analyzing-azure-activity-logs-for-threats

Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.

71

Quality: 64% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Passed (No known issues)

Quality

Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly articulates specific capabilities (querying Azure Monitor logs, detecting multiple threat types, building KQL queries), includes rich natural trigger terms spanning security and Azure domains, and provides explicit 'Use when' guidance. The description is concise yet comprehensive, with a distinct niche that minimizes conflict risk with other skills.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: querying activity logs and sign-in logs, detecting suspicious administrative operations, impossible travel, privilege escalation, resource modifications, and building KQL queries for threat hunting. | 3 / 3 |
| Completeness | Clearly answers both 'what' (queries Azure Monitor logs, detects suspicious operations, builds KQL queries) and 'when' (explicitly states 'Use when investigating suspicious Azure tenant activity or building cloud SIEM detections'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Azure Monitor', 'activity logs', 'sign-in logs', 'suspicious', 'impossible travel', 'privilege escalation', 'KQL queries', 'threat hunting', 'SIEM', 'Azure tenant'. Good coverage of both technical and natural terms. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche: Azure Monitor security analysis with specific tooling (azure-monitor-query, KQL). Unlikely to conflict with general security or general Azure skills due to the specific focus on threat hunting and log analysis. | 3 / 3 |
| Total | | 12 / 12 |

Passed

Implementation: 29%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides a reasonable starting point with one executable code example for Azure log querying, but falls short on delivering the breadth of detections promised in its description. The workflow is essentially absent: there is no investigation sequence, no triage guidance, and no validation steps. Generic boilerplate sections waste tokens that could have been used for the missing detection queries.

Suggestions

- Add concrete, executable KQL queries for each of the 5 listed detection categories instead of just naming them as bullet points.
- Define a clear investigation workflow: e.g., 1) Run broad detection query, 2) Filter results by severity indicators, 3) Correlate with sign-in logs, 4) Validate findings against known-good baselines, 5) Document and escalate.
- Remove the generic 'When to Use' and 'Prerequisites' boilerplate and replace with Azure-specific prerequisites (e.g., required RBAC roles, Log Analytics workspace setup, required pip packages).
- Split detailed KQL query libraries into a referenced file (e.g., DETECTION_QUERIES.md) and keep SKILL.md as a concise overview with the workflow and one representative example per category.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The 'When to Use' and 'Prerequisites' sections contain generic boilerplate that doesn't add value (e.g., 'Familiarity with security operations concepts and tools', 'Access to a test or lab environment'). The core content is reasonably lean but padded with unnecessary filler sections. | 2 / 3 |
| Actionability | The initial code example is executable and concrete, but the 'Key detection queries' section lists 5 detection categories as vague bullet points without actual KQL queries. Only one example query is provided (Global Admin detection), while the other 4 categories lack concrete code. The workspace_id placeholder is fine, but there is no guidance on obtaining it. | 2 / 3 |
| Workflow Clarity | There is no clear workflow sequence for threat investigation. The skill lists queries but doesn't describe how to triage results, what constitutes a true positive vs. false positive, how to escalate findings, or any validation/verification steps. For a threat hunting skill involving potentially destructive response actions, this lack of structure is a significant gap. | 1 / 3 |
| Progressive Disclosure | All content is in a single flat file with no references to additional resources for the 4 detection categories that lack queries. The skill promises coverage of impossible travel, privilege escalation, and resource modifications in its description but only delivers one concrete example. No links to query libraries, detection rule files, or advanced hunting guides. | 1 / 3 |
| Total | | 6 / 12 |

Passed

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 |

Passed

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
