Creating a Copilot for Security KQL Plugin to Query Sentinel Watchlists
Microsoft Copilot for Security’s extensibility ensures you can continually add additional capabilities and knowledge. This can be accomplished through 1st and 3rd party plugins but can also be accomplished through custom plugins that you create yourself.
There are a few types of custom plugins that you can create, including API, GPT, and KQL. I’ll walk through all of these eventually, but wanted to supply a quick solution for those wanting to incorporate the curated data that you may be maintaining in your Microsoft Sentinel Watchlists using the KQL type plugin.
Read more: Create your own custom plugins
After some customization, the following .yaml file can be imported (see: Adding Custom Plugins) into Copilot for Security to enable access to any Watchlist you are maintaining through the use of some simple KQL queries.
The template format, fields, and spacing are important; otherwise the Copilot for Security import will fail with an error message. So, don’t change the spacing, only change the bolded fields with your information.
Descriptor:
  Name: WatchlistKQL
  DisplayName: Trusted Users List
  Description: Fetches the list of trusted users that is being maintained as a Microsoft Sentinel watchlist

SkillGroups:
  - Format: KQL
    Skills:
      - Name: GetTrustedUsers
        DisplayName: Get the Trusted Users List
        Description: Fetches the list of trusted users that is being maintained as a Microsoft Sentinel watchlist
        Settings:
          Target: Sentinel
          TenantId: <your_tenant_ID>
          SubscriptionId: <your_subscription_ID>
          ResourceGroupName: <your_RG_name>
          WorkspaceName: <your_WS_name>
          Template: |-
            _GetWatchlist('TrustedUsers') | distinct TrustedUsers
You can also download the .yaml file from here: KQL_Plugin_TrustedUsersWatchlist.yaml
You can see the standard, simple _GetWatchlist function is being used, along with just a quick, simple KQL query. Nothing fancy is needed here to expose the Watchlist data to Copilot for Security.
Of interest is that Microsoft Sentinel KQL-based plugins require your TenantId, SubscriptionId, ResourceGroupName, and WorkspaceName settings (as shown in the .yaml file); otherwise, Copilot for Security will not have proper access to the Log Analytics workspace to execute the query. A KQL-based Defender plugin doesn’t require this type of information.
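The watchlist becomes more useful once it is joined against telemetry rather than just listed. The following is an added example plugin file, not from the original post, that adds a second skill: it takes an hours window as an input and returns successful Entra ID sign-ins by accounts that are not on the trusted list. It assumes the TrustedUsers watchlist has a column named TrustedUsers holding user principal names, that the workspace ingests the SigninLogs table, and that the plugin format’s Inputs block with {{hours}} substitution is used to pass the window into the query; the placeholder settings are the same ones you replace in the file above.

```yaml
# Added example (not from the original post). Assumes the TrustedUsers
# watchlist has a TrustedUsers column of UPNs and that SigninLogs is ingested.
Descriptor:
  Name: WatchlistKQLUntrusted
  DisplayName: Untrusted Sign-ins
  Description: Finds successful sign-ins by accounts that are not on the Trusted Users watchlist

SkillGroups:
  - Format: KQL
    Skills:
      - Name: GetSigninsFromUntrustedUsers
        DisplayName: Get sign-ins from users not on the Trusted Users List
        Description: Lists successful sign-ins in the last N hours by accounts that are not in the TrustedUsers Microsoft Sentinel watchlist
        Inputs:
          - Name: hours
            Description: How many hours of sign-in history to check, for example 24
            Required: true
        Settings:
          Target: Sentinel
          TenantId: <your_tenant_ID>
          SubscriptionId: <your_subscription_ID>
          ResourceGroupName: <your_RG_name>
          WorkspaceName: <your_WS_name>
          Template: |-
            // Normalise the watchlist to lower-case UPNs so the join is case-insensitive
            let trusted = _GetWatchlist('TrustedUsers')
                | project UserPrincipalName = tolower(TrustedUsers);
            SigninLogs
            | where TimeGenerated > ago({{hours}}h)
            // ResultType is a string column; "0" is a successful sign-in
            | where ResultType == "0"
            | extend UserPrincipalName = tolower(UserPrincipalName)
            // leftanti keeps only sign-ins whose UPN has no match in the watchlist
            | join kind=leftanti trusted on UserPrincipalName
            | summarize SigninCount = count(),
                        FirstSeen = min(TimeGenerated),
                        LastSeen = max(TimeGenerated),
                        SourceIPs = make_set(IPAddress, 10)
                        by UserPrincipalName
            | order by SigninCount desc
```

The leftanti join is the piece that turns the watchlist into a filter: anything on the list drops out, so the result is the set of accounts you have not yet vetted. Because the input is substituted textually into the query, keep it numeric-only (the skill description steers Copilot toward values like 24); before import, replace every <...> placeholder, since the workspace settings are required for a Sentinel target as the post notes.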
Now, when I want to invoke my plugin, I just include Trusted Users List in my Copilot for Security prompts and it’s smart enough to know to use the plugin. The following is an example of what this looks like...
Read more: KQL plugins in Microsoft Copilot for Security
Want to discuss this further? Hit me up on Twitter or LinkedIn.