueryStatus check), so checkpoints are missing despite the loose multi-detection framing.

2 / 3

Progressive Disclosure

Sections are well organized, but the existing bundle files references/api-reference.md and scripts/agent.py are never linked from the body, and detection-query content that overlaps the reference file is inlined instead of being signaled — the skill has external references, so the no-reference exception does not apply.

2 / 3

Total

8

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, third-person description that names concrete actions, supplies an explicit 'Use when' trigger, and carves out a distinct Azure threat-hunting niche. No vague fluff or over-claims are present.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — 'Queries Azure Monitor activity logs and sign-in logs', 'detect suspicious administrative operations, impossible travel, privilege escalation, and resource modifications', and 'Builds KQL queries' — matching the multiple-specific-actions anchor rather than the partial 'names domain and some actions' level.

3 / 3

Completeness

Clearly states what it does and provides an explicit 'Use when investigating suspicious Azure tenant activity or building cloud SIEM detections' trigger, satisfying both the what and the when; not level 2 because the when clause is explicit rather than implied.

3 / 3

Trigger Term Quality

Natural analyst-facing terms appear throughout ('Azure Monitor activity logs', 'sign-in logs', 'impossible travel', 'privilege escalation', 'KQL', 'threat hunting', 'Azure tenant activity', 'cloud SIEM detections'), giving good coverage of phrases a user would say when reaching for this skill.

3 / 3

Distinctiveness Conflict Risk

The Azure Monitor / Log Analytics KQL threat-hunting niche with its specific triggers is clearly distinguishable and unlikely to fire for unrelated skills; it is well above the 'somewhat specific but could overlap' anchor.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.