The integration surfaces as a chat interface within the Microsoft Sentinel workspace or a connected Teams channel, where analysts type questions like "show me failed logins for service accounts in the last 48 hours" or "find all processes spawned by powershell.exe on server X last week." The core architecture involves an orchestration layer that accepts the natural language query, enriches it with contextual metadata (like known table schemas from your Log Analytics workspace), and calls a hosted LLM to generate a syntactically valid Kusto Query Language (KQL) statement. This query is then validated against a safe execution sandbox—often a dedicated, low-privilege service principal with read-only access to the Sentinel workspace—before being run. Results are returned as both a data table and a plain-language summary, with the generated KQL displayed for transparency and analyst learning.
AI Integration for Natural Language Query for Microsoft Sentinel

Natural Language Query for Microsoft Sentinel: The KQL Co-Pilot
A practical guide to deploying a natural language-to-KQL co-pilot that lets SOC analysts and threat hunters query Microsoft Sentinel in plain English.
High-value use cases center on reducing the KQL learning curve for junior analysts and accelerating threat hunting sessions. Instead of spending minutes crafting complex joins across the SecurityEvent, SigninLogs, and BehaviorAnalytics tables, an analyst can ask a multi-part question. The system can also handle implicit time-frame resolution (e.g., "last week" becomes | where TimeGenerated > ago(7d)) and common entity mapping (e.g., translating "admin users" to a dynamic list of high-privilege Entra ID groups). For production, the co-pilot should be wired to log all generated queries, user feedback (thumbs up/down), and execution results to a dedicated audit table for continuous tuning and to monitor for potential query abuse or cost overruns.
Rollout requires a phased governance approach. Start in a monitor-only pilot where queries are generated and displayed but not auto-executed, allowing analysts to review and manually run them. This builds trust and gathers data to fine-tune the prompt templates for your specific log schema. Next, enable auto-execution for low-risk queries (e.g., those that only query the last 24 hours and have a cost estimate below a threshold). Implement RBAC-driven query limits to ensure the service principal cannot access sensitive tables like those containing PII. Finally, integrate the co-pilot's audit logs into a Sentinel analytics rule to alert on anomalous patterns, such as a single user generating hundreds of expensive queries in a short period. This controlled, observable approach turns a powerful capability into a sustainable SOC force multiplier, not an operational risk.
Where the NLQ Co-Pilot Connects to Microsoft Sentinel
The Primary Analyst Interface
The most direct integration point is the Kusto Query Language (KQL) query bar within the Microsoft Sentinel Logs, Hunting, and Workbooks interfaces. Here, an NLQ co-pilot acts as a real-time assistant, translating analyst intent into optimized KQL.
Example Workflow: An analyst types, "Show me all failed logins for service accounts from external IPs in the last 48 hours." The co-pilot parses this, identifies the key entities (SigninLogs table, ResultType for failures, UserPrincipalName pattern for service accounts, IPAddress geolocation), and generates the precise KQL. It can also explain the generated query's logic, suggest time range optimizations, or propose related hunting queries based on the results. This surface reduces the barrier to advanced hunting and empowers junior analysts.
High-Value Use Cases for a Sentinel NLQ Co-Pilot
A natural language query (NLQ) co-pilot transforms how SOC analysts, threat hunters, and security engineers interact with Microsoft Sentinel. By translating plain English into optimized Kusto Query Language (KQL), it accelerates investigations, democratizes data access, and reduces the cognitive load of complex query writing. Below are key workflows where this integration delivers immediate operational value.
Accelerated Incident Triage
Analysts can ask questions like 'show me all failed logins for service accounts in the last 24 hours' or 'list the top 5 source IPs for the failed logins in incident INC-12345' without writing KQL. The co-pilot generates and executes the query, returning results to the Sentinel console or a chat interface, cutting initial investigation time from 15-30 minutes to under a minute.
Democratized Threat Hunting
Enable junior analysts and non-KQL experts to perform proactive hunts. A hunter can describe a hypothesis: 'Find user accounts that logged in from two different countries within 4 hours'. The co-pilot constructs the complex union, join, and where clauses needed to query the SigninLogs table, lowering the barrier to entry for advanced security work.
Dynamic Dashboard & Workbook Creation
Instead of manually editing KQL for Sentinel Workbooks, security managers can request visualizations: 'Create a timechart of Azure AD risky sign-ins by risk level for the last week'. The co-pilot generates the underlying query and can suggest visualization types, enabling rapid creation of executive and operational dashboards.
Automated Evidence Collection for Audits
Simplify compliance evidence gathering. An auditor or internal compliance officer can ask: 'Export all administrative role changes in Azure for Q3' or 'Show me all data access events for storage account 'finance-data' last month'. The co-pilot generates the precise AuditLogs or AzureActivity query and can format results for reports.
Intelligent Alert & Rule Tuning
Help detection engineers refine analytics rules. Ask: 'How many times would this new rule have fired in the last 30 days?' or 'Show me the common false positives for rule 'Impossible Travel' grouped by user department'. The co-pilot translates these tuning tasks into historical querying and aggregation, making rule maintenance data-driven.
Cross-Table Correlation for Attack Chain Analysis
Reconstruct complex attacks by querying across disparate log sources naturally. An investigator can ask: 'Correlate this malicious IP from the firewall logs with process creation events on endpoints and outbound DNS requests'. The co-pilot maps the intent to queries across CommonSecurityLog, SecurityEvent, and DnsEvents (via ASIM), joining on relevant entities.
Example NLQ Co-Pilot Workflows
These workflows illustrate how a natural language query (NLQ) co-pilot integrates into a Microsoft Sentinel SOC analyst's daily investigation and hunting tasks, translating plain English into optimized Kusto Query Language (KQL) and executing it within the platform.
Trigger: An analyst receives a threat intel report about a new credential dumping tool and wants to hunt for related activity.
Workflow:
- The analyst opens the co-pilot interface in Sentinel and types: "Find all processes named lsass.exe that were accessed by a non-system user from a remote IP in the last 48 hours."
- The co-pilot agent parses the request, identifies key entities (process_name, user_type, src_ip_addr, time_range), and maps them to the relevant tables in the Azure Monitor agent schema (e.g., SecurityEvent, DeviceProcessEvents).
- The agent generates and validates a KQL query:

```kql
// Co-pilot generated query for LSASS access hunting
let remoteSystems = SecurityEvent
| where TimeGenerated > ago(48h)
| where EventID == 4624 // Successful logon
| where LogonType in (3, 10) // Network or RemoteInteractive
| distinct Computer, IpAddress;
DeviceProcessEvents
| where TimeGenerated > ago(48h)
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !endswith "svchost.exe" // Filter likely system activity
| join kind=inner remoteSystems on $left.Computer == $right.Computer
| project TimeGenerated, Computer, AccountName = InitiatingProcessAccountName, ProcessCommandLine = InitiatingProcessCommandLine, RemoteIP = IpAddress
| summarize Count=count() by Computer, AccountName, RemoteIP, bin(TimeGenerated, 1h)
```

- The query is executed against the Sentinel workspace. Results are returned to the analyst in a table, with an option to visualize the timeline of events.
- Human Review Point: The analyst reviews the results, clicks on suspicious rows to launch a detailed investigation in the Sentinel incident graph, and can choose to create a bookmark or a new analytics rule based on the generated query.
Implementation Architecture: Data Flow & Components
A practical architecture for adding a natural language interface to Microsoft Sentinel that translates analyst questions into optimized Kusto Query Language (KQL) and returns actionable results.
The core integration connects to Microsoft Sentinel's Log Analytics workspace API and the Azure OpenAI Service. The flow begins when an analyst submits a natural language question via a web UI, Teams app, or directly within a Sentinel workbook. This query is sent to a secure backend service (e.g., an Azure Function or Container App) which first calls the Azure OpenAI model with a system prompt containing KQL schema context—specifically, relevant table names (like SecurityEvent, SigninLogs, AzureActivity), common field mappings, and Sentinel-specific functions. The LLM generates a proposed KQL query, which is then validated for syntax and safety (e.g., checked for destructive commands or excessive data scope) before execution against the Sentinel workspace.
The executed query returns raw log data to the backend service. A second LLM call is often used to interpret the results, transforming rows of data into a concise, narrative answer (e.g., "There were 127 failed logins for admin users last week, peaking on Tuesday. The top source IP was X.X.X.X."). This answer, along with the generated KQL for transparency and the raw data summary, is presented to the analyst. The architecture should include a feedback loop where analysts can correct or approve queries, storing these pairs in a vector database (like /integrations/vector-database-and-rag-platforms/vector-database-for-enterprise-retrieval) to improve future accuracy through few-shot learning and RAG.
Governance is critical. All queries and results should be logged to a dedicated Sentinel table for audit and cost tracking. Implement role-based access control (RBAC) tied to Azure Entra ID to ensure queries only run against data the analyst is permitted to see. Rate limiting and query timeouts prevent runaway costs. For rollout, start with a pilot group of analysts for common hunting questions, then expand to more complex data sets. This co-pilot doesn't replace KQL expertise but accelerates initial investigation and makes Sentinel accessible to a broader range of security personnel.
Code & Payload Examples
Translating Natural Language to Kusto Query Language (KQL)
This pattern uses an LLM to convert a user's question into a valid, optimized KQL query for Microsoft Sentinel's Log Analytics workspace. The key is to provide the model with the relevant table schemas and common query patterns as context.
```python
# Example: Generate KQL from natural language
from openai import OpenAI  # openai>=1.0 client; the legacy openai.ChatCompletion call no longer exists

client = OpenAI()  # reads OPENAI_API_KEY from the environment

system_prompt = """You are a KQL expert for Microsoft Sentinel. Given a user's question, generate a valid Kusto Query Language (KQL) query.
Available tables: SecurityEvent, SigninLogs, AzureActivity, CommonSecurityLog.
Focus on time range optimization and proper filtering."""

user_question = "Show me all failed logins for admin users in the last 7 days"

response = client.chat.completions.create(
    model="gpt-4",
    messages=[
        {"role": "system", "content": system_prompt},
        {"role": "user", "content": user_question},
    ],
)
generated_kql = response.choices[0].message.content

# Expected output might be:
# SecurityEvent
# | where TimeGenerated > ago(7d)
# | where EventID == 4625
# | where Account contains "admin" or AccountType == "Admin"
# | project TimeGenerated, Account, Computer, IpAddress
```
The generated query is then validated for syntax and safety (e.g., no delete commands) before being executed against the Sentinel workspace via the Azure Data Explorer API.
Realistic Time Savings & Operational Impact
How adding a natural language co-pilot to Microsoft Sentinel transforms analyst workflows, reducing cognitive load and accelerating investigation starts.
| Workflow Step | Before AI | After AI | Implementation Notes |
|---|---|---|---|
| Initial Investigation Query | Manual KQL writing: 5-15 minutes | Natural language prompt: <1 minute | Analyst describes intent; AI generates optimized, commented KQL. |
| Query Debugging & Syntax Errors | Trial-and-error in Log Analytics: 2-8 minutes | AI suggests corrections: <30 seconds | AI explains syntax errors and suggests fixes based on schema. |
| Joining & Correlating Log Sources | Manual table joins and time alignment: 10-20 minutes | AI proposes join logic: 1-2 minutes | AI understands ASIM tables and suggests proper |
| Historical Hunting Query Creation | Review past queries, adapt for new time range: 10-30 minutes | AI adapts and parameterizes: 2-3 minutes | AI can reference a library of past successful queries for similar intents. |
| Result Explanation for Reporting | Manual analysis of result set: 5-10 minutes | AI-generated summary of key findings: 1 minute | AI provides a plain-English summary of top results, counts, and anomalies. |
| Knowledge Sharing & Onboarding | Senior analyst writes and documents KQL for juniors: Ongoing | AI acts as a query tutor, explaining generated KQL: Ad-hoc | Reduces dependency on tribal knowledge; accelerates junior analyst ramp-up. |
| Ad-hoc Executive Reporting | Manual data extraction, then spreadsheet/presentation work: 1-2 hours | AI generates KQL for data pull and a narrative summary: 10-15 minutes | Enables faster response to leadership questions about security posture. |
Governance, Security, and Phased Rollout
Implementing a natural language query co-pilot for Microsoft Sentinel requires a security-first architecture and a controlled rollout to manage risk and build user trust.
A production-ready architecture for a Sentinel NLQ co-pilot must enforce strict data governance. This means implementing role-based access control (RBAC) that respects existing Azure Active Directory groups and Sentinel roles, ensuring analysts can only query data they are authorized to see. The AI service should be deployed within your Azure tenant, with all prompts, generated KQL, and query results logged to a dedicated Log Analytics workspace for a complete audit trail. Crucially, the system should never execute a generated KQL query automatically; it must always present the query for analyst review and manual execution, maintaining the human-in-the-loop for security-critical actions.
A phased rollout is essential for adoption and risk management. Start with a pilot group of senior analysts in a non-production Sentinel workspace. Focus on low-risk, high-value queries like historical data exploration for threat hunting or generating baseline reports. Use this phase to tune the system's prompt engineering for your specific log schemas (e.g., CommonSecurityLog, SecurityEvent) and to build a library of validated, optimized KQL patterns. Gradually expand access, incorporating feedback to improve the assistant's understanding of your environment's unique entities, such as custom-named servers, applications, and network zones.
Governance extends to the AI model itself. Establish a process for monitoring the quality and security of generated KQL. Track metrics like query execution success rate, performance impact (CPU/Time), and analyst feedback scores. Implement a review workflow where novel or complex queries suggested by the AI can be vetted by a lead analyst before being added to a shared library of trusted patterns. This controlled, iterative approach minimizes disruption, ensures the AI assistant acts as a force multiplier for your SOC, and aligns the integration with broader security and compliance frameworks like NIST or MITRE ATT&CK.
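The rollout section suggests alerting on a single user generating many expensive queries in a short period, and the architecture section asks that every prompt, verdict and result be logged to a dedicated audit table. As an added example (not code from the original page), the detection below runs over constructed audit rows and flags two abuse signals: bursts of expensive queries and repeated gate rejections. Row shape, cost units and thresholds are assumptions scaled down for the sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit rows in the shape the orchestration layer might write to its audit table:
# requester, time, gate outcome and a hypothetical cost unit for the executed query.
AUDIT_ROWS = [
    {"user": "alice", "ts": "2024-05-01T09:00:00", "verdict": "allowed", "cost": 90.0},
    {"user": "alice", "ts": "2024-05-01T09:01:30", "verdict": "allowed", "cost": 75.0},
    {"user": "alice", "ts": "2024-05-01T09:03:00", "verdict": "allowed", "cost": 120.0},
    {"user": "alice", "ts": "2024-05-01T09:05:10", "verdict": "allowed", "cost": 60.0},
    {"user": "bob",   "ts": "2024-05-01T09:00:00", "verdict": "allowed", "cost": 95.0},
    {"user": "bob",   "ts": "2024-05-01T10:30:00", "verdict": "allowed", "cost": 88.0},
    {"user": "bob",   "ts": "2024-05-01T12:00:00", "verdict": "allowed", "cost": 70.0},
    {"user": "carol", "ts": "2024-05-01T09:00:00", "verdict": "rejected: denied table", "cost": 0.0},
    {"user": "carol", "ts": "2024-05-01T09:00:40", "verdict": "rejected: denied table", "cost": 0.0},
    {"user": "carol", "ts": "2024-05-01T09:01:20", "verdict": "rejected: management command", "cost": 0.0},
    {"user": "dave",  "ts": "2024-05-01T09:00:00", "verdict": "allowed", "cost": 5.0},
]


def peak_in_window(timestamps, window):
    """Largest number of events that fall inside any sliding window of the given length."""
    queue, peak = deque(), 0
    for t in sorted(timestamps):
        queue.append(t)
        while t - queue[0] > window:
            queue.popleft()
        peak = max(peak, len(queue))
    return peak


def audit_alerts(rows, *, window=timedelta(minutes=10), cost_threshold=50.0,
                 max_expensive=3, max_rejected=2):
    """Return {user: reason} for users whose activity inside `window` suggests abuse or runaway cost.
    Thresholds are scaled down for the constructed data; production values would be far larger."""
    expensive, rejected = defaultdict(list), defaultdict(list)
    for r in rows:
        t = datetime.fromisoformat(r["ts"])
        if r["verdict"].startswith("rejected"):
            rejected[r["user"]].append(t)
        elif r["cost"] >= cost_threshold:
            expensive[r["user"]].append(t)
    alerts = {}
    for user, ts in expensive.items():
        n = peak_in_window(ts, window)
        if n > max_expensive:
            alerts[user] = f"{n} expensive queries within {window}"
    for user, ts in rejected.items():
        n = peak_in_window(ts, window)
        if n > max_rejected:
            alerts.setdefault(user, f"{n} gate rejections within {window}")
    return alerts
```

Repeated rejections are worth surfacing on their own: they show an analyst (or a compromised account) probing for tables the service principal is not allowed to read.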
Frequently Asked Questions (FAQ)
Practical questions for teams evaluating or implementing an AI co-pilot to translate natural language into Kusto Query Language (KQL) for Microsoft Sentinel.
The system uses a multi-step grounding process to map natural language to your unique Sentinel environment:
- Schema Discovery: The agent first queries Sentinel's LogManagement and other relevant tables to build a dynamic catalog of available tables, columns, and common values.
- Intent & Entity Mapping: A model trained on security operations maps phrases like "failed logins" to known signal types (e.g., SigninLogs) and entities like "admin users" to identity fields (e.g., userPrincipalName, conditionalAccessPolicies).
- Custom Log Source Handling: For custom tables (e.g., MyApp_CL), we pre-load a reference mapping of field names and sample values. The system can prompt users for clarification (e.g., "Which field contains the user ID?") and learn from feedback.
- Query Validation & Explanation: Before execution, the generated KQL is often run in a dry-run or take 10 mode to validate it returns plausible results. The system can also explain the query structure to the user for trust and correction.
This approach avoids brittle, static mappings and adapts to your evolving log landscape.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.