Open source: Agentic investigation framework for Sentinel MCP — 900+ KQL queries, 25 skills, native Entra auth, no supply chain risk

16 April 2026 at 18:00

There's life before Sentinel MCP + GitHub Copilot, and there's life after. There's no going back.

Yes, AI helped write this project. No, this isn't AI slop. This is ~4 months and hundreds of hours of building, testing, breaking, fixing, and tuning agentic investigation skills against live Sentinel/Defender XDR environments. Every one of those 900+ KQL queries has been executed, schema-verified, and battle-tested against real tables with real pitfalls (if you've ever wasted 20 minutes debugging `Timestamp` vs `TimeGenerated`, you know).

What it is: A GitHub Copilot Agent Mode framework that turns natural language into full security investigations using Microsoft's own MCP servers. Clone the repo, add your tenant and workspace ID, API Keys for TI Providers (optional) and go.

Zero supply chain risk for the core framework. 5 of 6 MCP servers are Microsoft-hosted HTTP endpoints (Azure, Sentinel Data Lake, Graph API, Defender XDR, Sentinel Graph, Microsoft Learn) — no npm install, no pip install, nothing to compromise. All 5 use native Entra ID authentication — your existing MFA, Conditional Access policies, and RBAC apply automatically. The only npm dependency is `kql-search-mcp` for KQL schema intelligence and GitHub query discovery — shout out to noodlemctwoodle, the version is pinned with a sha512 integrity hash, and it's fully optional. IP enrichment (ipinfo, AbuseIPDB, Shodan, vpnapi) and local visualization MCP Apps are also optional add-ons.

Don't have Sentinel or Data Lake? No problem. The Sentinel MCP server has Triage Tools available to all E5 customers. RunAdvancedHunting MCP tool can query both XDR-native tables AND connected Sentinel tables — at zero query cost. The framework defaults to AH for everything ≤30 days and falls back to Sentinel Data Lake only when you need 30-90+ day lookback. If you're E5 with no Sentinel workspace, the majority of skills still work; I tried to prioritize native XDR tables whenever possible.

Worried about MCP adoption governance? There's a dedicated MCP Usage Monitoring skill that audits who's using which MCP servers, what endpoints they're hitting, usage trends, and behavioral anomalies — so you can track adoption and catch misuse across your team.

Key features:

- Threat Pulse Skill — One prompt queries 7 security domains in ~5 min. Prioritized dashboard (🔴 Escalate / 🟠 Investigate / 🟡 Monitor / ✅ Clear) with drill-down links that load the right skill, target the entity, and execute. Entry point that finds the leads FOR you.

- 25 investigation skills — User, computer, incident, IoC, authentication tracing, CA policy forensics, scope drift (user/SPN/device behavioral baselines), exposure management, app registration posture, AI agent posture, identity posture, email threat posture, data security analysis, honeypot analysis, and more. Each one is a full guided workflow, not a single query.

- 36 query library files — Organized by domain (identity, endpoint, email, cloud, network, incidents), used for ad hoc threat hunts targeting specific TTPs. Threat intel hunting campaigns you can just point at: "hunt for Storm-1175 last 30 days" and it runs verified queries against your environment.

- Author hunts from threat intel articles — Read any threat intel article (Microsoft, vendor blog, wherever), and the framework maps TTPs to KQL, tunes against your environment, and optionally pushes to Defender XDR Custom Detection API. Full lifecycle from article → queries → deployed detection, weekly updates from me.

- Deterministic PowerShell pipelines — Sentinel Ingestion Report and MITRE ATT&CK Coverage Report use PowerShell to gather all data via `az rest`/`az monitor`/Graph API first, then the LLM renders the report. No hallucinated metrics.

- SVG Dashboard framework — Generate consistent, portable data visualizations (KPI cards, bar/donut/line charts, tables, score cards) directly from investigation data or skill reports. No browser, no external tools — pure SVG rendered inline.

Getting started:
git clone https://github.com/SCStelz/security-investigator
# Copy config template, add workspace ID + tenant ID
# Open VS Code → Copilot Chat → "Run a threat pulse scan"

Note on models: This framework was designed and tested on Claude Opus 4.6 via GitHub Copilot. Mileage with other models may vary — the skill files and query library are model-agnostic markdown, but the instruction-following complexity benefits from a frontier model.

Video walkthrough: https://youtu.be/3UFqWA4cmoE?t=1470

I'm actively developing this and adding new skills/queries regularly. Follow me on LinkedIn (https://www.linkedin.com/in/scstelz/) to keep up with new features.

Feedback, contributions, and skill ideas welcome, AMA!?

[Screenshots in the original post: MITRE Coverage Report SVG; one-prompt "Threat Pulse"; summarized recommendations; Threat Pulse findings dynamically linked to associated queries or skills; drill-downs for email threat, exposure TVM, AiTM, attack path, and RDP brute force.]

submitted by /u/SCStelz
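An added example (not from the post or the project) of the `Timestamp` vs `TimeGenerated` pitfall the post mentions: in Defender XDR Advanced Hunting, XDR-native tables such as DeviceLogonEvents key events on `Timestamp`, while connected Sentinel tables such as SigninLogs use `TimeGenerated`. Normalising both to one column before the union keeps the 30-day AH lookback consistent across sources; the account value is a constructed placeholder, and the UPN-prefix match against `AccountName` is a heuristic assumption.

```kql
// Added example, not project code. Assumes Advanced Hunting with Sentinel tables connected.
let lookback = 30d;                        // the post's default AH window; beyond this, use Data Lake
let target = "jdoe@contoso.example";       // constructed placeholder account
// XDR-native table: the event time column is Timestamp
let endpoint_logons = DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where AccountName =~ tostring(split(target, "@")[0])   // assumed: sAMAccountName = UPN prefix
    | project EventTime = Timestamp,
              Source = "DeviceLogonEvents",
              Account = AccountName,
              Detail = strcat(LogonType, " on ", DeviceName),
              Outcome = ActionType;                            // e.g. LogonSuccess / LogonFailed
// Connected Sentinel table: the event time column is TimeGenerated
let cloud_signins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where UserPrincipalName =~ target
    | project EventTime = TimeGenerated,
              Source = "SigninLogs",
              Account = UserPrincipalName,
              Detail = strcat(AppDisplayName, " from ", IPAddress),
              Outcome = ResultType;                            // "0" = success, otherwise an error code
// Both legs now share the same column names and types, so the union is well-formed
union endpoint_logons, cloud_signins
| summarize Events = count(), FirstSeen = min(EventTime), LastSeen = max(EventTime)
    by Source, Outcome, bin(EventTime, 1d)
| order by EventTime desc, Source asc
```

Filtering each leg on its own time column before the union is what keeps the query bounded; a single `where Timestamp > ago(30d)` applied after the union would silently drop every SigninLogs row, since that table has no `Timestamp` column.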