Review target
skills/secops/log-analysis/SKILL.md
Gap
The log-analysis skill covers source taxonomy, event IDs, baselines, and correlation, but it does not require timeline-integrity and evidence-handling checks before making high-confidence incident conclusions.
That leaves several practical gaps:
- event timestamps can be confused with SIEM ingestion timestamps;
- local time, UTC, daylight-saving offsets, and clock skew can be mixed without documentation;
- log pipeline gaps can overlap the incident window while the report still makes definitive negative claims;
- parser normalization can drop raw fields or duplicate events;
- findings can omit query text, raw export references, hashes, or chain-of-custody notes.
Why this matters
Security log analysis often supports incident response, legal review, customer notification, and executive decisions. A timeline that looks precise but lacks timezone normalization, log-gap review, and raw evidence preservation can produce false sequence ordering or overconfident conclusions.
Proposed improvement
Add a "Timeline Integrity and Evidence Handling" step that requires:
- timezone / UTC offset / daylight-saving context;
- clock-skew tolerance before cross-source ordering;
- event timestamp vs. ingestion timestamp distinction;
- log gap and dropped-event review for the incident window;
- raw-event spot checks when using normalized SIEM fields;
- query text, filters, time bounds, export path, hash, and immutable evidence reference.
Also add output fields and edge-case fixtures for mixed timezones, pipeline gaps, and normalized fields without raw evidence.
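The gaps listed under "Gap" and the checks required under "Proposed improvement" can be made concrete with a small checker. The following is an added Python example, not code from the log-analysis skill or from this issue: it normalises mixed-offset timestamps to UTC (rejecting stamps with no offset so the timezone context is documented rather than assumed), orders events by event time rather than ingestion time, flags cross-source neighbours closer than an assumed clock-skew tolerance, reports pipeline gaps that overlap the incident window, lists events whose raw reference was dropped by normalisation, and builds an evidence record carrying query text, UTC bounds, export path and a SHA-256 of the export. The event records, the `PIPELINE_GAPS` table, the 30-second `CLOCK_SKEW` tolerance and every field name are constructed assumptions for the example.

```python
"""Timeline-integrity and evidence-handling checks (added example, not the skill's code).

All records below are constructed for the example; field names are assumptions.
"""
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample: each event carries its own timestamp (original offset kept),
# the SIEM ingestion timestamp, and a reference to the raw export line
# (None where parser normalisation dropped it).
EVENTS = [
    {"source": "dc01", "event_time": "2024-03-10T01:59:30-05:00",
     "ingest_time": "2024-03-10T07:05:00Z", "raw_ref": "export/dc01.evtx:1842",
     "msg": "4624 logon"},
    {"source": "fw", "event_time": "2024-03-10T07:00:10Z",
     "ingest_time": "2024-03-10T07:00:12Z", "raw_ref": "export/fw.log:22",
     "msg": "allow 10.0.0.5->10.0.1.9:445"},
    {"source": "edr", "event_time": "2024-03-10T02:00:05-05:00",
     "ingest_time": "2024-03-10T09:30:00Z", "raw_ref": None,
     "msg": "process start"},
]

# Constructed pipeline-outage record: the proxy forwarder sent nothing for 25 minutes.
PIPELINE_GAPS = [
    {"source": "proxy", "start": "2024-03-10T06:50:00Z", "end": "2024-03-10T07:15:00Z"},
]

# Assumed cross-source clock-skew tolerance; measure it per source in practice.
CLOCK_SKEW = timedelta(seconds=30)


def to_utc(ts):
    """Parse an ISO-8601 timestamp and normalise it to UTC. Naive stamps are rejected
    so a missing offset gets documented instead of silently assumed."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without offset: {ts}")
    return dt.astimezone(timezone.utc)


def ordered_timeline(events):
    """Order by event time in UTC (never by ingestion time) and flag cross-source
    neighbours closer than CLOCK_SKEW, whose relative order cannot be asserted."""
    rows = [{"source": e["source"], "msg": e["msg"], "utc": to_utc(e["event_time"]),
             "ingest_lag": to_utc(e["ingest_time"]) - to_utc(e["event_time"]),
             "order_ambiguous": False} for e in events]
    rows.sort(key=lambda r: r["utc"])
    for prev, cur in zip(rows, rows[1:]):
        if prev["source"] != cur["source"] and cur["utc"] - prev["utc"] <= CLOCK_SKEW:
            prev["order_ambiguous"] = cur["order_ambiguous"] = True
    return rows


def ingest_order(events):
    """Source order by ingestion time, to show how it diverges from event order."""
    return [e["source"] for e in sorted(events, key=lambda e: to_utc(e["ingest_time"]))]


def gaps_in_window(gaps, window_start, window_end):
    """Pipeline gaps overlapping the incident window: for these sources, 'no events'
    is not evidence of absence and the report must say so."""
    ws, we = to_utc(window_start), to_utc(window_end)
    hits = []
    for g in gaps:
        gs, ge = to_utc(g["start"]), to_utc(g["end"])
        if gs < we and ge > ws:
            hits.append({"source": g["source"], "overlap_start": max(gs, ws),
                         "overlap_end": min(ge, we)})
    return hits


def missing_raw_refs(events):
    """Sources whose events carry only normalised fields and no raw-export reference."""
    return [e["source"] for e in events if not e.get("raw_ref")]


def evidence_record(query, time_bounds, export_path, export_bytes):
    """Preserve what the finding was derived from: query text, UTC time bounds,
    export path and a SHA-256 of the export so later review can detect alteration."""
    return {"query": query,
            "time_bounds_utc": [to_utc(b).isoformat() for b in time_bounds],
            "export_path": export_path,
            "sha256": hashlib.sha256(export_bytes).hexdigest()}


def assess(events, gaps, window_start, window_end):
    """Integrity flags a report must disclose before stating a high-confidence conclusion."""
    timeline = ordered_timeline(events)
    return {"timeline": timeline,
            "ambiguous_order": any(r["order_ambiguous"] for r in timeline),
            "gaps": gaps_in_window(gaps, window_start, window_end),
            "events_without_raw": missing_raw_refs(events)}


if __name__ == "__main__":
    result = assess(EVENTS, PIPELINE_GAPS, "2024-03-10T06:55:00Z", "2024-03-10T07:10:00Z")
    for r in result["timeline"]:
        print(r["utc"].isoformat(), r["source"], r["msg"],
              "lag=%s" % r["ingest_lag"], "AMBIGUOUS" if r["order_ambiguous"] else "")
    print("ingest order:", ingest_order(EVENTS))
    print("gaps in window:", result["gaps"])
    print("no raw reference:", result["events_without_raw"])
    print(evidence_record('source="dc01" AND event_id=4624',
                          ("2024-03-10T06:55:00Z", "2024-03-10T07:10:00Z"),
                          "export/dc01.evtx", b"constructed export bytes"))
```

On the constructed data the event-time order is dc01, edr, fw while the ingestion order is fw, dc01, edr, which is exactly the confusion the first gap above describes; the edr and fw events sit 5 seconds apart across sources, so their order is marked ambiguous under the assumed skew; the proxy outage overlaps the window, so a "no proxy activity" claim would be unsupported; and the edr event has no raw reference, so its normalised fields would need a spot check before being cited.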
Bounty category
Review issue + moderate skill improvement.