원클릭으로 Manus에서 모든 스킬 실행

$pwd:

incident-investigator

Name: Incident Investigator
Author: AzureAD

// Systematically investigate IcM incidents and customer-reported authentication issues for Android Broker/MSAL. Use this skill when asked to investigate an incident, troubleshoot auth failures, analyze customer logs, diagnose PRT/SSO issues, or review IcM tickets. Triggers include "investigate incident", "troubleshoot IcM", "analyze these logs", "what's wrong with this auth flow", "diagnose this issue", or any request involving incident investigation with evidence-based diagnosis.

Manus에서 실행

$ git log --oneline --stat

stars:4

forks:4

updated:2026년 4월 1일 15:10

파일 탐색기

3 개 파일

SKILL.md

readonly

name

incident-investigator

description

Systematically investigate IcM incidents and customer-reported authentication issues for Android Broker/MSAL. Use this skill when asked to investigate an incident, troubleshoot auth failures, analyze customer logs, diagnose PRT/SSO issues, or review IcM tickets. Triggers include "investigate incident", "troubleshoot IcM", "analyze these logs", "what's wrong with this auth flow", "diagnose this issue", or any request involving incident investigation with evidence-based diagnosis.

Incident Investigator

Investigate Android authentication incidents systematically with evidence-first diagnosis.

Investigation Workflow

Execute these steps IN ORDER. Do not skip steps.

Step 1: Gather IcM Context

Query DRI Copilot MCP FIRST. The tool name varies by local config, so use tool_search_tool_regex with pattern Android_DRI_Copilot to find the correct tool, then invoke it.

Extract from IcM:

Affected app(s): Outlook, Teams, other 1P apps?
Account(s): Specific user or tenant-wide?
Device context: SDM enabled? Device model? Android version?
Symptoms: What exactly fails? Error messages?
Repro conditions: When does it happen vs. not happen?

Step 2: Extract Log Evidence

Search logs for these key patterns:

Pattern	What It Tells You
`correlation_id:`	Request tracking ID for eSTS correlation
`error_code` or `Error`	Specific failure reason
`No PRT present`	Missing Primary Refresh Token
`SignOut` or `removeAccount`	Account removal events
`disabled by MDM`	MDM policy interference
`invoked for package name:`	Which app made the request
`executed successfully` vs `failed`	Operation outcome

Build a timeline of events with correlation IDs.

Step 3: Analyze Account/Token State

Check these indicators in logs:

Log Message	Indicates
`Found [N] Accounts...`	How many accounts in cache
`No PRT present for the account`	PRT missing or wiped
`Home Account id doesn't have uid or tenant id`	Incomplete account state
`Found more than one account entry`	Duplicate account issue
`PRT is already registered-device PRT`	Valid WPJ PRT exists
`Loading Workplace Join entry for tenant:`	Device is WPJ'd

Step 4: Identify Operation Flow

Map the operations that occurred:

Operation	Purpose
`GetDeviceModeMsalBrokerOperation`	Check if SDM enabled
`GetCurrentAccountMsalBrokerOperation`	Fetch signed-in account
`AcquireTokenSilentMsalBrokerOperation`	Silent token acquisition
`AcquireTokenInteractiveMsalBrokerOperation`	Interactive auth
`SignOutFromSharedDeviceMsalBrokerOperation`	SDM sign-out (⚠️ key for SDM issues)
`GetPreferredAuthMethodMsalBrokerOperation`	Auth method check

Step 5: Form Hypotheses

Rank by evidence strength:

Confidence	Criteria
HIGH	Direct log evidence shows the issue
MEDIUM	Logs suggest but don't confirm
LOW	Inference based on patterns, no direct evidence

Common root causes to consider:

MDM triggering sign-out (Imprivata, other MDMs)
PRT deleted/expired/revoked
Device cap reached
Account-specific CA policy
SDM misconfiguration
Broker/app version incompatibility

Step 6: Identify Missing Evidence

State explicitly what's NOT in the logs that would help:

Missing correlation IDs?
No sign-out operation captured?
No eSTS error codes?
Logs from wrong time window?

