Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify security threats in SOC environments.
Score: 46
Quality: 48% (Does it follow best practices?)
Impact: — (No eval scenarios have been run)
Passed: No known issues
Optimize this skill with Tessl:

```
npx tessl skill review --optimize ./skills/building-detection-rule-with-splunk-spl/SKILL.md
```

Quality
Discovery: 32%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description identifies a clear domain (Splunk SPL correlation searches for SOC) but lacks the depth needed for effective skill selection. It is missing an explicit 'Use when...' clause, doesn't enumerate specific concrete actions beyond 'build detection rules,' and could benefit from more natural trigger terms that users would actually say.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about writing Splunk correlation searches, creating SPL detection rules, building SIEM alerts, or developing threat detection logic.'
List more specific concrete actions, e.g., 'Write SPL correlation searches, define risk-based alerting rules, create notable event configurations, tune false positives, and build lookup-based enrichment queries.'
Include additional natural trigger terms users might say, such as 'SIEM rules', 'Splunk alerts', 'threat hunting queries', 'notable events', 'Enterprise Security', or 'ES correlation'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (Splunk SPL correlation searches, SOC environments) and the general action (build detection rules to identify security threats), but doesn't list multiple specific concrete actions like creating alert thresholds, writing lookup tables, configuring notable events, etc. | 2 / 3 |
| Completeness | Describes what the skill does (build detection rules using SPL correlation searches) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per rubric guidelines, missing 'Use when' caps completeness at 2, and the 'what' is also only moderately detailed, warranting a 1. | 1 / 3 |
| Trigger Term Quality | Includes relevant keywords like 'Splunk', 'SPL', 'correlation searches', 'detection rules', and 'SOC', but misses common user variations like 'SIEM', 'alert', 'notable event', 'threat detection', 'security monitoring', or '.conf files'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The mention of Splunk SPL and correlation searches provides some specificity, but 'detection rules' and 'security threats' are broad enough to overlap with other security-related skills covering SIEM tools, threat hunting, or general security analysis. | 2 / 3 |
| Total | | 7 / 12 (Passed) |
Implementation: 64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides strong, actionable SPL detection rule examples that are immediately executable, which is its greatest strength. However, it suffers from some boilerplate sections (When to Use, Prerequisites) that waste tokens, a monolithic structure that could benefit from splitting into referenced files, and a workflow that lacks explicit validation checkpoints and feedback loops for iterating on detection accuracy.
Suggestions
Remove the generic 'When to Use' and 'Prerequisites' sections — Claude doesn't need to be told when to use a skill it's been given, and it already understands Splunk ES prerequisites.
Add explicit validation checkpoints to the workflow: after step 5 (Apply Thresholds), include a mandatory step to run the search against historical data and check false positive rate before proceeding to scheduling.
Split the six detection patterns into a separate PATTERNS.md reference file, keeping only 1-2 representative examples in the main SKILL.md with a pointer to the full catalog.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill contains some unnecessary padding — the 'When to Use' section is generic boilerplate, the overview includes a statistic about MITRE ATT&CK coverage that doesn't help Claude write SPL, and the Prerequisites section explains things Claude already knows. However, the core SPL examples are reasonably lean and the content is mostly useful. | 2 / 3 |
| Actionability | The skill provides fully executable SPL queries across six distinct detection patterns, a correlation search configuration template, enrichment examples, performance optimization queries, and testing/validation searches. All code is copy-paste ready with realistic field names and thresholds. | 3 / 3 |
| Workflow Clarity | The 8-step correlation search building process is listed but lacks explicit validation checkpoints and feedback loops. There's no 'if the search returns too many false positives, adjust thresholds and re-test' loop. The testing section exists but isn't integrated into the workflow as a mandatory checkpoint before deployment. | 2 / 3 |
| Progressive Disclosure | The content is a long monolithic document (~200+ lines of substantive content) with no bundle files to offload detail into. The MITRE ATT&CK mapping table, all six detection patterns, enrichment practices, and performance optimization could be split into separate referenced files. However, the sections are well-organized with clear headers. | 2 / 3 |
| Total | | 9 / 12 (Passed) |
Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 (Passed) |