
Microsoft Security Copilot Blog

Using parameterized functions with KQL-based custom plugins in Microsoft Security Copilot

Inwafula
Microsoft
Jun 02, 2025

Microsoft Security Copilot offers customers great flexibility to bring custom insights into Security Copilot sessions using custom plugins. KQL-based plugins are commonly used to tap into data stored in Microsoft Sentinel Log Analytics workspaces, Microsoft Defender XDR Advanced Hunting tables, and Azure Data Explorer clusters. KQL-based user-defined functions are supported across these three platforms and offer significant advantages for querying and analyzing large datasets. These benefits include the ability to encapsulate reusable logic, enhance query efficiency, and improve maintainability.

In this blog, I will walk through how you can build functions based on a Microsoft Sentinel Log Analytics workspace for use in custom KQL-based plugins for Security Copilot. The same appr...
Updated Jun 02, 2025
Version 1.0