{"id":"scstelz-security-investigator","name":"security-investigator","af_score":38.2,"security_score":47.5,"reliability_score":20.0,"what_it_does":"security-investigator is a Python-based security investigation automation framework that uses VS Code Copilot/Agent Skills and Microsoft MCP servers to run natural-language driven investigations across Microsoft Sentinel and Defender XDR/Entra (Graph API), enrich indicators with threat-intel sources, generate KQL-based analyses and HTML/SVG reports, and supports multiple specialized “agent skills” (e.g., incident/user/device/IoC investigations, posture audits, drift detection, visualization, custom detection authoring).","best_when":"You have Microsoft Sentinel/Defender/Entra telemetry available and want repeatable, agent-driven investigation workflows with templated KQL and automated reporting.","avoid_when":"You cannot grant or safely manage the required API credentials for Graph/Sentinel/Defender and third-party enrichment providers, or you need strict no-exfiltration guarantees for sensitive telemetry.","last_evaluated":"2026-03-30T13:52:42.437209+00:00","has_mcp":true,"has_api":false,"auth_methods":["GitHub PAT for MCP server first use (as described in README)","Microsoft/Entra/Sentinel/Defender API tokens/credentials provided via config (.env) (exact mechanisms not specified in provided README)","Third-party threat-intel provider API tokens via .env (ipinfo, AbuseIPDB, vpnapi, Shodan)"],"has_free_tier":false,"known_gotchas":["Runs multiple external integrations (Sentinel/Defender/Graph + threat-intel providers); failures in any one integration could affect investigation completeness","Agent-skill routing is keyword/skill-based; unexpected phrasing may route to suboptimal skills","Graph/Sentinel permissions must be granted; missing permissions may lead to partial results","Potential data governance impact when enriching IoCs with external services"],"error_quality":0.0}