Output Format

## Investigation: IcM [Number]

### IcM Summary
| Field | Value |
|-------|-------|
| Affected App(s) | |
| Account | |
| Device | Android [version], Broker [version] |
| SDM Enabled | Yes/No |
| Symptoms | |

### Key Correlation IDs
| Correlation ID | Operation | Result |
|----------------|-----------|--------|
| `abc-123...` | AcquireTokenSilent | ✅/❌ |

### Evidence from Logs

#### Finding 1: [Description]
- **Timestamp**: 
- **Evidence**: [Exact log line]
- **Implication**: 

### Hypotheses (Ranked by Evidence)

| # | Hypothesis | Confidence | Supporting Evidence |
|---|------------|------------|---------------------|
| 1 | | HIGH/MED/LOW | |

### Missing Evidence
- [ ] [What additional data is needed]

### Recommended Actions
1. [Next step]
2. [Next step]

Common Patterns

Pattern: MDM-Triggered Sign-Out (SDM)

Symptoms: User signs in, immediately signed out Evidence to look for:

SignOutFromSharedDeviceMsalBrokerOperation from MDM package
disabled by MDM messages
No PRT present after successful auth

Pattern: Missing PRT

Symptoms: Silent auth fails, interactive works Evidence to look for:

No PRT present for the account
Check if AcquireTokenSilent fails but AcquireTokenInteractive succeeds
Look for prior sign-out or PRT revocation

Pattern: Device Cap

Symptoms: New device can't register Evidence to look for:

Error during device registration
eSTS error about device limit
Check eSTS logs with correlation ID

Pattern: Duplicate Accounts

Symptoms: Inconsistent auth behavior Evidence to look for:

Found more than one account entry for user
Multiple accounts with same UPN but different home account IDs

DRI Copilot Queries

Initial Query (always start here)

When given just an incident ID, query DRI Copilot with:

"Investigate IcM [number]. What are the affected apps, symptoms, and known issues?"

This single query extracts:

Affected application(s)
Customer-reported symptoms
Account/device context
Any known root cause or past similar incidents

Follow-up Queries (after initial context)

Once you have context from the initial query, use targeted follow-ups:

"TSG for error code [error_code]"           # After finding error in logs
"Past incidents related to [symptom]"        # After identifying symptom from IcM
"How to troubleshoot [specific_issue]"       # For deep-dive guidance

eSTS Correlation

Use the Kusto MCP tool to correlate with eSTS when needed:

mcp_my-mcp-server_execute_query

Parameters:

cluster: https://estswus2.kusto.windows.net
database: ESTS
query: (see below)

Basic correlation query:

AllPerRequestTable
| where env_time >= ago(7d)
| where DevicePlatformForUI == "Android"
| where CorrelationId == "[correlation-id]"
| project env_time, CorrelationId, Call, Result, ErrorCode, PrtData

For more Kusto queries, see references/kusto-queries.md.

Key Reminders

Query DRI Copilot FIRST - Get IcM context before analyzing logs
Evidence over assumptions - Only state what logs show
State what's missing - Be explicit about evidence gaps
Search all log files - Issue may span multiple log segments
Check for sign-out operations - Critical for SDM issues

related-skills.json

같은 저장소

aria-alert-investigator.md

from "AzureAD/android-complete"

Investigate Aria health-metric alerts (threshold-based IcMs of the form "Aria detected an incident in <project> for <metric>"). Use this skill when an IcM was triggered by Aria's threshold monitor on android_spans / android_metrics — NOT for customer-reported authentication failures. Triggers include "investigate Aria alert", "Aria detected an incident", "health metric incident", "telemetry threshold breach", or any IcM where the title starts with "Aria detected".

2026-05-124

kusto-analyst.md

from "AzureAD/android-complete"

Analyze Android authentication telemetry using Azure Data Explorer (Kusto). Use this skill for querying android_spans, eSTS correlation, latency investigation, error analysis, and telemetry troubleshooting. Triggers include "query Kusto", "analyze telemetry", "check android_spans", "eSTS correlation", "latency investigation", "error patterns", or any request involving telemetry data analysis.

2026-05-054

codebase-researcher.md

from "AzureAD/android-complete"

Systematically explore unfamiliar codebases to find implementations, patterns, and architecture. Use this skill when asked to find code, locate implementations, understand how features work, trace call flows, or explore project structure. Triggers include "where is X implemented", "find the code for Y", "how does Z work in this repo", "trace the flow of", "show me the implementation of", or any request requiring codebase exploration with evidence-based findings.

2026-04-214

feature-planner.md

from "AzureAD/android-complete"

Decompose high-level feature requests into detailed, repo-targeted PBIs for the Android Auth multi-repo project. Use this skill when a developer describes a feature at a high level and wants it broken down into actionable work items. Triggers include "plan this feature", "break this down into PBIs", "decompose this into tasks", "plan implementation for", or any request to turn a feature idea into structured development work items. This skill produces a plan for developer review — actual ADO work item creation is handled by the `pbi-creator` skill.

