
Introduction:
The security operations center (SOC) is drowning in data but starving for context. Analysts spend hours pivoting between identity logs, device timelines, and conditional access policies, often repeating the same investigative playbooks manually. Chris S., a Senior Solution Engineer at Microsoft, has open-sourced a solution that transforms this workflow: Security Investigator. This framework leverages GitHub Copilot, the Model Context Protocol (MCP), and Microsoft Sentinel to execute complex, multi-stage investigations from a single natural language prompt. More importantly, it is architected to avoid the critical vulnerabilities plaguing many new AI agents, such as the recently disclosed CVE-2026-25253.
Learning Objectives:
- Understand how to deploy and configure an open-source AI investigation framework using VS Code, GitHub Copilot, and Microsoft MCP Servers.
- Learn to automate complex security workflows—such as scope drift analysis and threat hunting—using natural language prompts.
- Master the structural security principles (sandboxing, read-only APIs, human-in-the-loop) that limit how an AI agent can be exploited.
- Acquire hands-on experience with KQL pre-flight checks and custom skill creation to codify tribal knowledge.
You Should Know:
1. Deploying the Security Investigator Framework
The framework runs inside VS Code: GitHub Copilot is the orchestration layer and the MCP servers, spawned as local processes by the editor, are the data plane. Unlike a hosted agent, nothing listens on a network port, so there is no persistent server, open port, or WebSocket endpoint to attack.
Step-by-step setup:
Prerequisites: Python 3.9+, Node.js 18+, git, and VS Code with GitHub Copilot installed.

```bash
git clone https://github.com/SCStelz/security-investigator.git
cd security-investigator
python -m venv venv
source venv/bin/activate        # On Windows: venv\Scripts\activate
pip install -r requirements.txt
cp config.example.json config.json
```
Edit `config.json` with your Sentinel Workspace ID and Tenant ID (API keys are optional if you authenticate with the device-code flow). Open VS Code, launch the command palette, and start the MCP servers. In Copilot Chat, type: "What can you do and what skills do you have access to?" The agent lists the 12 available skills, from Incident Tracing to MCP Usage Analysis.
2. The Anti-Hallucination Framework and KQL Pre-Flight Checks
AI models are prone to generating plausible but false findings. This framework enforces a strict evidence chain. Every output must cite query results. If a query returns zero results, a mandatory sanity check runs to validate the scope and syntax before reporting “no activity.”
KQL Pre-Flight Checklist (built into every query):
- Search Verified Libraries: The agent checks the `queries/` directory for pre-vetted templates.
- Validate Schema: It checks the table schema (`<Table> | getschema` in KQL) to ensure the referenced fields exist.
- Check Known Pitfalls: Flags common issues such as timezone mismatches in SigninLogs (TimeGenerated is stored in UTC, so a local-time literal shifts the window).
- Syntax Validation: Runs the query through a parser before execution.
- Zero-Result Sanity: If no data returns, it re-runs with a broader time filter to distinguish "no activity" from a mis-scoped query.
Example manual validation command (Windows PowerShell):

```powershell
# Test a query's structure without running it (simulated). In a real environment
# you would parse it with the Kusto REST API or the Kusto .NET libraries; the
# actual validation logic is embedded in the MCP server.
$kqlQuery = "SigninLogs | where UserPrincipalName == '[email protected]' | project TimeGenerated, Location"
Write-Host "Validating schema for UserPrincipalName..." -ForegroundColor Cyan
```
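The checklist above, modelled offline in Python. This is an added example, not the Security Investigator code or its MCP server: the schema snapshot (what `<Table> | getschema` would return), the operator list, the pitfall rules and the in-memory `fake_execute` stand-in for the Sentinel call are all constructed here, and the column-name heuristic (capitalised identifiers are columns, lowercase tokens are KQL operators and functions) is an assumption that holds for the queries on this page but not for every KQL query.

```python
"""Offline model of the KQL pre-flight checklist: schema check, light syntax
check, known-pitfall flag and the zero-result sanity re-run.

Added example, not code from the Security Investigator project. The schema
snapshot, operator list, pitfall rules and in-memory executor are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed schema snapshot (column names only), standing in for the result
# of `<Table> | getschema` against a real workspace.
KNOWN_SCHEMA = {
    "SigninLogs": {"TimeGenerated", "UserPrincipalName", "IPAddress", "Location",
                   "AppDisplayName", "ResultType", "UserAgent"},
    "AuditLogs": {"TimeGenerated", "OperationName", "Result", "InitiatedBy",
                  "TargetResources"},
}
KQL_OPERATORS = {"where", "project", "extend", "summarize", "take", "limit",
                 "sort", "order", "top", "distinct", "count", "join", "union"}
STRING_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")
ASSIGNMENT = re.compile(r"\b([A-Za-z_]\w*)\s*=(?!=)")  # Alias = expr in extend/summarize
IDENTIFIER = re.compile(r"\b([A-Z][A-Za-z0-9_]*)\b")    # columns; KQL keywords are lowercase
ZONED_DATETIME = re.compile(r"datetime\([^)]*[+-]\d{2}:\d{2}\)")
AGO_WINDOW = re.compile(r"ago\((\d+)([dh])\)")
UPN_FILTER = re.compile(r"UserPrincipalName\s*==\s*'([^']*)'")


def _balanced(text):
    closer = {")": "(", "]": "[", "}": "{"}
    stack = []
    for ch in text:
        if ch in "([{":
            stack.append(ch)
        elif ch in closer and (not stack or stack.pop() != closer[ch]):
            return False
    return not stack


def preflight(query, schema=KNOWN_SCHEMA):
    """Findings for a single-table KQL query; an empty list means it may run."""
    stripped = STRING_LITERAL.sub("''", query)   # literals must not hide '|' or names
    stages = [s.strip() for s in stripped.split("|")]
    table = stages[0]
    if table not in schema:
        return [f"unknown table {table!r}: check spelling and workspace"]
    findings = []
    if '"' in stripped or stripped.count("'") % 2 or not _balanced(stripped):
        findings.append("syntax: unbalanced quotes or brackets")
    for stage in stages[1:]:
        op = stage.split(None, 1)[0] if stage else ""
        if op not in KQL_OPERATORS:
            findings.append(f"syntax: unknown operator {op!r}")
    body = "|".join(stages[1:])
    known = schema[table] | set(ASSIGNMENT.findall(body))
    for ident in sorted(set(IDENTIFIER.findall(body))):
        if ident not in known:
            findings.append(f"schema: {table} has no column {ident!r}")
    if ZONED_DATETIME.search(body):
        findings.append("pitfall: TimeGenerated is UTC; a zoned datetime() literal shifts the window")
    return findings


def run_with_sanity(query, execute, widen=4):
    """Run the query; on zero rows, widen the ago() window to tell 'no activity'
    from a mis-scoped filter. `execute` returns rows for a KQL string."""
    rows = execute(query)
    if rows:
        return {"rows": rows, "note": "ok"}
    m = AGO_WINDOW.search(query)
    if not m:
        return {"rows": [], "note": "zero results and no ago() window to widen; confirm scope manually"}
    n, unit = int(m.group(1)), m.group(2)
    wider = f"{query[:m.start()]}ago({n * widen}{unit}){query[m.end():]}"
    check = execute(wider)
    if check:
        return {"rows": [], "note": f"zero results in ago({n}{unit}); {len(check)} rows in "
                                    f"ago({n * widen}{unit}), so the filters are valid"}
    return {"rows": [], "note": f"zero results even in ago({n * widen}{unit}); check the filters"}


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_ROWS = [  # constructed sign-in rows
    {"TimeGenerated": NOW - timedelta(days=20), "UserPrincipalName": "alice@contoso.com"},
    {"TimeGenerated": NOW - timedelta(days=12), "UserPrincipalName": "alice@contoso.com"},
    {"TimeGenerated": NOW - timedelta(days=2), "UserPrincipalName": "bob@contoso.com"},
]


def fake_execute(query, rows=SAMPLE_ROWS, now=NOW):
    """Stand-in for the Sentinel MCP call; honours only ago(Nd|Nh) and a UPN equality."""
    m = AGO_WINDOW.search(query)
    since = datetime.min.replace(tzinfo=timezone.utc)
    if m:
        n = int(m.group(1))
        since = now - (timedelta(days=n) if m.group(2) == "d" else timedelta(hours=n))
    u = UPN_FILTER.search(query)
    return [r for r in rows if r["TimeGenerated"] >= since
            and (u is None or r["UserPrincipalName"] == u.group(1))]


if __name__ == "__main__":
    q = "SigninLogs | where TimeGenerated > ago(7d) | where UserPrincipalName == 'alice@contoso.com'"
    print(preflight(q), run_with_sanity(q, fake_execute)["note"])
```

The zero-result step is the one most worth copying: a query that returns nothing over 7 days but rows over 28 days has valid filters and a genuine quiet period, whereas nothing over either window usually means a misspelled UPN or column, which is exactly the false "no activity" the framework is guarding against.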
3. Executing a Scope Drift Investigation
The new “Scope Drift” skill builds a 90-day behavioral baseline for users, devices, or service principals and compares it against the last 7 days. It calculates a weighted drift score across dimensions like logon locations, accessed applications, and process trees. This catches “slow privilege creep” that static alerts miss.
Prompt in VS Code Copilot Chat:
"Detect scope drift for user [email protected] over the last 90 days, save to markdown"
The agent will: fetch 90 days of `SigninLogs` and `AuditLogs`, aggregate patterns (e.g., "user normally logs in from Seattle, USA"), compare them to the last 7 days, calculate the drift score, and write a `Scope_Drift_Report.md` with tables and visualizations. For CLI enthusiasts, the underlying queries can be exported.
Linux/macOS command to view the raw KQL used:

```bash
grep -r "SigninLogs" ./skills/scope_drift/ | head -10
```
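A scope-drift scorer of the kind the skill describes, as an added example (not the project's scope_drift skill). The dimension weights, the 90-day baseline and 7-day recent windows, and the sign-in rows are constructed here; the real skill's weights and dimensions are not given on this page. The score is a weighted sum, per dimension, of the share of recent events whose value never appeared in the baseline.

```python
"""Scope-drift scoring: 90-day behavioural baseline vs. the last 7 days, a
weighted drift score across dimensions, and a markdown table for the report.

Added example, not the project's scope_drift skill. Weights, windows and the
sign-in rows are constructed for the demo.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
BASELINE_DAYS, RECENT_DAYS = 90, 7
# Assumed weights: location counts most, then application, then source IP.
WEIGHTS = {"Location": 0.4, "AppDisplayName": 0.35, "IPAddress": 0.25}


def split_windows(rows, now=NOW):
    """Baseline = days 8..90 before `now`; recent = the last 7 days; older rows are dropped."""
    baseline, recent = [], []
    for r in rows:
        age = now - r["TimeGenerated"]
        if age <= timedelta(days=RECENT_DAYS):
            recent.append(r)
        elif age <= timedelta(days=BASELINE_DAYS):
            baseline.append(r)
    return baseline, recent


def dimension_drift(baseline, recent, column):
    """Fraction of recent events whose value never appeared in the baseline, plus those values."""
    if not recent:
        return 0.0, []
    seen = {r[column] for r in baseline}
    novel = [r[column] for r in recent if r[column] not in seen]
    return len(novel) / len(recent), sorted(set(novel))


def scope_drift(rows, weights=WEIGHTS, now=NOW):
    baseline, recent = split_windows(rows, now)
    report = {"baseline_events": len(baseline), "recent_events": len(recent),
              "dimensions": {}, "score": 0.0}
    for column, weight in weights.items():
        ratio, novel = dimension_drift(baseline, recent, column)
        report["dimensions"][column] = {"novel_ratio": round(ratio, 3), "novel_values": novel}
        report["score"] += weight * ratio
    report["score"] = round(report["score"], 3)
    return report


def to_markdown(upn, report):
    lines = [f"# Scope drift: {upn}", "",
             f"Drift score: **{report['score']}** "
             f"({report['recent_events']} recent vs {report['baseline_events']} baseline events)", "",
             "| Dimension | Novel ratio | New values |", "|---|---|---|"]
    for column, d in report["dimensions"].items():
        lines.append(f"| {column} | {d['novel_ratio']} | {', '.join(d['novel_values']) or '-'} |")
    return "\n".join(lines)


def _row(days_ago, location, app, ip):
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "Location": location,
            "AppDisplayName": app, "IPAddress": ip}


# Constructed sign-ins for one user: a stable Seattle/Office 365 pattern, then
# two sign-ins in the last week from a new city and IP, one of them to a new app.
SAMPLE_ROWS = [_row(d, "Seattle, US", "Office 365", "203.0.113.10") for d in (80, 61, 45, 30, 15, 9)]
SAMPLE_ROWS += [_row(120, "Tokyo, JP", "Office 365", "198.51.100.1"),   # older than 90d: ignored
                _row(6, "Seattle, US", "Office 365", "203.0.113.10"),
                _row(3, "Lagos, NG", "Office 365", "198.51.100.7"),
                _row(1, "Lagos, NG", "Azure Portal", "198.51.100.7")]

if __name__ == "__main__":
    print(to_markdown("alice@contoso.com", scope_drift(SAMPLE_ROWS)))
```

Two details matter for slow privilege creep: rows older than the baseline window must be dropped (otherwise a location abandoned months ago still counts as "normal"), and the recent window must be excluded from the baseline, or the new behaviour baselines itself.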
4. Interactive Visualizations via MCP Apps
Text-based investigation reports are powerful, but geospatial context often reveals anomalies instantly. The framework includes three MCP Apps that render data directly in the VS Code chat window: a Geo Map, a Sign-in Heatmap, and an Incident Comments timeline.
When you prompt "Investigate my honeypot contoso-admin for the last 90 days," the agent queries the Sentinel Data Lake, enriches IPs with geolocation, and renders a map showing every authentication attempt. The map is rendered locally and no sign-in data or IP addresses are sent to a third-party visualization service. Note, though, that a basemap configured with an external tile URL (the MAP_TILES setting) does request the viewed tile coordinates from that host, so point it at an internal tile server if even that is unacceptable.
Example of enabling the Geo Map MCP App, in your mcp_settings.json:

```json
{
  "geo-map": {
    "command": "node",
    "args": ["apps/geo-map-server.js"],
    "env": {
      "MAP_TILES": "https://{s}.basemaps.cartocdn.com/light_all/{z}/{x}/{y}.png"
    }
  }
}
```
5. Authoring Custom Skills: From Tribal Knowledge to Automation
The most innovative feature is the ability to create new skills dynamically. After running a complex investigation, an analyst can type: “Package this investigation as a new skill.” GitHub Copilot captures the KQL queries, the enrichment logic, and the schema pitfalls, then generates a `SKILL.md` file. This file lives in the repository and can be invoked by any analyst with a single prompt, version-controlling what was once tribal knowledge.
Manual creation of a skill stub (Linux). The original stub's KQL piped a `dynamic` array into `ipv4_lookup`, which is not valid; a `datatable` is the tabular source the plugin needs, and `ipv4_lookup` takes the lookup table, the source IP column and the lookup table's CIDR column. `ExternalThreatIntel` and its `Network` column are placeholders for your own threat-intel table:

````bash
mkdir -p skills/custom
cat > skills/custom/custom_ioc_enrichment.md <<'EOF'
# Custom IoC Enrichment Skill
Enrich IP addresses with external threat intel
KQL:
```kql
// ExternalThreatIntel is a placeholder lookup table; its CIDR column is assumed to be called Network
let IPs = datatable(IP:string)["192.168.1.1", "10.0.0.1"];
IPs
| evaluate ipv4_lookup(ExternalThreatIntel, IP, Network)
```
EOF
````
6. Why This Architecture Mitigates CVE-2026-25253
The recent OpenClaw vulnerability (CVE-2026-25253, CVSS 8.8) illustrates the risk class for AI agents: token theft from local storage, WebSocket hijacking, and disabled sandboxing leading to RCE. Security Investigator is designed so that those paths are absent:
– No Server: Runs inside VS Code, with the MCP servers spawned as local child processes; nothing listens on a port and there is no WebSocket endpoint.
– No Browser Tokens: Uses Entra ID OAuth with short-lived, auto-rotated tokens; no secrets in browser localStorage.
– Read-Only MCP: All queries are KQL read operations; there is no shell access and no RCE surface on the data plane. Read-only scoping bounds the blast radius, not the inputs: fields such as user agents and device names are attacker-controlled text that the model reads, which is why the preview step matters.
– Human-in-the-Loop: Every action is previewed in the chat before execution.
– RBAC + CA: The agent inherits the user's Azure RBAC, Conditional Access, and PIM policies, so it cannot read more than the analyst can and cannot disable its own guardrails.
To verify the authentication method on your Windows machine:

```powershell
# Check for stored tokens (they should be in secure storage, not plaintext).
# The cache location depends on the MSAL library in use; this is the path given for the framework.
Get-ChildItem -Path "$env:APPDATA\Microsoft\MSAL" -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName
# Expected output: empty, or cache files that are encrypted rather than readable JSON.
```
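To go one step beyond listing the cache files, this added check (not part of the project) classifies each file. A serialized MSAL token cache is JSON with top-level sections named AccessToken, RefreshToken and IdToken, so a file that parses as JSON with populated sections holds plaintext tokens, while a DPAPI- or keychain-protected cache does not parse at all. The sample bytes are constructed, including the DPAPI-like header; the directory layout in `demo_audit` is likewise a stand-in for whatever path your MSAL library uses.

```python
"""Classify on-disk MSAL token caches as plaintext or protected.

Added example, not part of the Security Investigator project. Sample bytes
and the temporary directory used by demo_audit() are constructed.
"""
import json
import tempfile
from pathlib import Path

TOKEN_SECTIONS = ("AccessToken", "RefreshToken", "IdToken")


def classify_cache_bytes(data):
    """Return 'empty', 'plaintext-tokens', 'json-no-tokens' or 'opaque'."""
    if not data.strip():
        return "empty"
    try:
        parsed = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return "opaque"  # DPAPI/keychain-protected blob, or not an MSAL cache at all
    if isinstance(parsed, dict) and any(parsed.get(s) for s in TOKEN_SECTIONS):
        return "plaintext-tokens"  # the finding: credentials readable by any local process
    return "json-no-tokens"


def audit_cache_dir(root):
    """Map every file under `root` (relative path) to its classification."""
    root = Path(root)
    return {str(p.relative_to(root)): classify_cache_bytes(p.read_bytes())
            for p in root.rglob("*") if p.is_file()}


# Constructed samples: an unprotected serialized cache, and bytes shaped like
# the start of a DPAPI blob (version word followed by the provider GUID).
PLAINTEXT = json.dumps({"AccessToken": {"k": {"secret": "eyJ...", "expires_on": "1"}},
                        "Account": {}}).encode()
OPAQUE = b"\x01\x00\x00\x00\xd0\x8c\x9d\xdf\x01\x15\xd1\x11\x8c\x7a\x00\xc0\x4f\xc2\x97\xeb"


def demo_audit():
    """Write the constructed samples to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "msal.cache").write_bytes(PLAINTEXT)
        (Path(tmp) / "msal.cache.bin").write_bytes(OPAQUE)
        return audit_cache_dir(tmp)


if __name__ == "__main__":
    for name, verdict in demo_audit().items():
        print(f"{name}: {verdict}")
```

A "plaintext-tokens" verdict is the same class of weakness the cited OpenClaw issue describes (tokens lifted from local storage); the fix is to make the client persist the cache through the OS-protected store rather than a raw file.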
7. Real-World Investigation Example: AiTM Defense Program
An analyst prompted the agent: “AiTM attacks still scare me, review the 2026 updates in this blog, research key Microsoft defensive techniques, and help me put together a defensive program with actionable improvements.”
The agent read the blog, cross-referenced Microsoft Learn documentation, and generated a comprehensive markdown file containing:
– Phishing-resistant MFA deployment steps (FIDO2, WHfB).
– Conditional Access policies to block non-compliant devices.
– Hunting KQL rules to detect AiTM toolkit patterns.
– A prioritized remediation roadmap.
Snippet of a generated KQL rule for AiTM detection:

```kql
// AiTM proxy detection - unusual user agent strings and rapid geo-hopping
SigninLogs
| where TimeGenerated > ago(1h)
| where UserAgent contains "HeadlessChrome" or UserAgent contains "Python-requests"
| extend GeoCluster = strcat(Location, "|", IPAddress)
| summarize Attempts = count(), Locations = make_set(Location) by UserPrincipalName, bin(TimeGenerated, 10m)
| where array_length(Locations) > 2
```
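The same hunt as Python over constructed sign-in rows, as an added example that is not part of the generated report: the user-agent filter (case-insensitive, as KQL `contains` is), the 10-minute `bin()`, and the more-than-two-locations threshold. The rows for alice, bob, carol and dave are constructed so that each filter is exercised once.

```python
"""The AiTM hunt above as Python: suspicious user agents, 10-minute bins, and
users seen from more than two locations within one bin.

Added example, not the project's code or the generated report. Rows are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
SUSPECT_UA = ("headlesschrome", "python-requests")   # compared lowercase: KQL `contains` is case-insensitive
BIN = timedelta(minutes=10)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def bin_start(ts):
    """Equivalent of bin(TimeGenerated, 10m): floor to the 10-minute boundary."""
    return EPOCH + ((ts - EPOCH) // BIN) * BIN


def hunt_aitm(rows, now=NOW, lookback=timedelta(hours=1), min_locations=3):
    """Return one hit per (user, bin) with at least `min_locations` distinct locations."""
    buckets = defaultdict(lambda: {"attempts": 0, "locations": set()})
    for r in rows:
        if r["TimeGenerated"] <= now - lookback:          # TimeGenerated > ago(1h)
            continue
        ua = r["UserAgent"].lower()
        if not any(s in ua for s in SUSPECT_UA):
            continue
        key = (r["UserPrincipalName"], bin_start(r["TimeGenerated"]))
        buckets[key]["attempts"] += 1
        buckets[key]["locations"].add(r["Location"])
    return [{"UserPrincipalName": upn, "Bin": b.isoformat(), "Attempts": v["attempts"],
             "Locations": sorted(v["locations"])}
            for (upn, b), v in sorted(buckets.items()) if len(v["locations"]) >= min_locations]


def _row(minutes_ago, upn, ua, location):
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "UserPrincipalName": upn,
            "UserAgent": ua, "Location": location}


HEADLESS = "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/124.0"
REQUESTS = "python-requests/2.31"
BROWSER = "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
SAMPLE_ROWS = [  # constructed
    _row(8, "alice@contoso.com", HEADLESS, "Seattle, US"),    # three cities in one 10m bin: hit
    _row(6, "alice@contoso.com", HEADLESS, "Lagos, NG"),
    _row(4, "alice@contoso.com", HEADLESS, "Frankfurt, DE"),
    _row(15, "bob@contoso.com", REQUESTS, "Austin, US"),      # automation from one place: no hit
    _row(14, "bob@contoso.com", REQUESTS, "Austin, US"),
    _row(7, "carol@contoso.com", BROWSER, "Seattle, US"),     # geo-hopping but ordinary UA: not matched
    _row(5, "carol@contoso.com", BROWSER, "Lagos, NG"),
    _row(3, "carol@contoso.com", BROWSER, "Frankfurt, DE"),
    _row(120, "dave@contoso.com", HEADLESS, "Seattle, US"),   # outside the 1h lookback
    _row(119, "dave@contoso.com", HEADLESS, "Lagos, NG"),
    _row(118, "dave@contoso.com", HEADLESS, "Frankfurt, DE"),
]

if __name__ == "__main__":
    for hit in hunt_aitm(SAMPLE_ROWS):
        print(hit)
```

Carol's rows show the rule's blind spot: an AiTM proxy that replays a realistic browser user agent is invisible to the UA filter, so the location-hopping logic only ever runs on sessions that were already noisy. Widen the lookback (`lookback=timedelta(hours=3)`) and dave's older cluster surfaces too.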
What Undercode Say:
- Architecture is Security: The shift from monolithic AI agents to sandboxed, locally-executed frameworks eliminates entire classes of vulnerabilities. The platform you build on is your security posture.
- Codify Tribal Knowledge: The ability to package an investigation as a version-controlled skill transforms analyst expertise from perishable knowledge into reusable, auditable automation.
The Security Investigator project demonstrates that AI in the SOC does not require trading security for efficiency. By building on enterprise-grade foundations (VS Code sandbox, Azure RBAC, read-only APIs) and enforcing structural defenses, it provides a blueprint for the “Agentic SOC.” The future of detection engineering lies not in writing more alerts, but in empowering analysts to investigate at machine speed while maintaining complete control. Analysts stay in the driver’s seat; AI removes the toil. Both win.
Prediction:
Within the next 12 months, the market will see a divergence in AI security tools: “disposable” cloud agents will face increasing scrutiny and regulation due to their inherent attack surface, while “embedded” frameworks like this one—which leverage existing hardened IDEs and cloud APIs—will become the standard for enterprise threat hunting. The convergence of development environments (VS Code) and security operations will accelerate, turning every SOC analyst into a “prompt engineer” who orchestrates complex data plane queries without ever leaving their workflow.
Reported By: Scstelz Socgpt – Hackers Feeds


