building-detection-rule-with-splunk-spl

Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify security threats in SOC environments.

67

Quality: 59% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Passed (No known issues)


Quality

Discovery: 54%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a clear and distinctive niche in Splunk SPL detection rule creation for SOC environments, with good trigger terms that security analysts would naturally use. However, it lacks an explicit 'Use when...' clause and could benefit from listing more specific concrete actions beyond the general 'build detection rules' and 'identify security threats'.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user needs to write, review, or tune Splunk SPL correlation searches, detection rules, or security alerts.'

List more specific concrete actions such as 'write SPL queries, create correlation searches, tune false positives, map detections to MITRE ATT&CK, configure notable event generation.'

| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (Splunk SPL correlation searches, SOC environments) and the general action (build detection rules, identify security threats), but doesn't list multiple specific concrete actions like creating specific rule types, testing rules, tuning false positives, etc. | 2 / 3 |
| Completeness | Describes what the skill does (build detection rules using SPL) but has no explicit 'Use when...' clause or equivalent trigger guidance. Per the rubric, a missing 'Use when...' clause caps completeness at 2, and the 'what' portion is also only moderately detailed, placing this at 1-2. Given the complete absence of when-guidance, scoring at 1. | 1 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'detection rules', 'Splunk', 'SPL', 'correlation searches', 'security threats', 'SOC'. These are terms a security analyst would naturally use when requesting this kind of help. | 3 / 3 |
| Distinctiveness Conflict Risk | The combination of Splunk SPL, correlation searches, detection rules, and SOC environments creates a very clear niche that is unlikely to conflict with other skills. This is highly specific to security operations detection engineering. | 3 / 3 |

Total: 9 / 12 (Passed)

Implementation: 64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a comprehensive and highly actionable skill with excellent executable SPL examples covering multiple detection patterns. Its main weaknesses are verbosity from boilerplate sections (When to Use, Prerequisites, Overview) that don't add value for Claude, and a monolithic structure that could benefit from splitting into focused sub-files. The workflow could be strengthened with explicit validation gates and feedback loops for tuning detection rules.

Suggestions

Remove or drastically trim the 'When to Use', 'Prerequisites', and 'Overview' sections — Claude doesn't need to be told what SPL is or when to use detection rules.

Integrate validation steps directly into the build workflow: after step 5 (Apply Thresholds), add an explicit 'Run against 24h historical data and verify true positive rate > X% before scheduling' checkpoint with a feedback loop.

Split the MITRE ATT&CK mapping table, enrichment best practices, and performance optimization into separate referenced files to improve progressive disclosure and reduce the main file's token footprint.

| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill contains some unnecessary sections like 'When to Use' with generic boilerplate bullets, 'Prerequisites' listing things Claude already knows, and the overview paragraph explaining what SPL is. The core SPL patterns themselves are efficient, but the surrounding scaffolding adds token bloat. | 2 / 3 |
| Actionability | The skill provides fully executable SPL queries across six distinct detection patterns, a correlation search configuration template, enrichment examples, performance optimization queries, and testing/validation searches. All code is copy-paste ready with realistic field names and thresholds. | 3 / 3 |
| Workflow Clarity | The 8-step correlation search building process is clearly listed but lacks explicit validation checkpoints and feedback loops. There's no 'if detection fires incorrectly, tune thresholds and re-test' loop, and the testing section is separate from the build workflow rather than integrated as a validation gate before deployment. | 2 / 3 |
| Progressive Disclosure | The content is a long monolithic document (~200+ lines) that could benefit from splitting detailed pattern libraries, enrichment references, and the MITRE mapping table into separate files. The external references at the bottom are helpful, but the internal content lacks any cross-file organization or navigation structure. | 2 / 3 |

Total: 9 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
