CtrlK
BlogDocsLog inGet started
Tessl Logo

building-detection-rule-with-splunk-spl

Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify security threats in SOC environments.

59

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill is highly actionable — packed with executable, copy-paste SPL across detection, enrichment, performance, and testing — but it is weighed down by generic boilerplate sections, lacks an explicit validation feedback loop in its workflow, and entirely ignores its own bundle files. Wiring the existing references/scripts/assets into the body and tightening the templated sections would lift the lower dimensions.

Suggestions

Replace the generic 'When to Use' / 'Prerequisites' boilerplate with skill-specific guidance, or move it into a reference file if it must stay.

Add an explicit feedback loop to the build process, e.g. after Step 8 'if precision/FPR is unacceptable, adjust thresholds in Step 5 and re-run the validation queries'.

Link the existing bundle files from the body — point to references/workflows.md for end-to-end flows, references/api-reference.md and references/standards.md for detail, and assets/template.md for the correlation-search template — so SKILL.md becomes a true overview with one-level-deep navigation.

DimensionReasoningScore

Conciseness

The bulk is lean executable SPL, but the templated 'When to Use' bullets ('When establishing security controls aligned to compliance requirements', 'When building or improving security architecture for this domain') are generic boilerplate, and the overview's '21% of MITRE ATT&CK' stat is mild filler that could be tightened.

2 / 3

Actionability

Six full detection patterns plus correlation-search, enrichment, performance, and testing SPL blocks are concrete, executable, and copy-paste ready — every section instructs with runnable code.

3 / 3

Workflow Clarity

The 8-step 'Step-by-Step Process' is clearly sequenced and a Testing and Validation section provides metrics (precision, FPR), but there is no explicit validate→fix→re-validate feedback loop or 'only proceed when valid' checkpoint tying testing back into the workflow.

2 / 3

Progressive Disclosure

The body is well-sectioned, but bundle files exist in references/ (api-reference.md, standards.md, workflows.md), scripts/ (agent.py, process.py), and assets/ (template.md) and are never referenced or linked from SKILL.md, so content that should be split out stays inline and the bundle is undiscoverable.

2 / 3

Total

9

/

12

Passed

Description

72%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific to a clear, distinctive niche with strong natural trigger terms, but it lacks an explicit 'Use when...' clause and lists only a couple of concrete actions rather than a comprehensive set. Adding trigger guidance and a fuller action list would raise the weaker dimensions.

Suggestions

Append a 'Use when...' clause naming concrete triggers, e.g. 'Use when writing or tuning Splunk ES correlation searches, mapping detections to MITRE ATT&CK, or reducing SIEM alert noise.'

Expand the action list beyond 'build' and 'identify' to include tune/test, enrich, and schedule detection rules for a more comprehensive specificity score.

Keep the third-person action voice (it currently uses 'Build...') — just ensure added triggers stay in third person.

DimensionReasoningScore

Specificity

Names the domain (Splunk SPL correlation searches, SOC) and two concrete actions ('Build effective detection rules', 'identify security threats'), but is not comprehensive — it omits tuning, enrichment, and testing rather than listing multiple distinct actions like the score-3 anchor.

2 / 3

Completeness

It clearly answers 'what' (build SPL correlation searches to detect threats) but has no 'Use when...' clause or equivalent explicit trigger guidance, which caps completeness at 2 per the judging guidelines.

2 / 3

Trigger Term Quality

Covers natural terms a SOC analyst would actually say — 'Splunk', 'SPL', 'correlation searches', 'detection rules', 'security threats', and 'SOC' — giving good trigger coverage.

3 / 3

Distinctiveness Conflict Risk

The niche is sharp and specific — Splunk SPL correlation searches for SOC threat detection — with distinct triggers unlikely to overlap with other skills.

3 / 3

Total

10

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.