Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify security threats in SOC environments.
Quality

Discovery
Score: 40%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description identifies a clear and distinctive niche (Splunk SPL correlation searches for SOC detection) but falls short on completeness by lacking any explicit 'Use when...' trigger guidance. It would benefit from listing more specific actions and including natural trigger terms users might use when requesting this type of help.
Suggestions

- Add a 'Use when...' clause with explicit triggers, e.g., 'Use when the user asks about writing Splunk searches, creating correlation rules, building SIEM detections, or developing SPL queries for threat hunting.'
- Include more natural trigger term variations such as 'SIEM', 'alert rules', 'notable events', 'threat hunting', 'tstats', 'datamodel', and '.conf files'.
- List more specific concrete actions, e.g., 'Writes SPL correlation searches, tunes alert thresholds, creates lookup tables, builds datamodel-accelerated searches, and generates notable events for security monitoring.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (Splunk SPL correlation searches, SOC environments) and the general action (build detection rules to identify security threats), but doesn't list multiple specific concrete actions like creating alert thresholds, writing lookup tables, configuring notable events, etc. | 2 / 3 |
| Completeness | Describes what the skill does (build detection rules using SPL correlation searches) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per rubric guidelines, missing 'Use when' caps completeness at 2, and the 'when' is entirely absent, warranting a 1. | 1 / 3 |
| Trigger Term Quality | Includes good domain-specific terms like 'Splunk', 'SPL', 'correlation searches', 'SOC', and 'detection rules', but misses common user variations like 'SIEM', 'alert', 'notable event', 'threat detection', 'security monitoring', or 'tstats'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The combination of Splunk SPL, correlation searches, and SOC detection rules creates a very specific niche that is unlikely to conflict with other skills. This is clearly distinguishable from general coding, security analysis, or other SIEM tools. | 3 / 3 |
| Total | | 8 / 12 Passed |
Implementation
Score: 64%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, highly actionable skill with excellent executable SPL examples covering diverse detection scenarios. Its main weaknesses are verbosity in framing sections (boilerplate 'When to Use', prerequisites, overview), a monolithic structure that could benefit from progressive disclosure into separate files, and a workflow that lacks explicit validation checkpoints and feedback loops for iterating on detection rule quality.
Suggestions

- Remove or drastically trim the 'When to Use', 'Prerequisites', and 'Overview' sections — Claude already knows what SPL is and when detection rules are needed.
- Integrate validation steps directly into the build workflow: after step 5 (Apply Thresholds), add an explicit 'Run against 24h of historical data and verify precision > 80% before deploying' checkpoint with a feedback loop.
- Split the MITRE ATT&CK mapping table and the detailed detection patterns into separate referenced files (e.g., PATTERNS.md, MITRE_MAP.md) to keep the main skill as a concise overview with navigation links.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill contains some unnecessary sections like 'When to Use' with generic boilerplate bullets, 'Prerequisites' listing things Claude already knows, and the overview paragraph explaining what SPL is. The core SPL patterns themselves are efficient, but the surrounding content adds token bloat. | 2 / 3 |
| Actionability | The skill provides fully executable SPL queries across six distinct detection patterns, a correlation search configuration template, enrichment examples, performance optimization queries, and testing/validation searches. All code is copy-paste ready with realistic field names and thresholds. | 3 / 3 |
| Workflow Clarity | The 8-step correlation search building process is clearly listed but lacks explicit validation checkpoints and feedback loops. There's no 'if detection fires incorrectly, adjust thresholds and re-test' loop, and the testing section is separate from the build workflow rather than integrated as a validation gate. | 2 / 3 |
| Progressive Disclosure | The content is well-structured with clear headers and a logical progression from patterns to building to optimization to testing. However, it's a long monolithic document (~200+ lines of substantive content) that could benefit from splitting detailed pattern libraries, enrichment references, and the MITRE mapping table into separate files with clear navigation links. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation
Score: 90%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |