Rod’s Blog

Share this post

Rod’s Blog
Rod’s Blog
Copilot for Security Plugin: Country Info
Copy link
Facebook
Email
Notes
More

Copilot for Security Plugin: Country Info

This plugin retrieves Country information using a publicly available database.

Rod Trent
Apr 26, 2024

Share this post

Rod’s Blog
Rod’s Blog
Copilot for Security Plugin: Country Info
Copy link
Facebook
Email
Notes
More
Share

If you need additional country information to use as part of your investigations using Copilot for Security instead of utilizing the standard GPT model, this plugin will help. It utilizes the externaldata operator to get the information from a publicly available GitHub dataset (https://github.com/datasets). This is a great example of how to use KQL with Copilot for Security to pull data from external sources.

Get the plugin file: https://github.com/rod-trent/Copilot-for-Security/blob/main/Plugins/CountryInfo.yaml

Rod’s Blog is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

What’s inside the yaml file:

Descriptor:
  Name: CountryInfo
  DisplayName: Country Codes
  Description: Country information including country code and language and region and TLD and currency

SkillGroups:
  - Format: KQL
    Skills:
      - Name: CountryInfo
        DisplayName: Country Codes
        Description: Country information including country code and language and region and TLD and currency
        Settings:
          Target: Sentinel
          TenantId: <your_tenant_ID>
          SubscriptionId: <your_subscription_ID>
          ResourceGroupName: <your_RG_name>
          WorkspaceName: <your_WS_name>
          Template: |-
            let CountryInfo = externaldata (FIFA:string,Dial:string,ISO31661Alpha3:string,MARC:string,independence:string,ISO31661numeric:string,GAUL:string,FIPS:string,WMO:string,ISO31661Alpha2:string,ITU:string,IOC:string,DS:string,UNTERMSpanishFormal:string,GlobalCode:string,IntermediateRegionCode:string,officialnamefr:string,UNTERMFrenchShort:string,ISO4217currencyname:string,DevelopedDevelopingCountries:string,UNTERMRussianFormal:string,UNTERMEnglishShort:string,ISO4217currencyalphabeticcode:string,SmallIslandDevelopingStates:string,UNTERMSpanishShort:string,ISO4217currencynumericcode:string,UNTERMChineseFormal:string,UNTERMFrenchFormal:string,UNTERMRussianShort:string,M49:string,SubregionCode:string,RegionCode:string,officialnamear:string,ISO4217currencyminorunit:string,UNTERMArabicFormal:string,UNTERMChineseShort:string,LandLockedDevelopingCountries:string,IntermediateRegionName:string,officialnamees:string,UNTERMEnglishFormal:string,officialnamecn:string,officialnameen:string,SO4217currencycountryname:string,LeastDevelopedCountries:string,RegionName:string,UNTERMArabicShort:string,SubregionName:string,officialnameru:string,GlobalName:string,Capital:string,Continent:string,TLD:string,Languages:string,GeonameID:string,CLDRdisplayname:string,EDGAR:string) [@"https://raw.githubusercontent.com/datasets/country-codes/master/data/country-codes.csv"] with (ignoreFirstRecord=true, format="csv"); CountryInfo

Note that you’ll need to adjust the items in BOLD with your own environment details.

Examples prompts:

  1. What is the country code for Taiwan?

  2. What is the TLD for Taiwan?

  3. What is the currency for Taiwan?

  4. What's the languages for Taiwan?

  5. What is the capital of Taiwan?

The KQL query that is being utilized by the plugin:

let CountryInfo = externaldata (FIFA:string,Dial:string,ISO31661Alpha3:string,MARC:string,independence:string,ISO31661numeric:string,GAUL:string,FIPS:string,WMO:string,ISO31661Alpha2:string,ITU:string,IOC:string,DS:string,UNTERMSpanishFormal:string,GlobalCode:string,IntermediateRegionCode:string,officialnamefr:string,UNTERMFrenchShort:string,ISO4217currencyname:string,DevelopedDevelopingCountries:string,UNTERMRussianFormal:string,UNTERMEnglishShort:string,ISO4217currencyalphabeticcode:string,SmallIslandDevelopingStates:string,UNTERMSpanishShort:string,ISO4217currencynumericcode:string,UNTERMChineseFormal:string,UNTERMFrenchFormal:string,UNTERMRussianShort:string,M49:string,SubregionCode:string,RegionCode:string,officialnamear:string,ISO4217currencyminorunit:string,UNTERMArabicFormal:string,UNTERMChineseShort:string,LandLockedDevelopingCountries:string,IntermediateRegionName:string,officialnamees:string,UNTERMEnglishFormal:string,officialnamecn:string,officialnameen:string,ISO4217currencycountryname:string,LeastDevelopedCountries:string,RegionName:string,UNTERMArabicShort:string,SubregionName:string,officialnameru:string,GlobalName:string,Capital:string,Continent:string,TLD:string,Languages:string,GeonameID:string,CLDRdisplayname:string,EDGAR:string) [@"https://raw.githubusercontent.com/datasets/country-codes/master/data/country-codes.csv"] with (ignoreFirstRecord=true, format="csv"); 
CountryInfo

Tip: Run this in the Logs blade of a Log Analytics workspace to see all the data you can use with Copilot for Security. Use the free resource if you need one: https://aka.ms/lademo

To install this in your own Copilot for Security instance, see: Add custom plugins

[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[ Subscribe to the Bi-weekly Copilot for Security Newsletter]

[Subscribe to the Weekly Microsoft Sentinel Newsletter]

[Subscribe to the Weekly Microsoft Defender Newsletter]

[Subscribe to the Weekly Azure OpenAI Newsletter]

[Learn KQL with the Must Learn KQL series and book]

[Learn AI Security with the Must Learn AI Security series and book]

Rod’s Blog is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

Share this post

Rod’s Blog
Rod’s Blog
Copilot for Security Plugin: Country Info
Copy link
Facebook
Email
Notes
More
Share

Discussion about this post

No posts

Ready for more?

© 2025 Rod Trent
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great culture

Share

Copy link
Facebook
Email
Notes
More