Automatically gather context on a security incident from Sentinel and Defender
Check flagged IPs and file hashes against VirusTotal and GreyNoise automatically
Get a confidence-scored verdict and evidence chain before escalating to a human analyst
Watch the agent's reasoning stream live while it investigates an incident
| rod-trent/siemtriage | cschanhniem/clawping | cub3y0nd/entropic | |
|---|---|---|---|
| Stars | 24 | 24 | 24 |
| Language | TypeScript | TypeScript | TypeScript |
| Setup difficulty | hard | moderate | moderate |
| Complexity | 4/5 | 3/5 | 3/5 |
| Audience | ops devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires Node.js, Postgres, and Redis, plus optional live Azure infrastructure.
SIEMTriage is a TypeScript-based AI agent that acts as a first-line security analyst for organizations using Microsoft Sentinel and Defender XDR, both are security monitoring platforms that generate alerts when suspicious activity is detected on a company's systems. The agent handles the routine, time-consuming work that junior analysts typically do manually: pulling in the alert details, gathering additional context about suspicious IPs, file hashes, and user accounts from external threat intelligence services, and running investigative database queries. Given a security incident ID, the agent automatically fetches the full incident, checks flagged IPs and domains against threat databases like VirusTotal and GreyNoise, looks up risky user accounts, and runs targeted log queries across both Sentinel and Defender. It then produces a structured verdict, essentially a classification of whether the incident is a real threat or a false alarm, along with a confidence score, a chain of evidence, and a recommended plan for a human analyst to follow up on. Critically, the agent never takes any action on its own: it only reads data and produces verdicts. A human analyst always makes the final call. The UI streams each step of the agent's reasoning in real time so analysts can watch and intervene. The repo ships with three realistic example incidents to demonstrate the full cycle. You can run it locally in demo mode with pre-computed results, or wire it to live Azure infrastructure. Built on the Claude Agent SDK, written in TypeScript, and requires Node.js, Postgres, and Redis. The full README is longer than what was provided.
An AI agent that triages Microsoft Sentinel and Defender security incidents automatically, producing a verdict for a human analyst to review.
Mainly TypeScript. The stack also includes TypeScript, Claude Agent SDK, Node.js.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.