CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-security-logs-with-splunk

Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis, security event correlation, or log-based incident investigation.

63

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The content delivers concrete, domain-specific SPL examples in a clear six-step workflow, but it conflates multiple searches per code block in a way that hurts executability, omits verification checkpoints, and fails to link its existing bundle files. Tightening the query blocks and signaling the api-reference/script bundles would lift the weaker dimensions.

Suggestions

Split each code block so every distinct SPL search is its own separately fenced and individually executable query, replacing the '|' comment separators that currently merge multiple searches into one invalid pipeline.

Add validation checkpoints between workflow steps (e.g., verify index/sourcetype coverage after scoping, confirm CIM field normalization before interpreting results) to strengthen the investigation feedback loop.

Reference the existing bundle from the body — point to references/api-reference.md for SDK automation and scripts/agent.py for programmatic investigation so the overview correctly signals its one-level-deep detail material.

DimensionReasoningScore

Conciseness

The body is mostly efficient with concrete SPL and minimal preamble, but the 'Key Concepts' table redefines terms Claude already knows (SPL, CIM, Sourcetype) and the output template adds length that could be tightened, fitting the 'mostly efficient but could be tightened' anchor.

2 / 3

Actionability

Queries use real Splunk syntax with specific indexes and EventCodes, but multiple distinct searches are concatenated inside single code blocks separated by '|' comment lines that would not run as separate executable searches, leaving the guidance incomplete rather than copy-paste ready.

2 / 3

Workflow Clarity

A clear six-step sequence is present, but there are no validation or verification checkpoints (e.g., confirming data coverage or CIM field normalization before interpreting results), so it sits at the 'sequence present but checkpoints missing' anchor.

2 / 3

Progressive Disclosure

Bundle files (references/api-reference.md and scripts/agent.py) exist but are never referenced or signaled from the body, so overview-to-detail navigation is incomplete; structure exists but externalized content is not clearly linked.

2 / 3

Total

8

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is concise, uses third person, names concrete capabilities, and provides explicit natural trigger terms for when it activates. It clearly answers both 'what' and 'when' without padding or over-claims.

DimensionReasoningScore

Specificity

Names multiple concrete actions ('log correlation, timeline reconstruction, and anomaly detection') and specific log types (Windows event, firewall, proxy, authentication), matching the 'lists multiple specific concrete actions' anchor.

3 / 3

Completeness

Explicitly answers both what (correlate/reconstruct/detect across named log sources) and when ('Activates for requests involving...'), satisfying the explicit-trigger requirement rather than capping at 2.

3 / 3

Trigger Term Quality

Includes natural terms users would say ('Splunk investigation, SPL queries, SIEM log analysis, security event correlation, or log-based incident investigation') with good coverage, matching the top anchor.

3 / 3

Distinctiveness Conflict Risk

The Splunk/SIEM security-log niche with domain-specific triggers is clearly distinguishable and unlikely to fire for unrelated skills, matching the 'clear niche with distinct triggers' anchor.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.