sentinel

Use before writing any Microsoft Sentinel connector ARM template, DCR, KQL transform, or createUiDefinition.json. Provides the complete CCF (Codeless Connector Framework) reference for RestApiPoller, Push, and GCP connector types — including escaping rules, authentication, pagination, UI definitions, and deployment gotchas. Also use when debugging connector deployment failures or reviewing existing CCP templates.

KQL expert for Microsoft Sentinel, Azure Monitor, and M365 Defender. Use proactively when the user works with any .kql file, writes or reviews KQL queries, develops analytics or detection rules, performs threat hunting, needs DCR transformation KQL, or asks to optimise, validate, or convert a KQL query. Covers query optimisation, schema validation, ASIM normalisation, SPL migration, and best practices.

Generates deployment-ready Microsoft Sentinel Analytic Rule ARM templates from KQL detection queries. Use when the user asks to create, export, or package a Sentinel analytics rule, convert a KQL query into an ARM template, or generate rule deployment files with MITRE ATT&CK mappings and entity extraction.

Documents Microsoft Sentinel analytics rules as comprehensive SOC use cases. Use when the user wants to document a Sentinel rule, create SOC documentation, generate use case docs from an ARM template, or document a KQL detection query.