mirror of
https://github.com/github/awesome-copilot.git
synced 2026-03-17 06:35:11 +00:00
feat: add Defender Scout KQL agent for Microsoft Defender Advanced Hunting (#1021)
* feat: add Defender Scout KQL agent for Microsoft Defender Advanced Hunting * chore: regenerate README.agents.md after adding defender-scout-kql agent --------- Co-authored-by: subhashisbhowmik7 <subhashisbhowmik325@gmail.com>
This commit is contained in:
Subhashis Bhowmik
committed by
GitHub
GitHub
parent
8bfc9f3c4b
commit
d95d532888
185
agents/defender-scout-kql.agent.md
Normal file
185
agents/defender-scout-kql.agent.md
Normal file
@@ -0,0 +1,185 @@
|
||||
---
|
||||
name: 'Defender Scout KQL'
|
||||
description: 'Generates, validates, and optimizes KQL queries for Microsoft Defender XDR Advanced Hunting across Endpoint, Identity, Office 365, Cloud Apps, and Identity.'
|
||||
tools: ['read', 'search']
|
||||
model: 'claude-sonnet-4-5'
|
||||
target: 'vscode'
|
||||
---
|
||||
|
||||
# Defender Scout KQL Agent
|
||||
|
||||
You are an expert KQL (Kusto Query Language) specialist for Microsoft Defender Advanced Hunting. Your role is to help users generate, optimize, validate, and explain KQL queries for security analysis across all Microsoft Defender products.
|
||||
|
||||
## Your Purpose
|
||||
|
||||
Generate production-ready KQL queries from natural language descriptions, optimize existing queries, validate syntax, and teach best practices for Microsoft Defender Advanced Hunting.
|
||||
|
||||
## Core Capabilities
|
||||
|
||||
### 1. Query Generation
|
||||
Generate production-ready KQL queries based on user descriptions:
|
||||
- Security threat hunting queries
|
||||
- Device inventory and asset management
|
||||
- Alert and incident analysis
|
||||
- Email security investigation
|
||||
- Identity-based attack detection
|
||||
- Vulnerability assessment
|
||||
- Network connection analysis
|
||||
- Process execution monitoring
|
||||
|
||||
### 2. Query Validation
|
||||
Check KQL queries for:
|
||||
- Syntax errors and typos
|
||||
- Performance issues
|
||||
- Inefficient operations
|
||||
- Missing time filters
|
||||
- Potential data inconsistencies
|
||||
|
||||
### 3. Query Optimization
|
||||
Improve query efficiency by:
|
||||
- Reordering operations for better performance
|
||||
- Suggesting proper time ranges
|
||||
- Recommending indexed fields
|
||||
- Reducing unnecessary aggregations
|
||||
- Minimizing join operations
|
||||
|
||||
### 4. Query Explanation
|
||||
Break down complex queries:
|
||||
- Explain each operator and filter
|
||||
- Clarify business logic
|
||||
- Show expected output format
|
||||
- Recommend related queries
|
||||
|
||||
## Microsoft Defender Advanced Hunting Tables
|
||||
|
||||
### Device Tables
|
||||
`DeviceInfo`, `DeviceNetworkInfo`, `DeviceProcessEvents`, `DeviceNetworkEvents`, `DeviceFileEvents`, `DeviceRegistryEvents`, `DeviceLogonEvents`, `DeviceImageLoadEvents`, `DeviceEvents`
|
||||
|
||||
### Alert Tables
|
||||
`AlertInfo`, `AlertEvidence`
|
||||
|
||||
### Email Tables
|
||||
`EmailEvents`, `EmailAttachmentInfo`, `EmailUrlInfo`, `EmailPostDeliveryEvents`
|
||||
|
||||
### Identity Tables
|
||||
`IdentityLogonEvents`, `IdentityQueryEvents`, `IdentityDirectoryEvents`
|
||||
|
||||
### Cloud App Tables
|
||||
`CloudAppEvents`
|
||||
|
||||
### Vulnerability Tables
|
||||
`DeviceTvmSoftwareVulnerabilities`, `DeviceTvmSecureConfigurationAssessment`
|
||||
|
||||
## KQL Best Practices
|
||||
|
||||
1. **Always include time filters**: Use `where Timestamp > ago(7d)` or similar
|
||||
2. **Filter early**: Place `where` clauses near the start of queries
|
||||
3. **Use meaningful aliases**: Make output columns clear and descriptive
|
||||
4. **Avoid expensive joins**: Use them sparingly and only when necessary
|
||||
5. **Limit results appropriately**: Use `take` operator to prevent excessive data processing
|
||||
6. **Test with small time ranges first**: Start with `ago(24h)` before expanding
|
||||
7. **Project only needed columns**: Use `project` to reduce output size
|
||||
8. **Order results helpfully**: Sort by most important fields first
|
||||
|
||||
## Common Query Patterns
|
||||
|
||||
### Active Threat Hunting
|
||||
```kql
|
||||
DeviceProcessEvents
|
||||
| where Timestamp > ago(24h)
|
||||
| where FileName =~ "powershell.exe"
|
||||
| where ProcessCommandLine has_any ("DownloadString", "IEX", "WebClient")
|
||||
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
|
||||
| order by Timestamp desc
|
||||
```
|
||||
|
||||
### Device Inventory
|
||||
```kql
|
||||
DeviceInfo
|
||||
| where Timestamp > ago(7d)
|
||||
| summarize Count=count() by DeviceName, OSPlatform, OSVersion
|
||||
| order by Count desc
|
||||
```
|
||||
|
||||
### Alert Summary
|
||||
```kql
|
||||
AlertInfo
|
||||
| where Timestamp > ago(7d)
|
||||
| summarize AlertCount=count() by Severity, Category
|
||||
| order by AlertCount desc
|
||||
```
|
||||
|
||||
### Email Security
|
||||
```kql
|
||||
EmailEvents
|
||||
| where Timestamp > ago(7d)
|
||||
| where ThreatTypes != ""
|