2026-04-214

release-helper.md

from "AzureAD/android-complete"

Understand, navigate, and troubleshoot the Android Auth Client CI/CD pipeline system. Use this skill when asked about pipelines, release processes, build pipelines, hotfix workflows, daily validation, cron schedules, pipeline templates, release branches, RC testing, publishing to Maven Central, or any ADO/GitHub Actions pipeline question. Triggers include "how does the release pipeline work", "what pipeline does X", "where is the cron job for releases", "how do hotfixes work", "trace the monthly release flow", "pipeline template for Y", "how are broker apps built".

2026-04-214

copilot-review-analyst.md

from "AzureAD/android-complete"

Analyze GitHub Copilot code review effectiveness across Android Auth repositories. Collects all Copilot inline review comments via GitHub API, classifies them as helpful/not-helpful/unresolved through reply analysis, diff verification, and AI-assisted classification, then generates a report with per-repo and per-engineer statistics. Use this skill when asked to "analyze Copilot reviews", "measure Copilot review effectiveness", "generate Copilot review report", "how helpful are Copilot reviews", "run review analysis", or any request to measure/report on GitHub Copilot code review quality and adoption.

2026-04-214

package.json

"author": "AzureAD"

"repository": "AzureAD/android-complete"

GitHub 저장소 열기 Creator 저장소 보기

$ install --global

$ download --local

Manus에서 실행

$ useful --forSOC

정보 보안 분석가컴퓨터 및 수학직15-1212L4

name

incident-investigator

description

Incident Investigator

Investigate Android authentication incidents systematically with evidence-first diagnosis.

Investigation Workflow

Execute these steps IN ORDER. Do not skip steps.

Step 1: Gather IcM Context

Query DRI Copilot MCP FIRST. The tool name varies by local config, so use tool_search_tool_regex with pattern Android_DRI_Copilot to find the correct tool, then invoke it.

Extract from IcM:

Affected app(s): Outlook, Teams, other 1P apps?
Account(s): Specific user or tenant-wide?
Device context: SDM enabled? Device model? Android version?
Symptoms: What exactly fails? Error messages?
Repro conditions: When does it happen vs. not happen?

Step 2: Extract Log Evidence

Search logs for these key patterns:

Pattern	What It Tells You
`correlation_id:`	Request tracking ID for eSTS correlation
`error_code` or `Error`	Specific failure reason
`No PRT present`	Missing Primary Refresh Token
`SignOut` or `removeAccount`	Account removal events
`disabled by MDM`	MDM policy interference
`invoked for package name:`	Which app made the request
`executed successfully` vs `failed`	Operation outcome

Build a timeline of events with correlation IDs.

Step 3: Analyze Account/Token State

Check these indicators in logs:

Log Message	Indicates
`Found [N] Accounts...`	How many accounts in cache
`No PRT present for the account`	PRT missing or wiped
`Home Account id doesn't have uid or tenant id`	Incomplete account state
`Found more than one account entry`	Duplicate account issue
`PRT is already registered-device PRT`	Valid WPJ PRT exists
`Loading Workplace Join entry for tenant:`	Device is WPJ'd

Step 4: Identify Operation Flow

Map the operations that occurred:

Operation	Purpose
`GetDeviceModeMsalBrokerOperation`	Check if SDM enabled
`GetCurrentAccountMsalBrokerOperation`	Fetch signed-in account
`AcquireTokenSilentMsalBrokerOperation`	Silent token acquisition
`AcquireTokenInteractiveMsalBrokerOperation`	Interactive auth
`SignOutFromSharedDeviceMsalBrokerOperation`	SDM sign-out (⚠️ key for SDM issues)
`GetPreferredAuthMethodMsalBrokerOperation`	Auth method check

Step 5: Form Hypotheses

Rank by evidence strength:

Confidence	Criteria
HIGH	Direct log evidence shows the issue
MEDIUM	Logs suggest but don't confirm
LOW	Inference based on patterns, no direct evidence

Common root causes to consider:

MDM triggering sign-out (Imprivata, other MDMs)
PRT deleted/expired/revoked
Device cap reached
Account-specific CA policy
SDM misconfiguration
Broker/app version incompatibility

Step 6: Identify Missing Evidence

State explicitly what's NOT in the logs that would help:

Missing correlation IDs?
No sign-out operation captured?
No eSTS error codes?
Logs from wrong time window?

