Skip to content

Add Sentinel Data Connector and Agent Builder tool#14543

Open
suchandanreddy wants to merge 1 commit into
Azure:masterfrom
suchandanreddy:add-sentinel-data-connector-and-agent-builder
Open

Add Sentinel Data Connector and Agent Builder tool#14543
suchandanreddy wants to merge 1 commit into
Azure:masterfrom
suchandanreddy:add-sentinel-data-connector-and-agent-builder

Conversation

@suchandanreddy

Copy link
Copy Markdown

Overview

This PR adds a new tool under Tools/Sentinel-Data-Connector-and-Agent-Builder/: a
workspace-level VS Code GitHub Copilot Chat agent that walks an ISV / partner developer
end-to-end through onboarding to Microsoft Sentinel Data Lake and shipping a
Security Copilot agent (or a Custom MCP tool collection) on top of it — in a single chat.

The agent is delivered as GitHub Copilot custom instructions + skills
(.github/copilot-instructions.md and .github/skills/) plus a set of cross-platform
PowerShell / Python helper scripts. There is no marketplace extension to install — a
developer sparse-checks-out this folder, opens it as the VS Code workspace root, and Copilot
Chat auto-loads the agent.

It guides developers through a phased workflow:

  • Connector discovery — looks up the ISV's published connector in Azure-Sentinel/Solutions/,
    classifies it (custom-table / native-cef-syslog / native-builtin), or kicks off a custom
    connector build when none exists.
  • Use-case ideation — maps the ISV's data to an agentic SOC use case.
  • Data Lake onboarding — validates/creates a Sentinel-enabled workspace and onboards the data lake.
  • Sample-data ingestion — generates correlated attack-scenario sample data and ingests it via the
    Logs Ingestion API so agents are testable in later phases.
  • MCP schema verification — uses the Sentinel MCP server to confirm real table schemas before any KQL is authored.
  • Agent authoring + validation — drafts Security Copilot agent instructions (or MCP tool collections),
    lints them, and validates every KQL block against the data lake.
  • Packaging / publishing — packages the agent for the Microsoft Security Store (Partner Center),
    or generates a deployment guide for customer-tenant rollout.

All Azure-mutating steps are gated behind explicit confirmation, and the tool keeps no secrets in
source — per-tenant / per-session runtime artifacts are .gitignored.

Why it belongs in Tools/

It is a self-contained developer enablement tool for the Sentinel platform — it consumes
Azure-Sentinel/Solutions/ connector content as an input and helps partners build on top of
Sentinel Data Lake + Security Copilot. It adds no analytic rules, parsers, hunting queries,
or workbooks, and touches no existing files — it is purely additive under a single new folder.

What's included

  • .github/copilot-instructions.md + .github/skills/ — the agent definition (personality, phase rules, lint rules).
  • scripts/ — PowerShell + Python helpers (prerequisite checks, data-lake validation, ingestion engine,
    KQL instruction validator, SCU cost-control automation, Partner Center packager).
  • knowledge/ — runtime reference guides the agent reads.
  • templates/, config/ (templates + .gitkeep only), infra/ — supporting assets.
  • README.md — setup, prerequisites, and usage.

Change(s):

  • Adds a new, self-contained developer tool at Tools/Sentinel-Data-Connector-and-Agent-Builder/
    (Copilot agent instructions + skills + helper scripts + docs). No existing files are modified.

Reason for Change(s):

  • Provides ISV / partner developers a guided, in-IDE workflow to onboard to Sentinel Data Lake and
    build + validate + publish Security Copilot agents and Custom MCP tool collections on the Sentinel platform.

Version Updated:

  • N/A — this is a Tools/ contribution, not a Detection / Analytic Rule template.

Testing Completed:

  • Yes. The full phased workflow was exercised end-to-end against a live Microsoft Sentinel Data Lake
    tenant across multiple ISVs and multiple VS Code Copilot Chat sessions — connector discovery,
    data-lake onboarding, attack-scenario sample-data ingestion (Logs Ingestion API), MCP schema
    verification, agent-instruction authoring + KQL validation, and packaging. Helper scripts run on
    PowerShell 7+ / Python 3.10+, and the optional Azure-side SCU auto-delete automation was deployed
    and validated in-tenant. The tool adds no KQL/YAML detection content to the repo's validation surface.

Checked that the validations are passing and have addressed any issues that are present:

  • Yes — no analytic rules / parsers / workbooks are added, so the detection/KQL/YAML validation checks
    have nothing new to validate in this folder. The added files are docs, scripts, and templates only.

