Skill UI

A structured guide for SOC Tier 1 analysts to triage security alerts within Splunk Enterprise Security (ES). It provides a systematic workflow for classifying severity, investigating notable events, correlating evidence across diverse data sources (proxy, firewall, logs), and making clear disposition decisions (True Positive, False Positive) required for escalation or closure.

This skill facilitates a rigorous, documentation-anchored design review session. It challenges a proposed plan by cross-referencing it against the project's established domain glossary (CONTEXT.md), historical architectural decisions (ADRs), and the current codebase. It forces the user to resolve ambiguities, define precise terminology, and validate design trade-offs using concrete scenarios, ensuring all decisions are captured and documented inline.