Copilot for Security Plugin: Bad Tables
If you want to identify potential ingestion issues in Microsoft Sentinel tables, here’s a KQL plugin for Copilot for Security that you can use.
Get the plugin file: https://github.com/rod-trent/Copilot-for-Security/blob/main/Plugins/BadTables.yaml
What’s inside the YAML file (indentation restored; the lookback window in the query has been widened to 30 days, because a 3-day window can never contain a table whose newest record is 3 or more days old):
Descriptor:
  Name: BadTable
  DisplayName: Sentinel Tables Not Ingesting Data
  Description: Check all Tables to see which ones have not ingested data in 3 days or more

SkillGroups:
  - Format: KQL
    Skills:
      - Name: BadTable
        DisplayName: Sentinel Tables Not Ingesting Data
        Description: Check all Tables to see which ones have not ingested data in 3 days or more
        Settings:
          Target: Sentinel
          TenantId: <your_tenant_ID>
          SubscriptionId: <your_subscription_ID>
          ResourceGroupName: <your_RG_name>
          WorkspaceName: <your_WS_name>
          Template: |-
            // Scan a window wider than the 3-day threshold so quiet tables are still in scope
            union withsource=BadTable * | where TimeGenerated > ago(30d) | summarize Entries = count(), last_log = datetime_diff("second", now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable == true) by BadTable | where last_log >= 259200 | project BadTable
Note that you’ll need to replace the placeholder values in angle brackets (TenantId, SubscriptionId, ResourceGroupName and WorkspaceName) with your own environment details before the plugin will run.
Example of a prompt/something you can ask: Are there any Sentinel tables that are not ingesting data?
The KQL query used by the plugin. One detail matters here: the lookback in the first where clause must be wider than the three-day threshold. If both are 3d, every record that survives the filter is newer than three days, so last_log is always below 259200 seconds and the query returns nothing. A 30-day window is used instead:
union withsource=BadTable *
| where TimeGenerated > ago(30d)
| summarize Entries = count(), last_log = datetime_diff("second", now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable == true) by BadTable
| where last_log >= 259200
| project BadTable
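As an added example (the editor's, not the original post's query or the linked plugin file), here is a version of the same check that also reports when each quiet table was last seen and how long it has been silent, so the answer Copilot returns is actionable rather than a bare list of table names. The 30-day lookback and the three-day silence threshold are assumptions you can tune to your retention and alerting needs.

```kql
// Added example; not the plugin's own query.
// lookback: how far back to scan for tables that were alive at some point (assumption: 30d).
// silence:  how long a table must go without new records before it is flagged (assumption: 3d).
let lookback = 30d;
let silence = 3d;
union withsource=BadTable *
| where TimeGenerated > ago(lookback)
// One row per table: newest record, row count and billable volume inside the window.
| summarize LastSeen = max(TimeGenerated),
            Entries = count(),
            BilledBytes = sumif(_BilledSize, _IsBillable == true)
          by BadTable
// Keep only tables whose newest record is older than the silence threshold.
| where LastSeen < ago(silence)
| extend HoursSilent = datetime_diff("hour", now(), LastSeen)
| project BadTable, LastSeen, HoursSilent, Entries, BilledBytes
| order by HoursSilent desc
```

Two caveats apply to both this query and the plugin's original. First, union * over a wide window reads every table in the workspace, so on a large workspace expect it to be slow and to count against query limits; scope it with a narrower lookback once you know how long your quietest legitimate tables normally go between batches. Second, a table with no records at all inside the lookback window never appears in the union output and therefore cannot be flagged; to catch tables that stopped ingesting before the window began, check the Usage table (which records volume per DataType independently of the tables themselves) for DataType values whose latest TimeGenerated is older than your threshold.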
To install this in your own Copilot for Security instance, see: Add custom plugins