Share via

Create tool from the tool types

Important

Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Tools (skills) are the capabilities that the agent can use to perform specialized tasks or interact with external systems. Microsoft Security Copilot enables developers to configure agents with a set of predefined tools. Developers can author their own tools using the agent builder or the tools provided by Security Copilot in the Tool catalog. See, Create Security Copilot Agent.

This article provides guidance to developers on how to create a tool using the agent builder. The tool can then be added to your agent to perform tasks.

Tool types

Developers can use the agent builder to author the following tools:

  • GPT: Write a Generative-AI prompt to use Large Language Models (LLMs) capabilities to reason over natural language or data.

  • KQL: Query a Kusto database with custom, parameterized Kusto Query Language (KQL) queries to return data.

  • AGENT: Orchestrating multi-step workflows using Large Language Models (LLMs) and child tools.

For building custom plugins using API and MCP are as follows:

Create tool

You can create the following tools with the Create your tool page:

On the Details section:

  • Choose the tool Type from the dropdown.

  • Enter a unique Display name, Description to reference the tool.

Note

The Display name is the name referenced in the portal for display.

Type: GPT

Write a Generative-AI prompt to use LLM capabilities to reason over natural language or data.

On the Inputs section:

  • Enter a Name, Description and a Default value as input data for the tool.

On the Settings section:

  • Choose the LLM Model from the dropdown.

    Image of how to create a GPT tool in Security Copilot

  • Choose the prompt template to be used for Template type:

    • Default: Enter the prompt instructions in the Template section. For your prompt, you can reference the inputs defined in Inputs field using double curly braces: {{InputParameterName}}.

    • Template URL: Enter a URL to a .txt file containing the prompt template.

    • Package URL: Enter the file path to a .zip file containing one or more template files and the path to the Package template file inside the package that defines the prompt.

Type: KQL

Query a Kusto database with custom, parameterized Kusto Query Language (KQL) queries to return data.

On the Inputs section:

  • Enter a Name, Description, and a Default value as input data for the tool.

On the Settings section:

  • For the Environment field, select the system or environment where the query is executed.

The following fields are populated for each of the environment type:

Defender:

  • Enter your KQL query in the Template type section. Alternatively, you can enter the Template URL link or a Package URL, which links to a zip file containing one or more KQL query template files and the path to the Package template file inside the package.

    Image of how to create a KQL tool in Defender environment in Security Copilot

  • In your template, you can reference the inputs defined in the Inputs section using double curly braces: {{InputParameterName}}.

Sentinel:

  • Enter the Tenant ID associated with the Microsoft Sentinel workspace. This value is required to authenticate and run the query.

  • Enter the Subscription ID associated with the Sentinel workspace. This value is required to authenticate and run the query.

  • Specify the name of the Azure resource group that includes your Sentinel workspace.

  • Enter the name of the workspace where your Sentinel data resides.

  • The Template type is covered under Defender.

    Image of how to create a KQL tool in Sentinel environment in Security Copilot

Kusto:

  • Enter the full Azure Data Explorer (Kusto) cluster URL.

  • Specify the database that contains the relevant tables for this tool.

  • The Template type is covered under Defender.

    Image of how to create a KQL tool in Security Copilot

Type: AGENT

  • On the Tool details section:

    • Select AGENT tool type from the dropdown.

    • Enter Agent display name and Agent description.

    Image of the agent tool type creation in Security Copilot

  • On the Inputs section:

    • Provide input parameters required for the agent tool. You must guide the AI model in your description, if only some values are possible (for example, "SeverityLevel should be one of high, medium, or low").
    • You can reference input names in the Instructions field by wrapping them in double curly braces. For example, {{skillInputName}}.
    • Select Add input to provide additional inputs to your skills.

  • On the Instructions section:

    • You can provide clear directions to guide the agent on its goal and how the agent should execute tasks. Typically written in natural language and may include formatting like markdown or comments. For example, provide an ordered list of action steps for the agent to execute that instructs the agent to invoke the tools that you created using the tool types.

  • On the Tools section:

    • Select Add tool to open the Tools catalog modal.

    • In the Add a tool modal, you can select multiple tools from the catalog: Microsoft tools and the predefined tools that you create such as AGENT, GPT, KQL, API, and MCP. You can see the tools created on the left navigation pane under Agent overview.

See also