CtrlK
BlogDocsLog inGet started
Tessl Logo

building-cloud-siem-with-sentinel

This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR platform for centralized security operations. It details configuring data connectors for multi-cloud log ingestion, writing KQL detection queries, building automated response playbooks with Logic Apps, and leveraging the Sentinel data lake for petabyte-scale threat hunting across AWS, Azure, and GCP security telemetry.

57

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The content is highly actionable with complete executable examples and a clear step sequence, but it lacks validation feedback loops for its destructive automated actions and does not surface the existing bundle files from the body. Signaling the references/scripts and adding verification checkpoints would resolve both weak spots.

Suggestions

Add explicit validation/feedback checkpoints to destructive steps — e.g. after the Logic Apps playbook, verify the account was disabled and confirm before/after counts; after mass-deletion detection, validate thresholds against allowlists.

Surface the bundle files from the body with one-level-deep links, e.g. 'API usage and KQL patterns: see [references/api-reference.md](references/api-reference.md)' and 'Automated hunting agent: see [scripts/agent.py](scripts/agent.py)'.

Trim the inline 'Key Concepts' definitions that restate concepts Claude already knows (e.g. what a SIEM, Workbook, or Watchlist is) to reduce token load.

DimensionReasoningScore

Conciseness

The body is mostly efficient with concrete code instead of prose, but it carries a large volume of inline code blocks and a full multi-paragraph 'Output Format' report plus a 'Key Concepts' table whose definitions (e.g. what a SIEM/Workbook is) partly restate things Claude already knows, so it could be tightened.

2 / 3

Actionability

It provides fully executable, copy-paste-ready guidance across PowerShell AZ CLI commands, complete KQL detection queries, a concrete Logic Apps JSON definition, and threat-intel matching queries, matching the anchor for specific executable examples.

3 / 3

Workflow Clarity

The five-step workflow is clearly sequenced, but steps involving destructive/batch operations — the SOAR playbook disabling Azure AD users and mass-deletion detection — have no validation checkpoints or validate→fix→retry feedback loops, which caps workflow clarity at 2 per the guidelines.

2 / 3

Progressive Disclosure

Bundle files exist (references/api-reference.md, scripts/agent.py), but the body never signals or links to them, and substantial content (full API usage, the Python agent) lives in bundles with no navigation pointer from SKILL.md; structure is present but references are not clearly signaled from the overview.

2 / 3

Total

9

/

12

Passed

Description

67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific and well-scoped to a distinct Sentinel SIEM/SOAR niche, but it omits explicit 'when to use' trigger guidance, which caps completeness and limits trigger-term quality. Adding a natural 'Use when...' clause would lift the two middle dimensions.

Suggestions

Add an explicit 'Use when...' clause, e.g. 'Use when deploying Microsoft Sentinel as a cloud SIEM/SOAR, migrating from Splunk/QRadar, or writing KQL detections across multi-cloud logs'.

Include natural user-facing trigger terms ('SIEM', 'detection rules', 'incident response automation', 'Sentinel') that a user would actually say when needing this skill.

Trim the trailing whitespace and tighten the multi-cloud clause so the description reads as a concise single sentence plus trigger clause.

DimensionReasoningScore

Specificity

The description lists multiple concrete actions — 'deploying Microsoft Sentinel', 'configuring data connectors', 'writing KQL detection queries', 'building automated response playbooks with Logic Apps', and 'threat hunting' — matching the anchor for listing several specific concrete actions.

3 / 3

Completeness

It clearly answers 'what does this do' with detailed capabilities, but there is no explicit 'Use when...' clause or equivalent trigger guidance, which per the guidelines caps completeness at 2 rather than 3.

2 / 3

Trigger Term Quality

It includes relevant terms a user might say (Microsoft Sentinel, KQL, Logic Apps, threat hunting) but lacks natural trigger phrasing and misses common variations a user would actually utter, so it is not a level-3 coverage of natural terms.

2 / 3

Distinctiveness Conflict Risk

The niche is clearly defined around Microsoft Sentinel as a cloud SIEM/SOAR platform with specific multi-cloud (AWS/Azure/GCP) telemetry, making it unlikely to trigger for the wrong skill.

3 / 3

Total

10

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.