CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-windows-event-logs-in-splunk

Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows endpoints and domain controllers.

68

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

Highly actionable with executable SPL throughout and a clear six-step sequence, but it is monolithic with some redundancy and unlinked bundle references, and lacks verification checkpoints.

Suggestions

Trim the 'Tools & Systems' and 'Key Concepts' sections to only non-obvious details, since Splunk/Sysmon basics and common event IDs are already known.

Link the existing references/api-reference.md from the body (e.g., 'See [api-reference.md](references/api-reference.md) for full event-ID and logon-type tables') and remove the duplicated tables.

Add lightweight validation checkpoints between steps (e.g., confirm WinEventLog/Sysmon data is present and CIM acceleration is enabled before running detection queries).

DimensionReasoningScore

Conciseness

Mostly efficient and query-dense, but the 'Tools & Systems' and 'Key Concepts' sections re-explain Splunk/Sysmon and common event IDs that a capable model largely already knows.

2 / 3

Actionability

Every step provides fully executable, copy-paste-ready SPL with concrete fields, thresholds, and a CSV lookup table — no pseudocode or vague direction.

3 / 3

Workflow Clarity

Six well-sequenced steps, but no validation/verification checkpoints or feedback loops (e.g., confirm data is ingested, sanity-check query results) — sequence present but checkpoints missing.

2 / 3

Progressive Disclosure

A monolithic ~265-line body holds all detail inline; the bundled references/api-reference.md exists but is never referenced or signaled from the body, and event-ID tables are duplicated across both files.

2 / 3

Total

9

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, specific description that covers concrete capabilities, natural trigger terms, both what-and-when, and a clearly distinct niche. No meaningful weaknesses.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — 'detect authentication attacks, privilege escalation, persistence mechanisms, and lateral movement', 'build detection queries', 'perform forensic timeline analysis' — all tied to SPL queries mapped to MITRE ATT&CK.

3 / 3

Completeness

Clearly answers both what ('Analyzes Windows... logs in Splunk to detect... using SPL queries mapped to MITRE ATT&CK techniques') and when via an explicit 'Use when SOC analysts need to...' clause.

3 / 3

Trigger Term Quality

Natural trigger phrases a SOC analyst would say — 'SOC analysts', 'investigate Windows-based threats', 'build detection queries', 'forensic timeline analysis', 'Windows endpoints and domain controllers'.

3 / 3

Distinctiveness Conflict Risk

Narrow niche (Windows event logs in Splunk for SOC detection) with distinctive triggers unlikely to fire for unrelated skills.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.