@suchandanreddy suchandanreddy requested a review from a team as a code owner June 23, 2026 01:30
@suchandanreddy

suchandanreddy commented Jun 23, 2026 via email

Copy link
Copy Markdown
Author

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a new self-contained “Sentinel Data Connector and Agent Builder” tool under Tools/ to guide ISVs/partners through Sentinel Data Lake onboarding, sample data ingestion, MCP schema verification, Security Copilot agent (or custom MCP tools) creation, and publishing workflows—primarily via Copilot instructions/skills plus helper scripts.

Changes:

  • Adds templates and knowledge-base docs to drive a phased onboarding + authoring workflow.
  • Adds multiple PowerShell/bash utilities for prerequisite checks, data lake detection/remediation, ingestion validation, SCU lifecycle/cost control, MCP manifest validation, and packaging.
  • Adds VS Code chat participant extension scaffolding (package.json, src/extension.js) alongside workspace-level Copilot instructions/skills.

Reviewed changes

Copilot reviewed 50 out of 56 changed files in this pull request and generated 11 comments.

Show a summary per file
File Description
Tools/Sentinel-Data-Connector-and-Agent-Builder/templates/use-case-brief.md.tmpl Use-case brief template for ideation and planning inputs.
Tools/Sentinel-Data-Connector-and-Agent-Builder/templates/mcp-tool-definition.json.tmpl Template for a custom MCP tool definition with parameterized KQL.
Tools/Sentinel-Data-Connector-and-Agent-Builder/templates/entities.json.tmpl Entity pools template for generating correlated scenarios/sample data.
Tools/Sentinel-Data-Connector-and-Agent-Builder/templates/dcr-transform.kql.tmpl KQL transform template for DCR ingestion normalization.
Tools/Sentinel-Data-Connector-and-Agent-Builder/templates/dcr-per-table.json ARM template for per-table DCR deployments for Logs Ingestion API.
Tools/Sentinel-Data-Connector-and-Agent-Builder/templates/custom-table-schema.json.tmpl Template for creating custom table schema resources.
Tools/Sentinel-Data-Connector-and-Agent-Builder/templates/agent-instructions.yaml.tmpl YAML template for agent instruction scaffolding.
Tools/Sentinel-Data-Connector-and-Agent-Builder/src/extension.js VS Code chat participant implementation that loads instructions/knowledge and calls the LM.
Tools/Sentinel-Data-Connector-and-Agent-Builder/scripts/validate-urls.sh URL validation helper to enforce link hygiene with JSONL output.
Tools/Sentinel-Data-Connector-and-Agent-Builder/scripts/Validate-Prerequisites.ps1 Prerequisite and role checks for tenant/subscription readiness.
Tools/Sentinel-Data-Connector-and-Agent-Builder/scripts/Validate-Ingestion.ps1 Validates ingestion by querying tables and (optionally) scenario assertions.
Tools/Sentinel-Data-Connector-and-Agent-Builder/scripts/Validate-DataLake.ps1 Tenant-wide data lake onboarding detection + remediation directions.
Tools/Sentinel-Data-Connector-and-Agent-Builder/scripts/Test-McpToolsManifest.ps1 Static validator for custom MCP tool manifests (lint + optional render).
Tools/Sentinel-Data-Connector-and-Agent-Builder/scripts/Test-AgentInSecurityCopilot.ps1 SCU preflight + runbook generation for SCC validation.
Tools/Sentinel-Data-Connector-and-Agent-Builder/scripts/Setup-ScuAutoDelete.ps1 One-time deployment of server-side SCU auto-delete automation.
Tools/Sentinel-Data-Connector-and-Agent-Builder/scripts/Setup-DataIngestion.ps1 Sets up table/DCE/DCR ingestion infrastructure via az + REST.
Tools/Sentinel-Data-Connector-and-Agent-Builder/scripts/Remove-SccCapacity.ps1 Deletes SCU capacities (and optionally RG) with cost estimation and cleanup.
Tools/Sentinel-Data-Connector-and-Agent-Builder/scripts/Package-Agent.ps1 Packages agent for publishing with Phase 5 validation gate + table renames.
Tools/Sentinel-Data-Connector-and-Agent-Builder/scripts/Ingest-SampleData.ps1 Posts sample records to Logs Ingestion API for verification.
Tools/Sentinel-Data-Connector-and-Agent-Builder/scripts/Grant-IngestionRbac.ps1 Grants RG-scope RBAC to avoid per-DCR cold-start authorization caching issues.
Tools/Sentinel-Data-Connector-and-Agent-Builder/scripts/Get-ScuCostWindow.ps1 Computes cost-window timing + recommendations for SCU hour-block billing.
Tools/Sentinel-Data-Connector-and-Agent-Builder/scripts/Create-Workspace.ps1 Creates LAW + enables Sentinel with region allowlist checks.
Tools/Sentinel-Data-Connector-and-Agent-Builder/schemas/.gitkeep Placeholder documenting per-ISV schemas directory usage.
Tools/Sentinel-Data-Connector-and-Agent-Builder/scenarios/.gitkeep Placeholder documenting per-ISV scenarios directory usage.
Tools/Sentinel-Data-Connector-and-Agent-Builder/package.json VS Code extension manifest for chat participant contribution.
Tools/Sentinel-Data-Connector-and-Agent-Builder/knowledge/use-case-frameworks.md Reference content for structured use-case ideation.
Tools/Sentinel-Data-Connector-and-Agent-Builder/knowledge/security-copilot-agent-guide.md Step-by-step SCC build/validation guidance and Phase 5 gate definition.
Tools/Sentinel-Data-Connector-and-Agent-Builder/knowledge/publishing-guide.md Partner Center/Security Store packaging and submission guide.
Tools/Sentinel-Data-Connector-and-Agent-Builder/knowledge/mcp-verification-guide.md MCP setup + Phase 4 schema/query verification recipe and gates.
Tools/Sentinel-Data-Connector-and-Agent-Builder/knowledge/agent-instructions-lint.md Prose-level lint rules for SCC instruction documents.
Tools/Sentinel-Data-Connector-and-Agent-Builder/infra/scu-autodelete/scu-autodelete.bicep Infrastructure for server-side SCU teardown + notification.
Tools/Sentinel-Data-Connector-and-Agent-Builder/config/workspace.json.template Workspace config template for per-tenant setup.
Tools/Sentinel-Data-Connector-and-Agent-Builder/config/regions.json Supported region catalog + defaults and guidance.
Tools/Sentinel-Data-Connector-and-Agent-Builder/agent/investigation-queries.kql Example investigation KQL blocks mirroring example agent steps.
Tools/Sentinel-Data-Connector-and-Agent-Builder/agent/agent-instructions.yaml Example agent instructions YAML for a Contoso scenario.
Tools/Sentinel-Data-Connector-and-Agent-Builder/agent/README.md Example Phase 5 workflow instructions for the sample agent.
Tools/Sentinel-Data-Connector-and-Agent-Builder/README.md Main tool documentation (setup, prerequisites, phases, scripts).
Tools/Sentinel-Data-Connector-and-Agent-Builder/.vscode/launch.json VS Code debug configuration for running the extension host.
Tools/Sentinel-Data-Connector-and-Agent-Builder/.gitignore Ignores per-tenant/per-ISV state, packaging outputs, and local artifacts.
Tools/Sentinel-Data-Connector-and-Agent-Builder/.github/skills/sentinel-data-connector-agent-builder/SKILL.md Skill definition describing capabilities, phase gates, and behaviors.
Files not reviewed (1)
  • Tools/Sentinel-Data-Connector-and-Agent-Builder/package-lock.json: Generated file