Output Format

## Investigation: IcM [Number]

### IcM Summary
| Field | Value |
|-------|-------|
| Affected App(s) | |
| Account | |
| Device | Android [version], Broker [version] |
| SDM Enabled | Yes/No |
| Symptoms | |

### Key Correlation IDs
| Correlation ID | Operation | Result |
|----------------|-----------|--------|
| `abc-123...` | AcquireTokenSilent | ✅/❌ |

### Evidence from Logs

#### Finding 1: [Description]
- **Timestamp**: 
- **Evidence**: [Exact log line]
- **Implication**: 

### Hypotheses (Ranked by Evidence)

| # | Hypothesis | Confidence | Supporting Evidence |
|---|------------|------------|---------------------|
| 1 | | HIGH/MED/LOW | |

### Missing Evidence
- [ ] [What additional data is needed]

### Recommended Actions
1. [Next step]
2. [Next step]

Common Patterns

Pattern: MDM-Triggered Sign-Out (SDM)

Symptoms: User signs in, immediately signed out Evidence to look for:

SignOutFromSharedDeviceMsalBrokerOperation from MDM package
disabled by MDM messages
No PRT present after successful auth

Pattern: Missing PRT

Symptoms: Silent auth fails, interactive works Evidence to look for:

No PRT present for the account
Check if AcquireTokenSilent fails but AcquireTokenInteractive succeeds
Look for prior sign-out or PRT revocation

Pattern: Device Cap

Symptoms: New device can't register Evidence to look for:

Error during device registration
eSTS error about device limit
Check eSTS logs with correlation ID

Pattern: Duplicate Accounts

Symptoms: Inconsistent auth behavior Evidence to look for:

Found more than one account entry for user
Multiple accounts with same UPN but different home account IDs

DRI Copilot Queries

Initial Query (always start here)

When given just an incident ID, query DRI Copilot with:

"Investigate IcM [number]. What are the affected apps, symptoms, and known issues?"

This single query extracts:

Affected application(s)
Customer-reported symptoms
Account/device context
Any known root cause or past similar incidents

Follow-up Queries (after initial context)

Once you have context from the initial query, use targeted follow-ups:

"TSG for error code [error_code]"           # After finding error in logs
"Past incidents related to [symptom]"        # After identifying symptom from IcM
"How to troubleshoot [specific_issue]"       # For deep-dive guidance

eSTS Correlation

Use the Kusto MCP tool to correlate with eSTS when needed:

mcp_my-mcp-server_execute_query

Parameters:

cluster: https://estswus2.kusto.windows.net
database: ESTS
query: (see below)

Basic correlation query:

AllPerRequestTable
| where env_time >= ago(7d)
| where DevicePlatformForUI == "Android"
| where CorrelationId == "[correlation-id]"
| project env_time, CorrelationId, Call, Result, ErrorCode, PrtData

For more Kusto queries, see references/kusto-queries.md.

Key Reminders

Query DRI Copilot FIRST - Get IcM context before analyzing logs
Evidence over assumptions - Only state what logs show
State what's missing - Be explicit about evidence gaps
Search all log files - Issue may span multiple log segments
Check for sign-out operations - Critical for SDM issues

incident-investigator

Incident Investigator

Investigation Workflow

Step 1: Gather IcM Context

Step 2: Extract Log Evidence

Step 3: Analyze Account/Token State

Step 4: Identify Operation Flow

Step 5: Form Hypotheses

Step 6: Identify Missing Evidence

Output Format

Common Patterns

Pattern: MDM-Triggered Sign-Out (SDM)

Pattern: Missing PRT

Pattern: Device Cap

Pattern: Duplicate Accounts

DRI Copilot Queries

Initial Query (always start here)

Follow-up Queries (after initial context)

eSTS Correlation

Key Reminders

이 저장소의 다른 Skills

이 저장소의 다른 Skills

Incident Investigator

Investigation Workflow

Step 1: Gather IcM Context

Step 2: Extract Log Evidence

Step 3: Analyze Account/Token State

Step 4: Identify Operation Flow

Step 5: Form Hypotheses

Step 6: Identify Missing Evidence

Output Format

Common Patterns

Pattern: MDM-Triggered Sign-Out (SDM)

Pattern: Missing PRT

Pattern: Device Cap

Pattern: Duplicate Accounts

DRI Copilot Queries

Initial Query (always start here)

Follow-up Queries (after initial context)

eSTS Correlation

Key Reminders