Microsoft Sentinel Gets Copilot Integration: Enhanced Security Monitoring for AI Interactions
#Security


Cloud Reporter

Microsoft has released a public preview of the Microsoft Copilot Data Connector for Microsoft Sentinel, enabling security teams to monitor and analyze AI interactions across their environment.

Microsoft has announced the public preview of a new data connector that brings Microsoft Copilot audit logs and activities directly into Microsoft Sentinel, the company's cloud-native Security Information and Event Management (SIEM) platform. This integration represents a significant step forward in securing AI-powered interactions within enterprise environments.

What the Copilot Data Connector Brings to Microsoft Sentinel

The new Microsoft Copilot data connector enables organizations to ingest audit logs and activities generated by various Copilot offerings directly into Microsoft Sentinel and its data lake. This integration unlocks several powerful capabilities:

  • Enhanced Detection and Analytics: Copilot activities can now be leveraged within Microsoft Sentinel's analytic rules and custom detections, allowing security teams to identify anomalous interactions, unauthorized access attempts, and potentially malicious prompt usage.
  • Comprehensive Monitoring: The connector brings Copilot data into Sentinel workbooks, automation workflows, and other native features, providing a unified view of AI interactions alongside traditional security data.
  • Data Lake Integration: By sending Copilot data to the Sentinel data lake, organizations can create custom graphs, integrate with MCP servers, and benefit from lower-cost ingestion and extended retention periods.

Eligibility and Availability

The connector is available to all Microsoft Sentinel customers, but it will only ingest data for environments that have access to Copilot licenses and Security Compute Units (SCUs), as the activities rely on actual Copilot usage. The logs are sourced from the Purview Unified Audit Log (UAL) feed, which is enabled by default for all users.

A key advantage of this connector is that it eliminates the need for security teams to manually access the Purview Portal to view these activities. Instead, the data is proactively brought into the workspace, enabling Security Operations Centers (SOCs) to generate detections and conduct threat hunting on Copilot interactions in real time.

Important Note: This is a single-tenant connector, meaning it will ingest data for the entire tenant where it resides. It is not designed to handle multi-tenant configurations.

Supported Record Types

The connector supports a comprehensive set of record types from the Office 365 Management API, covering various Copilot-related activities:

  • Copilot Interactions: Records like 261 CopilotInteraction and 334 TeamCopilotInteraction capture user interactions with Copilot across different platforms.
  • Plugin Management: Records 310-314 track the creation, updating, deletion, enabling, and disabling of Copilot plugins.
  • Workspace Management: Records 315-319 monitor the lifecycle of Copilot workspaces.
  • Prompt Book Management: Records 320-324 track the management of Copilot prompt books.
  • Settings and Automation: Records like 325 UpdateCopilotSettings, 371 OutlookCopilotAutomation, and 363 Microsoft365CopilotScheduledPrompt capture configuration changes and automation activities.
  • Security-Specific: Records 389 CopilotForSecurityTrigger and 390 CopilotAgentManagement are particularly relevant for security monitoring.

These record types provide security teams with granular visibility into how users interact with Copilot, who has permissions to make changes, and whether any anomalous or unauthorized activities are occurring.
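The following is an added example, not code from the article or from Microsoft: it maps the RecordType ids listed above onto the article's categories and runs a simple detection over a constructed batch of Unified Audit Log records, flagging plugin, workspace, prompt book, settings and agent changes made by users outside an approved admin list (the kind of logic an analytic rule over the ingested data would express). The field names RecordType, Operation, UserId, CreationTime and Workload are the Management Activity API's; all values, operation names and the allow list are invented.

```python
import json
from collections import Counter

# RecordType ids and names exactly as the article lists them.
NAMED_TYPES = {261: "CopilotInteraction", 334: "TeamCopilotInteraction",
               325: "UpdateCopilotSettings", 363: "Microsoft365CopilotScheduledPrompt",
               371: "OutlookCopilotAutomation", 389: "CopilotForSecurityTrigger",
               390: "CopilotAgentManagement"}
# Category per id, following the article's grouping (310-324 are the three
# management families; the family names are this example's labels).
CATEGORY_RANGES = [(range(310, 315), "PluginManagement"),
                   (range(315, 320), "WorkspaceManagement"),
                   (range(320, 325), "PromptBookManagement")]
CATEGORY_IDS = {261: "Interaction", 334: "Interaction",
                325: "SettingsAndAutomation", 363: "SettingsAndAutomation",
                371: "SettingsAndAutomation", 389: "SecuritySpecific",
                390: "SecuritySpecific"}

def categorize(record_type):
    """Map a UAL RecordType id onto the article's categories ('Unknown' if none)."""
    for ids, name in CATEGORY_RANGES:
        if record_type in ids:
            return name
    return CATEGORY_IDS.get(record_type, "Unknown")

# Constructed sample records (field names are real API fields; values are invented).
SAMPLE_RECORDS = json.loads("""[
 {"CreationTime": "2025-01-10T09:01:00", "RecordType": 261, "Operation": "CopilotInteraction", "UserId": "alice@example.com", "Workload": "Copilot"},
 {"CreationTime": "2025-01-10T09:05:00", "RecordType": 311, "Operation": "UpdatePlugin", "UserId": "bob@example.com", "Workload": "Copilot"},
 {"CreationTime": "2025-01-10T09:07:00", "RecordType": 390, "Operation": "AgentManagement", "UserId": "admin@example.com", "Workload": "Copilot"},
 {"CreationTime": "2025-01-10T09:09:00", "RecordType": 325, "Operation": "UpdateCopilotSettings", "UserId": "bob@example.com", "Workload": "Copilot"},
 {"CreationTime": "2025-01-10T09:12:00", "RecordType": 334, "Operation": "TeamCopilotInteraction", "UserId": "alice@example.com", "Workload": "Copilot"}
]""")

def summarize_by_category(records):
    """Count records per category, e.g. for a workbook tile."""
    return Counter(categorize(r["RecordType"]) for r in records)

def find_unauthorized_changes(records, allowed_admins):
    """Flag configuration-changing or automation events (anything other than a
    plain interaction) performed by a user who is not an approved Copilot admin."""
    hits = []
    for r in records:
        cat = categorize(r["RecordType"])
        if cat in ("Interaction", "Unknown"):
            continue
        if r["UserId"].lower() not in allowed_admins:
            name = NAMED_TYPES.get(r["RecordType"], f"RecordType{r['RecordType']}")
            hits.append((r["UserId"], cat, name, r["Operation"]))
    return hits

if __name__ == "__main__":
    print(summarize_by_category(SAMPLE_RECORDS))
    for hit in find_unauthorized_changes(SAMPLE_RECORDS, {"admin@example.com"}):
        print("ALERT", hit)
```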

Deployment and Configuration

Organizations can deploy the connector through the Microsoft Sentinel Content Hub:

  1. Within the Defender Portal, navigate to Microsoft Sentinel
  2. Expand Configuration and select Content Hub
  3. Search for "Copilot" in the search bar
  4. Click on the solution that appears and select Install
  5. Once installed, configure the connector by opening its connector page

To enable the connector, users need either Global Administrator or Security Administrator permissions on the tenant. After configuration, data will be sent to the CopilotActivity table within the workspace.

Cost Considerations

It's important to note that this is a paid connector. Costs accrue as soon as data ingestion begins, with pricing based on the settings of the Microsoft Sentinel workspace or on the Microsoft Sentinel data lake tier pricing. Organizations should factor these costs into their security budget when planning to implement this solution.

The Strategic Importance of AI Security Monitoring

As organizations increasingly adopt AI tools like Microsoft Copilot, the need for robust security monitoring becomes critical. This new connector addresses a growing concern in the security community: how to effectively monitor and secure AI interactions within the enterprise.

The ability to track Copilot usage, monitor plugin and workspace management, and detect anomalous behavior provides security teams with essential visibility into their AI-powered workflows. This is particularly important as AI tools become more deeply integrated into business processes and handle sensitive data.

By bringing Copilot activities into Microsoft Sentinel, Microsoft is enabling a more comprehensive security posture that encompasses both traditional IT systems and emerging AI technologies. This integration allows organizations to apply their existing security analytics, automation, and response capabilities to AI interactions, creating a unified security approach.

Getting Started

Since the data connector is in public preview, organizations can begin deploying it immediately. The connector is available through the Microsoft Sentinel Content Hub, and detailed documentation is available through Microsoft Learn resources:

As AI continues to transform the workplace, security solutions that can effectively monitor and protect these new technologies will become increasingly essential. Microsoft's Copilot data connector for Sentinel represents a significant step toward comprehensive AI security monitoring, giving organizations the tools they need to secure their AI-powered future.
