Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and other indicators of account compromise.
Quality: 52%
Does it follow best practices?

Impact: —
No eval scenarios have been run

Advisory: Suggest reviewing before use

Optimize this skill with Tessl:
npx tessl skill review --optimize ./skills/analyzing-office365-audit-logs-for-compromise/SKILL.md

Quality

Discovery: 82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, technically specific description that clearly identifies the data source (O365 Unified Audit Logs via Graph API) and concrete detection capabilities (forwarding rules, delegation, OAuth grants, account compromise). Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The domain-specific terminology is well-chosen and would naturally match security analyst queries.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when investigating O365 account compromise, reviewing audit logs, or analyzing suspicious mailbox activity.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'detect email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and other indicators of account compromise' along with the specific data source 'Office 365 Unified Audit Logs via Microsoft Graph API'. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' with specific parsing and detection capabilities, but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric guidelines. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Office 365', 'Unified Audit Logs', 'Microsoft Graph API', 'email forwarding rule', 'inbox delegation', 'OAuth app grants', 'account compromise'. These are terms a security analyst would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche: Office 365 audit log analysis for specific security indicators. The combination of Microsoft Graph API, O365 audit logs, and specific compromise indicators makes it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 22%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads as a high-level outline or table of contents rather than an actionable skill. It describes what should be done at each step but provides zero executable code, no API endpoints, no example queries, and no concrete guidance that Claude couldn't already infer from the title alone. The lack of any code examples for a Python-based API integration skill is a critical gap.
Suggestions
Add complete, executable Python code for MSAL authentication and at least one Graph API query (e.g., fetching inbox rules or querying the Unified Audit Log endpoint).
Include specific Graph API endpoint URLs and example request/response JSON payloads for each detection category (forwarding rules, delegation changes, OAuth grants).
Add validation checkpoints to the workflow, such as verifying authentication succeeded, checking that audit log results are non-empty, and validating the output report schema.
Remove the 'When to Use' section entirely—it adds no information beyond what the title and overview already convey—and replace it with concrete detection logic or example KQL/filter queries.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The 'When to Use' section is largely filler that Claude doesn't need (e.g., 'When investigating security incidents that require analyzing office365 audit logs for compromise' is tautological). The overview also restates what the title already conveys. However, the prerequisites and steps sections are reasonably tight. | 2 / 3 |
| Actionability | There is no executable code, no API endpoint URLs, no example Graph API queries, no Python snippets, no example JSON payloads, and no concrete commands. The steps are entirely descriptive ('Query Unified Audit Log for suspicious operations') without showing how to actually do any of them. This is a description of a workflow, not an actionable skill. | 1 / 3 |
| Workflow Clarity | While steps are numbered, they lack any validation checkpoints, error handling, or feedback loops. There's no guidance on what to do if authentication fails, if the audit log returns no results, or how to verify that the query is correct. For a multi-step investigation workflow involving API calls and security-critical analysis, this is insufficient. | 1 / 3 |
| Progressive Disclosure | The content is organized into clear sections (Overview, Prerequisites, Steps, Expected Output), which provides some structure. However, there are no references to supporting files, no linked examples, and no bundle files. The content that exists is thin enough that it doesn't need splitting, but it also doesn't provide the depth that would warrant references. | 2 / 3 |
| Total | | 6 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |