Important
Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Agents can take actions and automate workflows, and they do so by using tools. A tool is a function given to the LLM to meet an objective. The right tools help agents accomplish tasks for their specific use case. Agents handle the entire tool execution process in the background.
Tools enable LLMs to interact with external systems, such as querying databases, calling APIs, or performing computations. Each tool is uniquely identified by a name and includes metadata describing its schema.
This article explains the types of tools developers can create or integrate using the agent builder.
Action tools
Developers can author their own tools using the Create tool feature or integrate with the existing tools from the extensive tool catalog.
Security Copilot provides different action tools for integration:
API: Make a REST request to an external API using the OpenAPI specification to return a response.
GPT: Write a Generative-AI prompt to use LLM capabilities to reason over natural language or data.
KQL: Query a Kusto database with custom, parameterized Kusto Query Language (KQL) queries to return data.
Model Context Protocol (MCP): Allows an MCP server to expose tools that are invoked by an MCP client.
You can use the GPT and KQL tools to build agents in the standalone experience. To add Microsoft Sentinel's collection of MCP tools, see Steps to create a custom agent.
To build custom plugins using API and MCP: