When Generative AI became the new hotness, those with and without KQL skills salivated: “I’ll never have to learn KQL again!” was the prevailing cry of joy.
And then, when Copilot for Security was released with the Natural Language to KQL (NL2KQL) capability, it seemed like a safe bet that no one would ever again need to learn KQL in order to produce KQL.
But I started testing. Knowing KQL the way I do after working with it for about four years across very diverse scenarios, the results I saw from ChatGPT and Copilot for Security left me wanting. Yes, they could both generate KQL, and the KQL generated could do the job for the most part, but many times the queries produced were not optimized, causing unnecessary processing and timeouts on large datasets, and the GenAI tools knew nothing about custom tables, schema changes, or other details of a specific environment. So there was still a lot of tweaking that needed to be done after the fact.
I said shortly afterward, and many times since (a lot of it on The Microsoft Security Insights Show), that folks still need to know KQL.
Don’t yet know this super simple query language called KQL? See:
Must Learn KQL: https://aka.ms/MustLearnKQL
The Definitive Guide to KQL from Microsoft Press: https://amzn.to/4d0WbTY
It was true then, and it’s still true now: the more KQL you know, the better off you’ll be. The better you understand it, the less time you’ll need to spend tweaking. But you can also apply your KQL knowledge up front instead of waiting to fix the results after the fact. Using a simple template, you can shape your prompts for Copilot for Security so they carry all the information it needs to produce better KQL: the exact table, the time range, what to compute, and how to present the result.
Consider using a template like the following in your Copilot for Security prompts:
Use the following information to generate a proper KQL query for Microsoft Sentinel.
Table = <tablename>
Time/Date range = <time range>
Query = <query processing example: the top medium severity alert and the number of times it shows up in the data>
Display = <how the results are displayed example: just the alert name and the times it shows up>
This template and more are located here: https://github.com/rod-trent/Copilot-for-Security/blob/main/Prompts/Plugins/NL2KQL.md
Example:
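As an added worked example (not from the original post or from the NL2KQL.md repository), here is the template filled in for the built-in SecurityAlert table, followed by the KQL a good NL2KQL answer should produce, and then the same method applied to a custom table. SecurityAlert and its columns (TimeGenerated, AlertSeverity, AlertName) are the standard Microsoft Sentinel schema; the custom table `MyApp_CL` and its columns `EventType_s` and `SrcIp_s` are hypothetical and stand in for whatever your own custom table contains. The two queries are separate statements; run each on its own.

```kql
// Filled-in prompt (the template from this post):
//   Use the following information to generate a proper KQL query for Microsoft Sentinel.
//   Table = SecurityAlert
//   Time/Date range = last 7 days
//   Query = the top medium severity alert and the number of times it shows up in the data
//   Display = just the alert name and the times it shows up
//
// The KQL that prompt should yield. Operator order is the "optimization" the post
// is talking about: filter on TimeGenerated first so Sentinel prunes data before
// anything else runs, then the cheap string filter, then aggregate, then sort/limit.
SecurityAlert
| where TimeGenerated > ago(7d)                 // time range from the prompt
| where AlertSeverity == "Medium"               // severity from the prompt
| summarize Occurrences = count() by AlertName  // how many times each alert shows up
| top 1 by Occurrences desc                     // "the top" medium alert only

// Same template applied to a custom table (hypothetical table and columns).
// Copilot cannot know this schema, so the Query line spells out the column names:
//   Table = MyApp_CL
//   Time/Date range = last 24 hours
//   Query = number of failed logins per source IP, using EventType_s and SrcIp_s
//   Display = source IP and failure count, highest first
MyApp_CL
| where TimeGenerated > ago(24h)
| where EventType_s == "LoginFailed"
| summarize Failures = count() by SrcIp_s
| order by Failures desc
```

The point of the second query is the one the post makes about custom tables: the generated KQL is only as good as the schema details in the prompt, so put the table name and the exact column names into the Table and Query lines rather than expecting the model to guess them.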
Challenge: Try using this template method with your custom tables.
Built a better template? Let me know.
Take this to the next level: Turning a KQL Request Template into a Copilot for Security Promptbook