analyzing-azure-activity-logs-for-threats

Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.

Quality: 68% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Passed, no known issues

Optimize this skill with Tessl:

npx tessl skill review --optimize ./skills/analyzing-azure-activity-logs-for-threats/SKILL.md

Quality

Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly articulates specific capabilities (querying Azure Monitor logs, detecting multiple threat types, building KQL queries), includes rich natural trigger terms spanning security and Azure domains, and provides explicit 'Use when' guidance. The description is concise yet comprehensive, with a well-defined niche that minimizes conflict risk with other skills.

Dimension scores (reasoning and score):

Specificity (3 / 3): Lists multiple specific concrete actions: querying activity logs and sign-in logs, detecting suspicious administrative operations, impossible travel, privilege escalation, resource modifications, and building KQL queries for threat hunting.

Completeness (3 / 3): Clearly answers both 'what' (queries Azure Monitor logs, detects suspicious operations, builds KQL queries) and 'when' (explicit 'Use when investigating suspicious Azure tenant activity or building cloud SIEM detections').

Trigger Term Quality (3 / 3): Includes strong natural keywords users would say: 'Azure Monitor', 'activity logs', 'sign-in logs', 'suspicious', 'impossible travel', 'privilege escalation', 'KQL queries', 'threat hunting', 'SIEM', 'Azure tenant'. Good coverage of both technical and natural terms.

Distinctiveness / Conflict Risk (3 / 3): Highly distinctive with a clear niche: Azure Monitor security analysis with specific tools (azure-monitor-query, KQL) and specific threat types. Unlikely to conflict with general security or general Azure skills.

Total: 12 / 12 (Passed)

Implementation: 37%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides a reasonable starting point with executable Python/KQL code for Azure threat detection, but it is incomplete: it promises five detection categories while only delivering two with actual queries. The workflow is essentially absent, with no investigation sequence, triage guidance, or validation checkpoints, which is critical for a security operations skill. Generic boilerplate in the prerequisites and 'When to Use' sections wastes tokens without adding value.

Suggestions:

- Add actual KQL queries for all five listed detection categories (items 2-5 are currently just descriptions with no code).

- Define a clear investigation workflow: e.g., 1) Run broad detection queries, 2) Triage results by severity indicators, 3) Correlate across log types, 4) Validate findings against known-good baselines, 5) Document and escalate.

- Remove generic prerequisites ('Familiarity with security operations concepts,' 'Access to a test or lab environment') and replace them with Azure-specific requirements (e.g., required RBAC roles, Log Analytics workspace reader permissions, specific SDK versions).

- Add guidance on interpreting query results: what constitutes suspicious vs. benign activity for each detection category, and what the next investigation step should be.

Dimension scores (reasoning and score):

Conciseness (2 / 3): The 'When to Use' and 'Prerequisites' sections are padded with generic boilerplate (e.g., 'Familiarity with security operations concepts,' 'Access to a test or lab environment') that Claude already knows or that adds no Azure-specific value. The core content is reasonably lean but surrounded by filler.

Actionability (2 / 3): The initial code example is executable and concrete, and the Global Admin detection query is useful. However, items 2-5 in the 'Key detection queries' list are vague descriptions with no actual KQL queries provided, making them abstract rather than actionable. The skill promises five detection categories but only delivers executable code for two.

Workflow Clarity (1 / 3): There is no defined workflow or sequence for threat hunting. The skill lists queries but provides no guidance on how to triage results, what constitutes a true positive, how to escalate findings, or any validation/verification steps. For a security investigation skill involving potentially destructive or high-stakes decisions, this lack of structure is a significant gap.

Progressive Disclosure (2 / 3): The content is organized into sections (When to Use, Prerequisites, Instructions, Examples), which provides some structure. However, there are no references to external files for advanced queries, detection rule libraries, or response playbooks, and the incomplete query list suggests content that should either be fully inline or split into referenced files.

Total: 7 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 checks passed

Validation for skill structure (criteria, description, result):

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
