Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows endpoints and domain controllers.
65
78% (Does it follow best practices?)
Impact: — (No eval scenarios have been run)
Passed (No known issues)
Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines its domain (Windows event log analysis in Splunk), lists specific capabilities (detecting authentication attacks, privilege escalation, persistence, lateral movement), and provides explicit trigger guidance for when to use it. The description is rich in natural trigger terms that SOC analysts would use and occupies a very distinct niche that minimizes conflict risk with other skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: analyzes Windows Security/System/Sysmon event logs, detects authentication attacks/privilege escalation/persistence mechanisms/lateral movement, uses SPL queries mapped to MITRE ATT&CK techniques, builds detection queries, performs forensic timeline analysis. | 3 / 3 |
| Completeness | Clearly answers both 'what' (analyzes Windows event logs in Splunk to detect various attack types using SPL queries mapped to MITRE ATT&CK) and 'when' (explicit 'Use when SOC analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis'). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms a SOC analyst would use: 'Windows Security', 'Sysmon', 'Splunk', 'SPL queries', 'MITRE ATT&CK', 'authentication attacks', 'privilege escalation', 'lateral movement', 'persistence', 'forensic timeline', 'domain controllers', 'detection queries'. These are highly specific and natural terms for the target audience. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche combining Windows event logs + Splunk + MITRE ATT&CK + SOC analysis. The specificity of the platform (Splunk), data sources (Windows Security/System/Sysmon logs), and methodology (MITRE ATT&CK mapping) makes it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 57%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill excels at actionability with production-ready SPL queries covering a comprehensive range of Windows threat detection scenarios mapped to MITRE ATT&CK. However, it suffers from being a monolithic document (~300 lines) with no progressive disclosure or external references, and lacks validation checkpoints in its investigative workflow. Some sections explain concepts Claude already knows (what Splunk is, what Sysmon is, basic event code definitions already demonstrated in the queries).
Suggestions
Split detailed SPL queries into separate referenced files (e.g., AUTH_ATTACKS.md, PRIV_ESC.md, LATERAL_MOVEMENT.md) and keep SKILL.md as a concise overview with navigation links.
Add validation checkpoints to the workflow — e.g., 'Verify data exists: run `index=wineventlog | stats count by sourcetype` before proceeding' and 'Review results for known false positives (service accounts, scheduled tasks) before escalating findings.'
Remove the 'Tools & Systems' section and trim the 'Key Concepts' table — Claude already knows what Splunk and Sysmon are, and the event codes are already explained contextually in the query comments.
Move the CSV lookup data and output format template to separate bundle files (e.g., windows_eventcode_lookup.csv, OUTPUT_TEMPLATE.md) referenced from the main skill.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is quite long (~250+ lines) with some sections that could be trimmed. The 'Tools & Systems' section explains what Splunk and Sysmon are (Claude knows this), and the 'Key Concepts' table explains basic event codes that are already demonstrated in the queries above. However, the SPL queries themselves are dense and earn their tokens. The 'When to Use' and 'Prerequisites' sections add moderate value but could be leaner. | 2 / 3 |
| Actionability | Excellent actionability — every detection category includes fully executable SPL queries that are copy-paste ready with specific field names, event codes, thresholds, and filtering logic. The queries include practical enrichment (eval statements for status meanings, attack types) and are immediately usable in a Splunk environment. The CSV lookup table is also directly usable. | 3 / 3 |
| Workflow Clarity | The steps are clearly sequenced from authentication attack detection through forensic timeline building, which is logical. However, there are no validation checkpoints — no guidance on verifying query results, checking for false positives, confirming data availability before running queries, or iterating when results are unexpected. For an investigative workflow involving potentially high-stakes security decisions, feedback loops (e.g., 'verify the source IP isn't a known service account before escalating') would be important. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of content with no references to external files and no bundle files to support it. The entire skill is inline — the Common Scenarios section lists additional ATT&CK techniques with one-line descriptions that could each warrant their own detailed query sections in separate files. The lookup CSV, output format template, and detailed query libraries would all benefit from being split into referenced files. | 1 / 3 |
| Total | | 8 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |