KQL plugins in Microsoft Security Copilot
Create powerful plugins using Kusto Query Language (KQL) queries to explore your data and discover patterns.
These settings are common to all KQL skills. The snippet below shows both `TemplateUrl` and `Template` for reference; a real skill sets only one of them.

```yaml
Settings:
  # What type of KQL endpoint to connect to.
  # One of { Defender, Sentinel, LogAnalytics, Kusto }
  Target: Sentinel
  # A URL to download the KQL query template from.
  # Specify either TemplateUrl or Template but not both.
  TemplateUrl: https://gist.githubusercontent.com/NitinKumarGoel/c862ba63878dd2624acb1b0e260f409a/raw/3a527014757b4ee1f00302a1b34a13e7b83ff77a/gistfile1.txt
  # An inline KQL query template.
  # Specify either TemplateUrl or Template but not both.
  Template: |-
    SigninLogs
    | where UserDisplayName == '{{user}}' or UserPrincipalName == '{{user}}'
    | project TimeGenerated, OperationName, UserDisplayName, UserPrincipalName, Location, ResourceDisplayName, ConditionalAccessStatus, IsInteractive
    | top 100 by TimeGenerated desc
```
The following table shows the settings that can be configured for any KQL skill target:

| Setting Name | Type | Description | Required |
|---|---|---|---|
| Template | string | Inline KQL prompt template. Supports up to 80,000 chars. | Yes, if TemplateUrl isn't specified. |
| TemplateUrl | string | Public URL to download the KQL prompt template (up to 80,000 chars) from. | Yes, if Template isn't specified. Specify either TemplateUrl or Template but not both. |
| PackageUrl | string | Public URL for the zip file that contains the KQL prompt template. Note: this is specified at the SkillGroup level, like the GPT skill PackageUrl. | Yes, if neither Template nor TemplateUrl is specified. |
| TemplateFile | string | Relative path to the KQL prompt template (up to 80,000 chars) within the PackageUrl zip file. | Yes, if PackageUrl is specified. |
These settings are valid for KQL skills where the Target is Sentinel.

```yaml
Settings:
  # The ID of the Microsoft Entra ID (Azure AD) tenant that the Sentinel workspace is in.
  TenantId:
  # The ID of the Azure subscription that the Sentinel workspace is in.
  SubscriptionId:
  # The name of the resource group that the Sentinel workspace is in.
  ResourceGroupName:
  # The name of the Sentinel workspace.
  WorkspaceName:
```
These settings are valid for KQL skills where the Target is Kusto.

```yaml
Settings:
  # The Kusto cluster URL.
  Cluster:
  # The Kusto database name.
  Database:
```
A complete sample manifest with a single skill that targets Defender:

```yaml
Descriptor:
  Name: SampleDefenderKQL
  DisplayName: My Sample Defender KQL Plugin
  Description: Skills to query email logs in M365 Advanced Hunting

SkillGroups:
  - Format: KQL
    Skills:
      - Name: GetLatestEmailsByRecipient
        DisplayName: Get Latest Emails By Recipient
        Description: Fetches the latest emails received by the user with the specified email address
        Inputs:
          - Name: email
            Description: The email address of the recipient
            Required: true
        Settings:
          Target: Defender
          Template: |-
            EmailEvents
            | where RecipientEmailAddress =~ '{{email}}'
            | project Timestamp, NetworkMessageId, SenderFromAddress, SenderDisplayName, Subject, DeliveryLocation
            | top 100 by Timestamp desc
```
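The settings table and the per-target sections above are rules that a manifest has to satisfy before it is worth uploading, and the `{{email}}` placeholder shows how skill inputs are spliced into the query text. The following added example (not Microsoft's code and not how Security Copilot itself parses or renders a manifest) encodes those rules as an offline lint pass and fills placeholders the way the page's templates use them. The manifest is embedded as a Python dict rather than parsed from YAML so it runs with the standard library only; the broken Sentinel skill is constructed for illustration; and the KQL-style backslash escaping of quotes in input values is this helper's own choice, not documented Copilot behaviour.

```python
"""Offline lint-and-render helper for Security Copilot KQL plugin skills (added example)."""
import re

TEMPLATE_MAX_CHARS = 80_000
VALID_TARGETS = {"Defender", "Sentinel", "LogAnalytics", "Kusto"}
# Target-specific settings listed on the page (none are listed for Defender or LogAnalytics).
TARGET_REQUIRED = {
    "Sentinel": ("TenantId", "SubscriptionId", "ResourceGroupName", "WorkspaceName"),
    "Kusto": ("Cluster", "Database"),
}
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def lint_kql_skill(skill, group_settings=None):
    """Return a list of problems with a skill's Settings; an empty list means it is consistent."""
    problems = []
    settings = skill.get("Settings", {})
    group_settings = group_settings or {}
    target = settings.get("Target")
    if target not in VALID_TARGETS:
        problems.append(f"Target must be one of {sorted(VALID_TARGETS)}, got {target!r}")

    has_template = "Template" in settings
    has_url = "TemplateUrl" in settings
    has_package = "PackageUrl" in group_settings  # PackageUrl lives at SkillGroup level
    if has_template and has_url:
        problems.append("Specify either TemplateUrl or Template but not both")
    if not (has_template or has_url or has_package):
        problems.append("One of Template, TemplateUrl or PackageUrl (SkillGroup level) is required")
    if has_package and "TemplateFile" not in settings:
        problems.append("TemplateFile is required when PackageUrl is specified")
    if has_template and len(settings["Template"]) > TEMPLATE_MAX_CHARS:
        problems.append(f"Template exceeds {TEMPLATE_MAX_CHARS} chars")

    for key in TARGET_REQUIRED.get(target, ()):
        if not settings.get(key):
            problems.append(f"{key} is required when Target is {target}")

    # Every {{placeholder}} in an inline template must be a declared input, and vice versa.
    declared = {inp["Name"] for inp in skill.get("Inputs", [])}
    if has_template:
        used = set(PLACEHOLDER.findall(settings["Template"]))
        for name in sorted(used - declared):
            problems.append(f"template references undeclared input {{{{{name}}}}}")
        for name in sorted(declared - used):
            problems.append(f"input {name} is declared but never used in the template")
    return problems


def render_kql(skill, values):
    """Fill the inline Template with input values, enforcing Required inputs."""
    for inp in skill.get("Inputs", []):
        if inp.get("Required") and not values.get(inp["Name"]):
            raise ValueError(f"missing required input {inp['Name']}")

    def fill(match):
        # The page's templates put placeholders inside '...' string literals, so backslashes
        # and single quotes in a value are escaped KQL-style (\\ and \'). Assumption of this helper.
        value = str(values.get(match.group(1), ""))
        return value.replace("\\", "\\\\").replace("'", "\\'")

    return PLACEHOLDER.sub(fill, skill["Settings"]["Template"])


# The Defender skill from the page's sample manifest, as a dict instead of YAML.
DEFENDER_SKILL = {
    "Name": "GetLatestEmailsByRecipient",
    "Inputs": [{"Name": "email", "Description": "The email address of the recipient", "Required": True}],
    "Settings": {
        "Target": "Defender",
        "Template": (
            "EmailEvents\n"
            "| where RecipientEmailAddress =~ '{{email}}'\n"
            "| project Timestamp, NetworkMessageId, SenderFromAddress, SenderDisplayName, Subject, DeliveryLocation\n"
            "| top 100 by Timestamp desc"
        ),
    },
}

# Constructed, deliberately broken Sentinel skill: both template sources set, WorkspaceName
# empty, and a {{user}} placeholder with no declared input.
BROKEN_SENTINEL_SKILL = {
    "Name": "GetUserSignins",
    "Inputs": [],
    "Settings": {
        "Target": "Sentinel",
        "Template": "SigninLogs | where UserPrincipalName == '{{user}}'",
        "TemplateUrl": "https://example.invalid/template.txt",
        "TenantId": "00000000-0000-0000-0000-000000000000",
        "SubscriptionId": "00000000-0000-0000-0000-000000000000",
        "ResourceGroupName": "rg-sentinel",
        "WorkspaceName": "",
    },
}

if __name__ == "__main__":
    print("page sample:", lint_kql_skill(DEFENDER_SKILL) or "OK")
    print("broken sample:", lint_kql_skill(BROKEN_SENTINEL_SKILL))
    print(render_kql(DEFENDER_SKILL, {"email": "o'brien@contoso.com"}))
```

Run it as a script to see the page's sample pass, the constructed Sentinel skill fail on three distinct rules, and a recipient address containing a quote rendered into the `=~ '...'` literal without breaking it.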