Comment on lines +14 to +15
"activationEvents": [],
"main": "./src/extension.js",
Comment on lines +74 to +89
// Build the system prompt with agent instructions + relevant knowledge
const systemPrompt = buildPrompt(instructions, knowledgeContext, command);

// Use Copilot's language model to generate response
const messages = [
vscode.LanguageModelChatMessage.User(systemPrompt),
...context.history.map(h => {
if (h instanceof vscode.ChatResponseTurn) {
return vscode.LanguageModelChatMessage.Assistant(
h.response.map(r => r.value?.value || r.value || '').join('')
);
}
return vscode.LanguageModelChatMessage.User(h.prompt);
}),
vscode.LanguageModelChatMessage.User(request.prompt)
];
Comment on lines +101 to +112
try {
$qr = az monitor log-analytics query `
--workspace $workspaceId `
--analytics-query $kql `
--output json 2>$null | ConvertFrom-Json

if ($qr -and $qr.Count -gt 0) {
$rows = [int]$qr[0].Rows
$latest = $qr[0].Latest
} else {
$rows = 0; $latest = $null
}
Comment on lines +186 to +205
try {
$qr = az monitor log-analytics query `
--workspace $workspaceId `
--analytics-query $sc.kqlAssertion `
--output json 2>$null | ConvertFrom-Json

