
analyzing-azure-activity-logs-for-threats

Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.

59

Quality: 68% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk: Advisory (suggest reviewing before use)

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/analyzing-azure-activity-logs-for-threats/SKILL.md

Quality

Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly communicates specific capabilities (querying Azure Monitor logs, detecting multiple threat types, building KQL queries), includes rich natural trigger terms that security professionals would use, and provides explicit 'Use when' guidance. The description is concise yet comprehensive, with a distinct niche that minimizes conflict risk with other skills.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: querying activity logs and sign-in logs, detecting suspicious administrative operations, impossible travel, privilege escalation, resource modifications, and building KQL queries for threat hunting. | 3 / 3 |
| Completeness | Clearly answers both what (queries Azure Monitor logs, detects suspicious operations, builds KQL queries) and when ('Use when investigating suspicious Azure tenant activity or building cloud SIEM detections') with explicit trigger guidance. | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Azure Monitor', 'activity logs', 'sign-in logs', 'suspicious', 'privilege escalation', 'impossible travel', 'KQL', 'threat hunting', 'SIEM', 'Azure tenant'. Good coverage of terms a security analyst would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche: Azure Monitor security analysis with specific tools (azure-monitor-query, KQL) and specific threat types. Unlikely to conflict with general Azure skills or generic security skills due to the precise domain focus. | 3 / 3 |
| Total | | 12 / 12 (Passed) |

Implementation: 37%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides a reasonable starting point with one executable code example and one detection query, but falls short on completeness: 4 of 5 listed detection categories lack actual KQL queries, there is no investigation workflow or sequencing, and the boilerplate sections add little value. It reads more like a sketch than a production-ready skill.

Suggestions

- Add complete, executable KQL queries for each of the 5 listed detection categories instead of just naming them as bullet points.
- Define a clear multi-step investigation workflow (e.g., 1. Authenticate → 2. Run broad triage query → 3. Narrow with specific detections → 4. Validate findings → 5. Document/escalate) with explicit validation checkpoints.
- Remove or drastically shorten the generic 'When to Use' and 'Prerequisites' sections; replace them with Azure-specific prerequisites such as required RBAC roles and workspace configuration.
- Move detailed detection queries into a referenced bundle file (e.g., DETECTIONS.md) and keep SKILL.md as a concise overview with one representative example.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The 'When to Use' and 'Prerequisites' sections are padded with generic boilerplate (e.g., 'Familiarity with security operations concepts,' 'Access to a test or lab environment') that Claude already knows or doesn't need. The core content is reasonably lean but these sections waste tokens. | 2 / 3 |
| Actionability | The initial code example is executable and concrete, but the 'Key detection queries' section lists 5 detection categories as vague bullet points without actual KQL queries. Only one example query is provided (Global Admin role assignments); the other 4 are described rather than instructed. | 2 / 3 |
| Workflow Clarity | There is no clear multi-step workflow for threat investigation. The skill presents disconnected code snippets without sequencing (e.g., authenticate → query → triage results → escalate). There are no validation checkpoints, no guidance on interpreting results, and no error handling or feedback loops for failed queries or ambiguous findings. | 1 / 3 |
| Progressive Disclosure | The content is organized into sections (When to Use, Prerequisites, Instructions, Examples) which provides some structure, but all content is inline with no references to supporting files. For a skill covering 5+ detection categories, the detailed KQL queries for each category should be in a referenced file rather than listed as bare bullet points. | 2 / 3 |
| Total | | 7 / 12 (Passed) |

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 (Passed) |

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
