Turning a KQL Request Template into a Copilot for Security Promptbook
Work smarter, stronger, faster
I wrote recently about how to get better results from Copilot for Security when requesting KQL queries.
See: Tip: Using KQL Request Templates for Copilot for Security
Because the whole point of Copilot for Security is efficiency, let’s take this request template to the next level. Instead of entering the same template details every time, create a Promptbook that asks for the applicable variables.
Here’s an example of what this would look like in a Promptbook.
By supplying the following as “prompt variables” when creating a new Promptbook, you shortcut the operation and make this prompt template repeatable for anyone in your security organization.
Use the following information to generate a proper KQL query for <PRODUCT_NAME>.
Table = <TABLE_NAME>
Time/Date range = <TIME_RANGE>
Query = <QUERY_RESULT>
Display = <RESULTS_DISPLAY>

Variable descriptions:
<PRODUCT_NAME> = Microsoft Sentinel or Defender
<TABLE_NAME> = The table you want to query. This could be a custom table; you should confirm the table exists. For example: SecurityAlert
<TIME_RANGE> = The time or date range for which the query should return results. For example: the last 3 days
<QUERY_RESULT> = The actual query details you want. For example: the top medium severity alert and the number of times it shows up in the data
<RESULTS_DISPLAY> = The columns you want to display in the results along with how you want them to display. For example: just the alert name and the times it shows up
Get the full Promptbook template here: https://github.com/rod-trent/Copilot-for-Security/blob/main/Prompts/Promptbooks/KQL_Request.md
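For reference, here is the kind of KQL query a correct Promptbook run should produce when the example values above are filled in (Microsoft Sentinel, the SecurityAlert table, the last 3 days, the top medium severity alert by occurrence, showing only the alert name and its count). This is an added example written for this page, not output from the author’s Promptbook; the column names AlertName, AlertSeverity and TimeGenerated are the standard SecurityAlert schema in Sentinel.

```kql
// Example result for the Promptbook variables above (added example, not Copilot output)
SecurityAlert
// <TIME_RANGE>: the last 3 days
| where TimeGenerated > ago(3d)
// <QUERY_RESULT>: medium severity alerts only
| where AlertSeverity == "Medium"
// count how many times each alert name shows up in the data
| summarize AlertCount = count() by AlertName
// keep the single most frequent alert
| top 1 by AlertCount desc
// <RESULTS_DISPLAY>: just the alert name and the number of times it shows up
| project AlertName, AlertCount
```

Use a query like this as the yardstick when you review what the Promptbook returns: if the generated query filters on a column that does not exist in your table, or drops the severity filter, the variables were not applied correctly. If you run the same Promptbook against Defender XDR advanced hunting instead of Sentinel, expect the generated query to target the AlertInfo table (Timestamp, Severity and Title columns) rather than SecurityAlert.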
Screenshots in the original post (not reproduced here) show what the Promptbook looks like when run, the actual Promptbook definition, the Promptbook in the Promptbook Library, and the Promptbook results.
Take this further? Create something extra cool? Let me know.