{
  "id": "scstelz-security-investigator",
  "name": "security-investigator",
  "homepage": null,
  "repo_url": "https://github.com/SCStelz/security-investigator",
  "category": "security",
  "subcategories": [],
  "tags": [
    "security",
    "microsoft-sentinel",
    "defender-xdr",
    "entra-id",
    "graph-api",
    "mcp",
    "copilot-agent-skills",
    "kql",
    "threat-intelligence",
    "automation",
    "reporting",
    "python"
  ],
  "what_it_does": "security-investigator is a Python-based security investigation automation framework that uses VS Code Copilot/Agent Skills and Microsoft MCP servers to run natural-language driven investigations across Microsoft Sentinel and Defender XDR/Entra (Graph API), enrich indicators with threat-intel sources, generate KQL-based analyses and HTML/SVG reports, and supports multiple specialized “agent skills” (e.g., incident/user/device/IoC investigations, posture audits, drift detection, visualization, custom detection authoring).",
  "use_cases": [
    "Investigate Microsoft Sentinel/Defender XDR incidents, users, devices, and IoCs with automated entity extraction and recursive follow-ups",
    "Enrich and score IP/domain/URL/hash indicators using external threat-intel services",
    "Generate analyst-ready HTML and SVG dashboards/reports from investigation runs",
    "Perform identity and agent posture audits (M365 Copilot/Copilot Studio agent risk assessment)",
    "Detect scope drift for users/SPNs/devices using baseline vs recent activity windows",
    "Assist in vulnerability/exposure management and exposure-graph style reporting",
    "Support batch creation/update of Defender XDR custom detection rules via Graph API"
  ],
  "not_for": [
    "Replacing an incident response process/policy for high-impact events without human approval",
    "Running without appropriate tenant access/permissions to Sentinel/Defender/Graph APIs",
    "Unvetted processing of sensitive data where exporting/enriching to third-party IP/abuse/CVE services is disallowed"
  ],
  "best_when": "You have Microsoft Sentinel/Defender/Entra telemetry available and want repeatable, agent-driven investigation workflows with templated KQL and automated reporting.",
  "avoid_when": "You cannot grant or safely manage the required API credentials for Graph/Sentinel/Defender and third-party enrichment providers, or you need strict no-exfiltration guarantees for sensitive telemetry.",
  "alternatives": [
    "Microsoft Sentinel analytics rules and workbooks",
    "Microsoft Defender XDR hunting workflows and advanced hunting queries",
    "Generic KQL query libraries/playbooks (e.g., community-driven templates)",
    "Commercial SOAR/SIEM automation platforms with threat-intel enrichment",
    "Custom scripts using Microsoft Graph API + Sentinel REST APIs without Copilot/MCP orchestration"
  ],
  "af_score": 38.2,
  "security_score": 47.5,
  "reliability_score": 20.0,
  "package_type": "mcp_server",
  "discovery_source": ["github"],
  "priority": "high",
  "status": "evaluated",
  "version_evaluated": null,
  "last_evaluated": "2026-03-30T13:52:42.437209+00:00",
  "interface": {
    "has_rest_api": false,
    "has_graphql": false,
    "has_grpc": false,
    "has_mcp_server": true,
    "mcp_server_url": null,
    "has_sdk": false,
    "sdk_languages": ["python"],
    "openapi_spec_url": null,
    "webhooks": false
  },
  "auth": {
    "methods": [
      "GitHub PAT for MCP server first use (as described in README)",
      "Microsoft/Entra/Sentinel/Defender API tokens/credentials provided via config (.env) (exact mechanisms not specified in provided README)",
      "Third-party threat-intel provider API tokens via .env (ipinfo, AbuseIPDB, vpnapi, Shodan)"
    ],
    "oauth": false,
    "scopes": false,
    "notes": "The README indicates use of a GitHub PAT for MCP server setup and environment variables for API tokens. It does not specify OAuth flows, scope granularity, or token refresh behavior for Microsoft APIs in the provided excerpt."
  },
  "pricing": {
    "model": null,
    "free_tier_exists": false,
    "free_tier_limits": null,
    "paid_tiers": [],
    "requires_credit_card": false,
    "estimated_workload_costs": null,
    "notes": "No pricing information for the package itself is provided; costs would likely be driven by underlying Microsoft services and third-party enrichment APIs."
  },
  "requirements": {
    "requires_signup": false,
    "requires_credit_card": false,
    "domain_verification": false,
    "data_residency": [],
    "compliance": [],
    "min_contract": null
  },
  "agent_readiness": {
    "af_score": 38.2,
    "security_score": 47.5,
    "reliability_score": 20.0,
    "mcp_server_quality": 55.0,
    "documentation_accuracy": 55.0,
    "error_message_quality": 0.0,
    "error_message_notes": null,
    "auth_complexity": 45.0,
    "rate_limit_clarity": 10.0,
    "tls_enforcement": 60.0,
    "auth_strength": 55.0,
    "scope_granularity": 20.0,
    "dependency_hygiene": 45.0,
    "secret_handling": 55.0,
    "security_notes": "Security posture inferred from README: configuration via .env suggests secrets are externalized rather than hard-coded, and the README recommends hash-verified requirements.lock. However, the excerpt does not show explicit TLS enforcement, scope-granular access control, secrets logging/redaction behavior, or explicit mitigations for supply-chain/credential leakage. The tool also depends on third-party threat-intel providers, which may introduce data-sharing considerations for sensitive telemetry/identifiers.",
    "uptime_documented": 0.0,
    "version_stability": 35.0,
    "breaking_changes_history": 25.0,
    "error_recovery": 20.0,
    "idempotency_support": "false",
    "idempotency_notes": "No explicit idempotency guarantees described; batch detection authoring via Graph API is mentioned but idempotent/retry semantics are not specified.",
    "pagination_style": "unknown",
    "retry_guidance_documented": false,
    "known_agent_gotchas": [
      "Runs multiple external integrations (Sentinel/Defender/Graph + threat-intel providers); failures in any one integration could affect investigation completeness",
      "Agent-skill routing is keyword/skill-based; unexpected phrasing may route to suboptimal skills",
      "Graph/Sentinel permissions must be granted; missing permissions may lead to partial results",
      "Potential data governance impact when enriching IoCs with external services"
    ]
  }
}