CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-office365-audit-logs-for-compromise

Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and other indicators of account compromise.

62

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A concise, well-sectioned overview that names the right tools and operations but stops short of executable guidance. It also fails to connect the reader to the provided agent.py and api-reference.md bundle files.

Suggestions

Add a concrete executable example or a pointer to the CLI, e.g. 'Run `python agent.py ... audit-logs --days 7`' or a minimal Graph API query snippet.

Signal the bundle files explicitly, e.g. 'Full CLI and function reference: see [references/api-reference.md](references/api-reference.md); implementation in [scripts/agent.py](scripts/agent.py).'

Insert a validation checkpoint into the workflow, such as confirming token acquisition succeeded and verifying audit-log results before reporting indicators.

DimensionReasoningScore

Conciseness

The body is lean with no concept padding, assuming Claude's competence and earning every token it spends.

3 / 3

Actionability

Steps name tools and operations ('MSAL client credentials flow', 'Set-Mailbox, New-InboxRule') but provide no executable code, commands, or Graph endpoints, so guidance is incomplete.

2 / 3

Workflow Clarity

Steps 1-7 are sequenced, but a batch compromise investigation has no validation/verification checkpoints, which caps workflow clarity at 2.

2 / 3

Progressive Disclosure

Bundle files (agent.py, references/api-reference.md) exist but the body never signals or links them, so navigation to detailed material is missing.

2 / 3

Total

9

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A specific, well-targeted description with strong natural trigger terms and concrete capabilities. Its only real gap is the absence of an explicit 'Use when...' clause, which leaves the invocation context implicit.

Suggestions

Append a 'Use when...' clause naming concrete trigger scenarios, e.g. 'Use when investigating O365 email compromise, suspicious inbox/forwarding rules, or unwanted OAuth consent grants.'

DimensionReasoningScore

Specificity

Lists multiple concrete actions such as 'Parse Office 365 Unified Audit Logs via Microsoft Graph API' and 'detect email forwarding rule creation, inbox delegation, suspicious OAuth app grants'.

3 / 3

Completeness

Clearly states what the skill does but lacks an explicit 'Use when...' trigger clause, so the 'when' guidance is missing rather than stated.

2 / 3

Trigger Term Quality

Covers natural analyst-facing terms like 'Office 365 audit logs', 'email forwarding', 'OAuth app grants', and 'account compromise' that a user would actually say.

3 / 3

Distinctiveness Conflict Risk

Targets a clear niche (O365 audit-log compromise hunting) with distinct triggers that are unlikely to overlap with unrelated skills.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.