$count = 0
if ($qr -and $qr.Count -gt 0) {
# `| count` returns single row with single 'Count' column
$row = $qr[0]
foreach ($prop in $row.PSObject.Properties) {
if ($prop.Name -match '^(Count|Count_)$') { $count = [int]$prop.Value; break }
}
if ($count -eq 0) {
# fallback: first numeric property
foreach ($prop in $row.PSObject.Properties) {
if ($prop.Value -is [int] -or $prop.Value -is [long]) { $count = [int]$prop.Value; break }
}
}
}
Comment on lines +125 to +129
try {
az rest --method post `
--uri "$logicAppId/runs/$runId/cancel?api-version=2016-06-01" `
--output none 2>$null
Write-Info "Cancelled server-side auto-delete (Logic App run $runId)."
Comment on lines +15 to +19
"main": "./src/extension.js",
"contributes": {
"chatParticipants": [
{
"id": "sentinel-data-connector-agent-builder.builder",
Comment on lines +124 to +129
if (-not $currentUserId) {
Write-Status "Could not resolve signed-in user object ID via 'az ad signed-in-user show'. Falling back to UPN-based lookup (may miss MSA / guest accounts)." "warn"
$azureRoles = az role assignment list --assignee $account.user.name --subscription $SubscriptionId --include-inherited --include-groups --output json 2>$null | ConvertFrom-Json
} else {
$azureRoles = az role assignment list --assignee-object-id $currentUserId --subscription $SubscriptionId --include-inherited --include-groups --output json 2>$null | ConvertFrom-Json
}
Write-Status "Azure: MISSING required Azure roles for Step A" "fail"
if (-not $hasUAA) {
Write-Host " Missing: User Access Administrator"
Write-Host " Remediation: az role assignment create --assignee-object-id $currentUserId --assignee-principal-type User --role 'User Access Administrator' --scope /subscriptions/$SubscriptionId"
}
if (-not $hasSentinelContrib) {
Write-Host " Missing: Microsoft Sentinel Contributor"
Write-Host " Remediation: az role assignment create --assignee-object-id $currentUserId --assignee-principal-type User --role 'Microsoft Sentinel Contributor' --scope /subscriptions/$SubscriptionId"
Comment on lines +69 to +81
try {
$response = Invoke-RestMethod -Uri $uri -Method Post -Headers $headers -Body $body
Write-Host "✅ Data ingested successfully!"
} catch {
$statusCode = $_.Exception.Response.StatusCode.value__
if ($statusCode -eq 204) {
Write-Host "✅ Data ingested successfully (204 No Content)."
} else {
Write-Host "❌ Ingestion failed: $($_.Exception.Message)"
Write-Host " Status: $statusCode"
exit 1
}
}
"rules": [{"id": r["id"], "status": r["status"]} for r in rules_log],
"renameMapApplied": rename_log,
},
"scuEstimate": "__SCU_TBD__",
"renameMapApplied": rename_log,
},
"scuEstimate": "__SCU_TBD__",
"partnerCenterStatus": "draft",
import argparse
import datetime
import json
import os
import re
import subprocess
import sys
from io import StringIO
fixed = collapsed
if fixed != orig:
# Preserve original block-scalar style on assignment
style = getattr(orig, "_yaml_format", None)
@suchandanreddy

Copy link
Copy Markdown
Author

@v-shukore , @v-atulyadav , Could you please let me know if you need any further details to approve the PR?

Please note that I have reviewed all the comments from Copilot, they stem from Copilot not being able to run its full tool suite and reflect static assumptions about az REST shapes rather than actual CLI behavior.

We have verified the tool locally in VS Code and tested end-to-end with external ISVs/partners across multiple live-tenant sessions — all phases work as expected. The documented Azure CLI prerequisite (2.60+) and other required tools to the run agent, already handles every scenario the scripts rely on.

@suchandanreddy

Copy link
Copy Markdown
Author

@v-shukore, Below are the screenshots of using the agent from VS code chat. Please let me know if you need any further details for approving the PR.

image

Security Copilot Agent Use Case Ideation using the Tool:

image

Data Lake Onboarding using the Tool and progress to Data Ingestion phase:

image

Data Ingestion script triggered and successfully executed by Agent:

image image

Validation script run successfully by the Agent:

image

End to End outputs across phases when using the Agent:

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants