Microsoft Sentinel

Microsoft | microsoft.com | 4,891 installs | (0) | Free
Build and manage notebooks, custom graphs, and connectors for Microsoft Sentinel
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.

Microsoft Sentinel for Visual Studio Code

The Sentinel for Visual Studio Code extension allows developers and security professionals to build and manage notebooks, custom graphs, and connectors for Microsoft Sentinel.

Features

  • Explore Sentinel data lake, including tables and their schema
  • Create notebooks, schedule notebook jobs and manage their lifecycle
  • Create custom graphs, schedule graph jobs and manage their lifecycle
  • Utilize Microsoft-managed Spark compute
  • Use Sentinel chat participant to create connectors and author graph notebooks
  • Package solutions for Microsoft Security Store

Requirements

The Jupyter Extension for Visual Studio Code is required and will be installed automatically.

Getting started

Sign in to the extension with the account you use to access Microsoft Sentinel and Microsoft Defender.

To use data lake exploration capabilities, you must set up the Microsoft Sentinel data lake. You also need to ensure that you have the appropriate permissions.

  • Set up the data lake
  • Manage permissions to the data lake

Explore data lake tier tables

The extension enables you to explore data lake tier tables by viewing the schema.

Explore lake tables and schema

Analyze data using notebooks

The extension enables you to utilize Jupyter notebooks to build advanced analytics solutions for summarizing, transforming, and analyzing data in the Microsoft Sentinel data lake using Python and Spark. You can also leverage the GitHub Copilot extension to get AI help writing code that’s optimized for your data.

Create notebook with table output

Create notebook with chart output

Create scheduled jobs for automation

The extension allows you to schedule your Jupyter notebooks and custom graphs to run at specific times or intervals. Jobs are also used to process data and write results to custom tables in the data lake tier or analytics tier.

Create Scheduled Job

Job Details

Investigate with custom graph insights

The extension provides the capability to build and manage custom graphs for modeling specific attack patterns, investigating threats, and running advanced graph algorithms to uncover hidden relationships within your digital environment.

Graph panel

Notebook graph query

Graph details

Graph query

Use the @sentinel /graph-authoring chat participant with GitHub Copilot to get AI-assisted graph authoring. It auto-detects your workspace, generates multi-cell notebooks, inserts code directly, and leverages AI to create a complete graph authoring notebook from a natural language description. You can also use it to modify or debug existing graphs, understand generated graph code, and write and run graph queries.

Chat graph authoring

Create Sentinel connectors

Use the @sentinel /create-connector chat participant with GitHub Copilot to streamline connector development through flexible, AI-assisted code authoring. This unified workflow supports authoring, validation, testing, and deployment end to end, helping you build connectors faster and enable data ingestion into Microsoft Sentinel.

Chat create connector

Chat deploy connector

Package solutions

The extension supports packaging solutions containing notebook jobs and Security Copilot agents so they can be distributed through the Microsoft Security Store.

Create package manifest

Package details

Examples and scenarios

View Jupyter notebook examples

Create a sample custom graph

Learn more about using notebooks with the extension:

  • Use the Microsoft Sentinel Provider class
  • Pick a compute pool
  • Review limits
  • Troubleshoot errors

Data and telemetry

The Microsoft Sentinel Extension for Visual Studio Code collects usage data and sends it to Microsoft to help improve our products and services. Read our privacy statement to learn more. This extension respects the telemetry.telemetryLevel setting, which you can learn more about at https://code.visualstudio.com/docs/supporting/faq#_how-to-disable-telemetry-reporting.