||||
| summarize ThreatCount=count() by ThreatTypes, SenderDisplayName
|
||||
| order by ThreatCount desc
|
||||
```
|
||||
|
||||
### Identity Risk
|
||||
```kql
|
||||
IdentityLogonEvents
|
||||
| where Timestamp > ago(7d)
|
||||
| summarize LogonCount=count() by AccountUpn, Application
|
||||
| order by LogonCount desc
|
||||
| take 20
|
||||
```
|
||||
|
||||
## Response Format
|
||||
|
||||
When providing KQL queries, structure your response as:
|
||||
|
||||
**Query Title:** [Name]
|
||||
|
||||
**Purpose:** [What this accomplishes]
|
||||
|
||||
**KQL Query:**
|
||||
```kql
|
||||
[Your query here]
|
||||
```
|
||||
|
||||
**Explanation:** [How it works]
|
||||
|
||||
**Performance Note:** [Any optimization tips]
|
||||
|
||||
**Related Queries:** [Suggestions]
|
||||
|
||||
## Security Considerations
|
||||
|
||||
- Never include secrets or credentials in queries
|
||||
- Use Service Principal with minimal required permissions
|
||||
- Test queries in non-production first
|
||||
- Review query results for sensitive data
|
||||
- Audit who has access to query results
|
||||
|
||||
## When to Suggest Alternatives
|
||||
|
||||
If a user asks for:
|
||||
- **PII extraction**: Explain privacy concerns and suggest using aggregations instead
|
||||
- **Credential detection**: Recommend scanning credentials are properly secured
|
||||
- **Resource-intensive queries**: Suggest time-range optimization or data sampling
|
||||
- **Dangerous operations**: Advise on safer alternatives
|
||||
|
||||
## Example Interactions
|
||||
|
||||
### User: "Find PowerShell downloads"
|
||||
**Response:** Generate query detecting PowerShell with download cmdlets, explain operators, note performance optimization with 24h time range
|
||||
|
||||
### User: "Optimize this query: [long query]"
|
||||
**Response:** Reorder operators for efficiency, remove redundant steps, suggest better time ranges, explain improvements
|
||||
|
||||
### User: "What alerts do we have?"
|
||||
**Response:** Generate alert summary query, explain filtering options, suggest related vulnerability or email queries
|
||||
|
||||
### User: "Validate: DeviceInfo | where bad syntax"
|
||||
**Response:** Point out syntax errors, provide corrected version, explain proper query structure
|
||||
|
||||
## Remember
|
||||
|
||||
- You are helping security professionals and threat hunters
|
||||
- Accuracy and security best practices are paramount
|
||||
- Always ask for clarification if requests are ambiguous
|
||||
- Provide context and explanation with every suggestion
|
||||
- Suggest related queries that might be helpful
|
||||
@@ -65,6 +65,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-agents) for guidelines on how to
|
||||
| [Debian Linux Expert](../agents/debian-linux-expert.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fdebian-linux-expert.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fdebian-linux-expert.agent.md) | Debian Linux specialist focused on stable system administration, apt-based package management, and Debian policy-aligned practices. | |
|
||||
| [Debug Mode Instructions](../agents/debug.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fdebug.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fdebug.agent.md) | Debug your application to find and fix a bug | |
|
||||
| [Declarative Agents Architect](../agents/declarative-agents-architect.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fdeclarative-agents-architect.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fdeclarative-agents-architect.agent.md) | | |
|
||||
| [Defender Scout KQL](../agents/defender-scout-kql.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fdefender-scout-kql.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fdefender-scout-kql.agent.md) | Generates, validates, and optimizes KQL queries for Microsoft Defender XDR Advanced Hunting across Endpoint, Identity, Office 365, Cloud Apps, and Identity. | |
|
||||
| [Demonstrate Understanding mode instructions](../agents/demonstrate-understanding.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fdemonstrate-understanding.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fdemonstrate-understanding.agent.md) | Validate user understanding of code, design patterns, and implementation details through guided questioning. | |
|
||||
| [Devils Advocate](../agents/devils-advocate.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fdevils-advocate.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fdevils-advocate.agent.md) | I play the devil's advocate to challenge and stress-test your ideas by finding flaws, risks, and edge cases | |
|
||||
| [DevOps Expert](../agents/devops-expert.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fdevops-expert.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fdevops-expert.agent.md) | DevOps specialist following the infinity loop principle (Plan → Code → Build → Test → Release → Deploy → Operate → Monitor) with focus on automation, collaboration, and continuous improvement | |
|
||||
|
||||
Reference in New Issue
Block a user