Here’s a somewhat frivolous plugin for Copilot for Security, but it is another measure of what is possible using the AI framework provided in Copilot for Security.
Imagine sitting and reading The Definitive Guide to KQL from Microsoft Press: you see one of the many KQL samples provided in the book and you want to test the query in your own environment. You know that the book comes with its own GitHub repository, and even though the repo is organized effectively to match the book chapters, you’ll still need to do some manual searching to locate the query. This is where The Definitive Guide to KQL from Microsoft Press plugin comes into play.
After installing the plugin, you simply use Copilot for Security to locate the samples and it will supply a direct link.
You can ask things like (prompts):
How do I get the book The Definitive Guide to KQL from Microsoft Press?
I'm reading the Definitive Guide to KQL from Microsoft Press. Where can I find the query samples from the Advanced chapter in the book?
Give me a bullet point chapter summary for The Definitive Guide to KQL from Microsoft Press.
I could be wrong, but this is probably the first plugin ever developed for a book launch.
How to get the plugin
The plugin is available directly from The Definitive Guide to KQL from Microsoft Press GitHub repository: https://github.com/KQLMSPress/definitive-guide-kql/tree/main/Other/CfSPlugin
The instructions are located at that link, but I’ll also include them here…
Prerequisites
Microsoft Sentinel Workspace created.
Parameters for KQL Plugin - Microsoft Sentinel Workspace Name, Subscription ID, Resource Group Name and Entra Tenant ID
Instructions
Upload the Custom Plugin
Obtain the file DefinitiveKQL.yaml from this directory.
Modify the yaml file to specify your specific Entra TenantId, SubscriptionId, ResourceGroupName and WorkspaceName for your Sentinel instance.
Upload the custom plugin
About the plugin
The plugin for The Definitive Guide to KQL from Microsoft Press is a KQL-based plugin. I needed a couple of things to make the plugin work.
A data file
A KQL query
The repo extraction tool
To generate the data needed to supply the proper responses for Copilot for Security, I had to create a tool to extract the GitHub repository’s file structure into a .csv file. I created both Python and PowerShell versions of this tool:
To use this tool for any GitHub repo, in each version you simply need to modify the OWNER and REPO variables.
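The following is an added example of such an extraction tool; it is not the author’s Python or PowerShell version. It reads the GitHub git-trees API (which returns the whole repository listing in one recursive call) and writes the CSV. It assumes the CSV columns are type, path and url, matching the schema the plugin’s externaldata query declares, and that the url column holds a github.com link for each entry; the API response embedded below is constructed so the script runs offline, and OWNER, REPO and BRANCH are the only values to change for another repository.

```python
"""
Added example (not the book's or the author's tool): build a repo
file-structure CSV from a GitHub git-trees API response.

Assumptions, labelled as such:
  * CSV columns are type,path,url (the externaldata schema in the plugin);
  * the url column is a github.com blob/tree URL for each entry;
  * OWNER / REPO / BRANCH are the only values to edit per repository.
"""
import csv
import io
import json
import urllib.parse
import urllib.request

OWNER = "KQLMSPress"
REPO = "definitive-guide-kql"
BRANCH = "main"

FIELDS = ("type", "path", "url")


def fetch_tree(owner, repo, ref, token=None):
    """Fetch the recursive git tree for a ref from the GitHub REST API.
    Needs network access; a token lifts the unauthenticated rate limit."""
    url = f"https://api.github.com/repos/{owner}/{repo}/git/trees/{ref}?recursive=1"
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "User-Agent": "repo-structure-export",
    })
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def tree_to_rows(owner, repo, ref, tree_json):
    """Turn a git-trees response into sorted (type, path, url) rows.
    'blob' entries are files, 'tree' entries are directories; other entry
    types (e.g. 'commit' for submodules) are skipped. A truncated response
    is refused so an incomplete listing is never published by mistake."""
    if tree_json.get("truncated"):
        raise ValueError("git tree response was truncated; export would be incomplete")
    rows = []
    for entry in tree_json["tree"]:
        kind = entry.get("type")
        if kind == "blob":
            label, segment = "file", "blob"
        elif kind == "tree":
            label, segment = "dir", "tree"
        else:
            continue
        path = entry["path"]
        url = f"https://github.com/{owner}/{repo}/{segment}/{ref}/{urllib.parse.quote(path)}"
        rows.append((label, path, url))
    rows.sort(key=lambda r: r[1])
    return rows


def rows_to_csv(rows):
    """Serialise rows with a header row (hence ignoreFirstRecord=true in the query)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(FIELDS)
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample response, shaped like the real API output, so the
# example runs offline. Paths other than Other/CfSPlugin/DefinitiveKQL.yaml
# are made up for illustration.
SAMPLE_TREE = {
    "sha": "0000000",
    "truncated": False,
    "tree": [
        {"path": "Chapter 1", "type": "tree"},
        {"path": "Chapter 1/Example1.kql", "type": "blob"},
        {"path": "Other", "type": "tree"},
        {"path": "Other/CfSPlugin/DefinitiveKQL.yaml", "type": "blob"},
        {"path": "vendored-module", "type": "commit"},
    ],
}


def export(owner=OWNER, repo=REPO, ref=BRANCH, tree_json=None, out_dir="."):
    """Write <repo>_file_structure.csv, the file name the plugin's query reads."""
    if tree_json is None:
        tree_json = fetch_tree(owner, repo, ref)
    rows = tree_to_rows(owner, repo, ref, tree_json)
    out_path = f"{out_dir}/{repo}_file_structure.csv"
    with open(out_path, "w", newline="", encoding="utf-8") as f:
        f.write(rows_to_csv(rows))
    return out_path


if __name__ == "__main__":
    # Offline run against the constructed sample; call export() to hit the API.
    print(rows_to_csv(tree_to_rows(OWNER, REPO, BRANCH, SAMPLE_TREE)))
```

Passing a commit SHA as ref instead of a branch name makes the recorded URLs point at exactly the content that was reviewed when the CSV was generated, which is worth doing for a file that an AI plugin will hand to users as authoritative links.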
The data file
The tool runs and outputs a .csv file named after the repo, which can then be uploaded anywhere it can be queried from. I uploaded the data for this plugin to The Definitive Guide to KQL from Microsoft Press sample repository. The repo contains all of the KQL query examples from the book.
The data for this specific plugin exists at: https://github.com/KQLMSPress/definitive-guide-kql/blob/main/Other/Data/definitive-guide-kql_file_structure.csv
The KQL query
Now that the data file is tucked neatly away in the accessible repo, I use the externaldata KQL operator (covered in the book) to query and parse it into results that are accessed by the plugin.
The query:
let DefinitiveKQL = externaldata (type:string, path:string, url:string)
    [@"https://raw.githubusercontent.com/KQLMSPress/definitive-guide-kql/main/Other/Data/definitive-guide-kql_file_structure.csv"]
    with (ignoreFirstRecord=true, format="csv");
DefinitiveKQL
The book
The book is available now from the Microsoft Press website and will be available to ship from Amazon on May 24th, 2024.