magic-tool / magic

Public

The MAGIC tool is a wrapper around the Microsoft Graph Python SDK, designed to download incident response-relevant data from M365 environments.

31 stars · 100% credibility · Found Feb 18, 2026 at 17 stars
AI Summary (Python)

MAGIC is a Python tool that extracts and consolidates incident response data such as audit logs, sign-ins, and message traces from Microsoft 365 environments into analyzable JSONL files.

How It Works

1. 🔍 Discover MAGIC: you hear about MAGIC while investigating a security issue in your company's Microsoft 365 tenant, because it gathers sign-in and activity records without hand-written Graph API scripts.

2. 🛠️ Prepare your workspace: you run `magic-init`, which creates a YAML config file and the working folders where MAGIC will save its output.

3. 🔗 Link to your company account: you add the credentials of an Entra ID app registration to the config so MAGIC can authenticate to the Graph API and reach the right records.

4. 📋 Pick what to collect: you list the crawl targets you need for the investigation, such as `m365_signin` for user sign-ins, message traces, or audit logs.

5. ▶️ Start gathering data: with one `magic` command, MAGIC pulls every selected record type and writes it out as structured JSONL.

6. 🎉 Review your results: you get clean JSONL files that load directly into analysis tools such as Timesketch or OpenSearch, so you can quickly establish what happened.

AI-Generated Review

What is magic?

MAGIC pulls incident response data (sign-ins, audits, message traces, unified audit logs) from Microsoft 365 via the Graph API and writes consolidated JSONL files that load into Timesketch or OpenSearch. You pip-install it from GitHub, run `magic-init` to generate the YAML config and working folders, add Entra ID app credentials and crawl targets such as `m365_signin` to the config, then run `magic` to dump structured logs. Built in Python on the Graph SDK, it removes the manual API scripting that usually slows down IR triage.

Why is it gaining traction?

Pure Python means it runs anywhere, not only on Windows hosts with PowerShell, and the CLI adds conveniences such as `--manifest` for listing required permissions and preflight checks that surface configuration problems before a long crawl fails partway through. Chained enrichers add IP geolocation, Timesketch formatting, and SHA256 hashes automatically. The hook is a complete forensic collection workflow driven by one config file, instead of scattered ad-hoc Graph queries.

Who should use this?

Incident responders hunting M365 compromises through sign-in spikes or suspicious message traces. SOC analysts building timelines from the unified audit log without Excel exports. DFIR teams feeding logs into Timesketch to analyze activity in Entra ID tenants.
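An added example, not code from the MAGIC project, of what the enrichment step described under "Why is it gaining traction?" and the sign-in spike hunt mentioned above look like once a dump is on disk: it reads a JSONL file of Graph `signIn` records, rewrites it into the `message` / `datetime` / `timestamp_desc` shape that Timesketch imports, hashes both files with SHA256, and flags any user with three or more failed sign-ins in a single UTC hour. Field names follow the Graph signIn schema; that MAGIC writes one raw signIn object per line, the file names, the constructed sample records and the threshold are all assumptions made for this example.

```python
"""Post-process Graph sign-in JSONL: Timesketch shape, SHA256, failure spikes.

Added example, not part of MAGIC. Assumes one raw Microsoft Graph `signIn`
object per JSONL line (the field names are Graph's; the file layout is assumed).
"""
import hashlib
import json
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed sample data (not real tenant records): three failed sign-ins for
# one user inside one hour, then a success, plus an unrelated success.
SAMPLE_SIGNINS = [
    {"id": "a1", "createdDateTime": "2026-02-18T09:01:12Z",
     "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password"}},
    {"id": "a2", "createdDateTime": "2026-02-18T09:02:40Z",
     "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password"}},
    {"id": "a3", "createdDateTime": "2026-02-18T09:03:05Z",
     "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password"}},
    {"id": "a4", "createdDateTime": "2026-02-18T09:05:30Z",
     "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 0, "failureReason": "Other."}},
    {"id": "b1", "createdDateTime": "2026-02-18T11:15:00Z",
     "userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7",
     "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 0, "failureReason": "Other."}},
]


def write_jsonl(path: Path, records) -> None:
    with path.open("w", encoding="utf-8") as fh:
        for rec in records:
            fh.write(json.dumps(rec, sort_keys=True) + "\n")


def read_jsonl(path: Path):
    with path.open(encoding="utf-8") as fh:
        for line in fh:
            if line.strip():
                yield json.loads(line)


def sha256_file(path: Path) -> str:
    """Hash an evidence file in 1 MiB chunks so large dumps stay off the heap."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def to_timesketch(rec: dict) -> dict:
    """Map a Graph signIn onto the three fields Timesketch requires
    (message, datetime, timestamp_desc); the rest become extra columns."""
    code = (rec.get("status") or {}).get("errorCode", 0)
    outcome = "SUCCESS" if code == 0 else f"FAILURE({code})"
    return {
        "message": (f"{outcome} sign-in by {rec.get('userPrincipalName')} "
                    f"from {rec.get('ipAddress')} to {rec.get('appDisplayName')}"),
        "datetime": rec["createdDateTime"],
        "timestamp_desc": "Entra ID sign-in",
        "user": rec.get("userPrincipalName"),
        "ip": rec.get("ipAddress"),
        "error_code": code,
        "source_id": rec.get("id"),
    }


def find_failure_spikes(records, threshold: int = 3) -> list:
    """Users with >= threshold failed sign-ins inside one UTC hour (errorCode != 0)."""
    buckets = Counter()
    for rec in records:
        if (rec.get("status") or {}).get("errorCode", 0) == 0:
            continue  # successes are not part of the spike
        ts = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        hour = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:00Z")
        buckets[(rec.get("userPrincipalName"), hour)] += 1
    return [{"user": u, "hour": h, "failures": n}
            for (u, h), n in sorted(buckets.items()) if n >= threshold]


def process(raw_path: Path, out_path: Path, threshold: int = 3) -> dict:
    """Convert raw_path into Timesketch JSONL at out_path and hash both files."""
    records = list(read_jsonl(raw_path))
    write_jsonl(out_path, (to_timesketch(r) for r in records))
    return {"records": len(records),
            "input_sha256": sha256_file(raw_path),
            "output_sha256": sha256_file(out_path),
            "spikes": find_failure_spikes(records, threshold)}


def demo() -> dict:
    """Write the constructed sample to a temp dir and run the pipeline over it."""
    with TemporaryDirectory() as tmp:
        raw = Path(tmp) / "m365_signin.jsonl"          # assumed MAGIC output name
        out = Path(tmp) / "m365_signin.timesketch.jsonl"
        write_jsonl(raw, SAMPLE_SIGNINS)
        return process(raw, out)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Record the two hashes alongside the files in your case notes: the input hash ties the converted timeline back to the raw dump, and the hourly bucket is a deliberately coarse first pass that you would tune per tenant (a busy service account can legitimately exceed three failures an hour).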

Verdict

Solid for M365 IR despite its modest star count: v0.5 feels mature, with crisp docs and an MIT license, but low adoption means edge cases are likely under-tested. Try it if you query Graph daily; fork it for custom needs.
