Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
Quality

Discovery (100%)

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly articulates specific capabilities (querying Azure Monitor logs, detecting multiple threat types, building KQL queries), includes rich natural trigger terms spanning security and Azure domains, and provides explicit 'Use when' guidance. It is highly distinctive and would be easy for Claude to correctly select from a large pool of skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: querying activity logs and sign-in logs, detecting suspicious administrative operations, impossible travel, privilege escalation, resource modifications, and building KQL queries for threat hunting. | 3 / 3 |
| Completeness | Clearly answers both 'what' (queries Azure Monitor logs, detects suspicious operations, builds KQL queries) and 'when' (explicit 'Use when investigating suspicious Azure tenant activity or building cloud SIEM detections'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Azure Monitor', 'activity logs', 'sign-in logs', 'suspicious', 'privilege escalation', 'impossible travel', 'KQL queries', 'threat hunting', 'cloud SIEM', 'Azure tenant'. Good coverage of both technical and natural terms. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche: Azure Monitor security analysis with specific tools (azure-monitor-query, KQL) and specific threat types. Unlikely to conflict with general security or general Azure skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation (37%)

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides a reasonable starting point with one executable code example and one detection query, but falls short on actionability by listing 4 of its 5 detection categories without concrete KQL queries. The workflow is essentially absent: there is no investigation sequence, no triage steps, and no validation guidance, which is critical for a security investigation skill. The boilerplate sections consume tokens without adding value.
Suggestions

- Add concrete KQL queries for all 5 listed detection categories instead of just listing them as bullet points.
- Define a clear investigation workflow with sequenced steps, e.g.: 1) query role changes, 2) correlate with sign-in logs, 3) check for impossible travel, 4) validate findings against known-good baselines, 5) escalate or document.
- Remove generic boilerplate from the 'When to Use' and 'Prerequisites' sections; replace it with Azure-specific prerequisites such as required RBAC roles, Log Analytics workspace setup, and required pip packages.
- Add validation checkpoints such as verifying that query results are non-empty, cross-referencing suspicious findings with a second data source, or checking timestamps for consistency.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The 'When to Use' and 'Prerequisites' sections contain generic boilerplate that doesn't add value (e.g., 'Familiarity with security operations concepts and tools', 'Access to a test or lab environment'). The core content is reasonably lean but padded with unnecessary filler sections. | 2 / 3 |
| Actionability | The initial code example is executable and concrete, but the 'Key detection queries' section lists 5 detection categories as vague bullet points without actual KQL queries. Only one example query is provided (Global Admin detection), while the other 4 categories lack concrete code. The WORKSPACE_ID placeholder is fine, but there is no guidance on obtaining it. | 2 / 3 |
| Workflow Clarity | There is no clear workflow for threat investigation: no sequencing of steps, no validation checkpoints, no guidance on what to do when suspicious activity is found, and no feedback loops. For a security investigation skill involving potentially destructive or high-stakes operations, the lack of any structured process is a significant gap. | 1 / 3 |
| Progressive Disclosure | The content has some structure with sections (When to Use, Prerequisites, Instructions, Examples), but all content is inline with no references to external files for the detailed KQL queries or advanced detection scenarios. The 5 detection categories listed as bullets would benefit from being fleshed out either inline or in referenced files. | 2 / 3 |
| Total | | 7 / 12 Passed |
Validation (90%)

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 10 / 11 Passed
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |