Microsoft Sentinel

Microsoft | microsoft.com | 6,148 installs | (0) | Free
Build and manage notebooks, custom graphs, and connectors for Microsoft Sentinel
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.

Microsoft Sentinel for Visual Studio Code

The Sentinel for Visual Studio Code extension allows developers and security professionals to build and manage notebooks, custom graphs, and connectors for Microsoft Sentinel.

Features

  • Explore Sentinel data lake, including tables and their schema
  • Create notebooks, schedule notebook jobs and manage their lifecycle
  • Create custom graphs, schedule graph jobs and manage their lifecycle
  • Utilize Microsoft-managed Spark compute
  • Use Sentinel chat participant to create connectors and author graph notebooks
  • Package solutions for Microsoft Security Store

Requirements

The Jupyter Extension for Visual Studio Code is required and will be installed automatically.

Getting started

Sign in to the extension with the account you use to access Microsoft Sentinel and Microsoft Defender.

To use data lake exploration capabilities, you must set up the Microsoft Sentinel data lake. You also need to ensure that you have the appropriate permissions.

  • Set up the data lake
  • Manage permissions to the data lake

Explore data lake tier tables

The extension enables you to explore data lake tier tables by viewing the schema.

Explore lake tables and schema

Analyze data using notebooks

The extension enables you to utilize Jupyter notebooks to build advanced analytics solutions for summarizing, transforming, and analyzing data in the Microsoft Sentinel data lake using Python and Spark.

Create notebook with table output

You can also leverage the GitHub Copilot extension to get AI help writing code that’s optimized for your data.

Create notebook with chart output

Create scheduled jobs for automation

The extension allows you to schedule your Jupyter notebooks and custom graphs to run at specific times or intervals. Jobs are also used to process data and write results to custom tables in the data lake tier or analytics tier.

Create Scheduled Job

From the Jobs panel, you can select a job to view its details. The details view allows you to run the job immediately, edit the job, enable or disable the job schedule, view the history of job runs, or delete the job.

Job Details

Investigate with custom graph insights

The extension provides the capability to build and manage custom graphs for modeling specific attack patterns, investigating threats, and running advanced graph algorithms to uncover hidden relationships within your digital environment.

Using notebooks, you define the graph schema and map relevant security data into that schema to build a graph. You then run graph queries in Graph Query Language (GQL) and visualize the results.

Notebook graph query

To persist the graph, you can schedule a graph job to rebuild your graph frequently. Custom graphs are displayed in the Graphs panel of the extension.

Graph panel

From the Graphs panel, you can select a custom graph to view its details. The details view allows you to run the graph job immediately, edit the graph job, or view the history of graph job runs.

Graph details

From the graph details view you can also query the persisted graph and visualize the query result.

Graph query

Use the @sentinel /graph-authoring chat participant with GitHub Copilot to get AI-assisted graph authoring. It auto-detects your workspace, generates multi-cell notebooks, inserts code directly, and leverages AI to create a complete graph authoring notebook from a natural language description. It also supports modifying or debugging existing graphs, understanding generated graph code, and writing and running graph queries.

Chat graph authoring

Create Sentinel connectors

Use the @sentinel /create-connector chat participant with GitHub Copilot to streamline connector development through flexible, AI-assisted code authoring. This low-code experience guides developers end to end by autonomously generating schemas, deployment assets, connector UI, secure secret handling, and polling logic.

Chat create connector

This workflow also supports testing and deployment, helping you build connectors faster and enable data ingestion into Microsoft Sentinel.

Chat deploy connector

Package solutions

The extension supports packaging a complete Microsoft Sentinel platform solution containing jobs and Security Copilot agents.

Create package manifest

After defining the package manifest, you can create a package ZIP file which can be published through the Microsoft Security Store.

Package details

Examples and scenarios

View Jupyter notebook examples

Create a sample custom graph

Learn more about using notebooks with the extension:

  • Use the Microsoft Sentinel Provider class
  • Pick a compute pool
  • Review limits
  • Troubleshoot errors

Data and telemetry

The Microsoft Sentinel Extension for Visual Studio Code collects usage data and sends it to Microsoft to help improve our products and services. Read our privacy statement to learn more. This extension respects the telemetry.telemetryLevel setting which you can learn more about at https://code.visualstudio.com/docs/supporting/faq#_how-to-disable-telemetry-reporting.
