security-investigator
security-investigator is a Python-based security investigation automation framework that uses VS Code Copilot/Agent Skills and Microsoft MCP servers to run natural-language driven investigations across Microsoft Sentinel and Defender XDR/Entra (Graph API), enrich indicators with threat-intel sources, generate KQL-based analyses and HTML/SVG reports, and supports multiple specialized “agent skills” (e.g., incident/user/device/IoC investigations, posture audits, drift detection, visualization, custom detection authoring).
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Security posture inferred from README: configuration via .env suggests secrets are externalized rather than hard-coded, and the README recommends hash-verified requirements.lock. However, the excerpt does not show explicit TLS enforcement, scope-granular access control, secrets logging/redaction behavior, or explicit mitigations for supply-chain/credential leakage. The tool also depends on third-party threat-intel providers, which may introduce data-sharing considerations for sensitive telemetry/identifiers.
⚡ Reliability
Best When
You have Microsoft Sentinel/Defender/Entra telemetry available and want repeatable, agent-driven investigation workflows with templated KQL and automated reporting.
Avoid When
You cannot grant or safely manage the required API credentials for Graph/Sentinel/Defender and third-party enrichment providers, or you need strict no-exfiltration guarantees for sensitive telemetry.
Use Cases
- • Investigate Microsoft Sentinel/Defender XDR incidents, users, devices, and IoCs with automated entity extraction and recursive follow-ups
- • Enrich and score IP/domain/URL/hash indicators using external threat-intel services
- • Generate analyst-ready HTML and SVG dashboards/reports from investigation runs
- • Perform identity and agent posture audits (M365 Copilot/Copilot Studio agent risk assessment)
- • Detect scope drift for users/SPNs/devices using baseline vs recent activity windows
- • Assist in vulnerability/exposure management and exposure-graph style reporting
- • Support batch creation/update of Defender XDR custom detection rules via Graph API
Not For
- • Replacing an incident response process/policy for high-impact events without human approval
- • Running without appropriate tenant access/permissions to Sentinel/Defender/Graph APIs
- • Unvetted processing of sensitive data where exporting/enriching to third-party IP/abuse/CVE services is disallowed
Interface
Authentication
The README indicates use of a GitHub PAT for MCP server setup and environment variables for API tokens. It does not specify OAuth flows, scope granularity, or token refresh behavior for Microsoft APIs in the provided excerpt.
Pricing
No pricing information for the package itself is provided; costs would likely be driven by underlying Microsoft services and third-party enrichment APIs.
Agent Metadata
Known Gotchas
- ⚠ Runs multiple external integrations (Sentinel/Defender/Graph + threat-intel providers); failures in any one integration could affect investigation completeness
- ⚠ Agent-skill routing is keyword/skill-based; unexpected phrasing may route to suboptimal skills
- ⚠ Graph/Sentinel permissions must be granted; missing permissions may lead to partial results
- ⚠ Potential data governance impact when enriching IoCs with external services
Alternatives
Full Evaluation Report
Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for security-investigator.
AI-powered analysis · PDF + markdown · Delivered within 30 minutes
Package Brief
Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.
Delivered within 10 minutes
Score Monitoring
Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.
Continuous monitoring
Scores are editorial opinions as of 2026-03-30.