Security Monitoring: Auditing Copilot Activity

Video Tutorial

How to audit and monitor Microsoft 365 Copilot activity using Purview Audit. Learn what gets logged, how to investigate, and how to integrate signals into your SIEM.

Duration: 8:00 | Published: January 14, 2026 | Tags: Security, Compliance, IT

Overview

In government security, visibility is everything. You need to know who did what, when, and with what data.

When you introduce Copilot, that requirement doesn’t change.

This video walks you through Microsoft Purview Audit for Copilot. We’ll show you exactly what gets logged, how to run a search, and how to build an investigation timeline when you need to answer the question: “What did this user do with AI?”

What You’ll Learn

  • The specific audit events generated by Copilot interactions
  • How to enable and verify audit logging for your tenant
  • A step-by-step workflow for investigating a Copilot incident
  • Best practices for SIEM integration and alerting

Script

Hook: “If you can’t audit it, you can’t approve it”

Copilot is powerful, but for an Authorizing Official (AO) or a CISO, the first question is always: “Can we audit it?”

If a user does something malicious, or if we have a data spill, can we reconstruct the timeline?

The answer is yes. But you need to know where to look. Let’s walk through what Microsoft logs, how to find it, and how to operationalize it in your SOC.

What gets logged: Copilot activity in Purview Audit

Microsoft 365 Copilot interactions are written to the Unified Audit Log as CopilotInteraction events under the Copilot workload, the same log you already search for SharePoint file downloads or Exchange mailbox activity.

When a user interacts with Copilot, the record tells you:

  • Who the user was (UserId) and, where available, the client IP address
  • When the interaction happened (timestamps are UTC)
  • Which Copilot host app was used (AppHost: Word, Teams, etc.)
  • And, where Copilot grounded the response on tenant content, references to the files and messages it accessed (AccessedResources), with their sensitivity label IDs where the items are labeled.

Crucially: the audit record tells you that an interaction occurred and gives you the metadata to investigate. It does not contain the prompt or the response text; those are stored in the user's mailbox and are retrievable through eDiscovery, not through Audit. Treat the audit log as an accountability record, not a transcript.

Enablement and prerequisites

Before you start searching, check your prerequisites.

  1. Verify Auditing is Enabled. Most government tenants have it on by default, but confirm it: in Exchange Online PowerShell, Get-AdminAuditLogConfig should report UnifiedAuditLogIngestionEnabled as True.
  2. Check Permissions. Your SOC analysts need a Purview role group that grants audit search (for example Audit Reader), not Global Administrator.
  3. Retention. Audit (Standard) keeps records for 180 days and Audit (Premium) for one year by default, extendable with audit retention policies. For GCC, GCC High, and DoD, your ATO likely dictates a minimum retention period (often one year or more). Make sure your retention policies meet it, and forward the events to your SIEM if you need them longer than Purview keeps them.

How to search for Copilot activity

To find these events, open Audit in the Microsoft Purview portal and start a new search.

You can narrow the search by:

  • Date Range: the incident window, entered in UTC to match the audit timestamps.
  • User: the specific identity you are investigating.
  • Workload: Copilot, or the activity "Interacted with Copilot" (operation name CopilotInteraction).

The same search can be scripted with the Exchange Online cmdlet Search-UnifiedAuditLog, filtering on RecordType CopilotInteraction; the AuditData column of each result holds the details (host app, accessed resources) as JSON, which is what you parse when you build a timeline.

The Investigation Workflow: An investigation rarely stays inside the “Copilot” log. You usually start there, and then pivot.

  1. You see a user asked Copilot to summarize a sensitive project.
  2. You identify the files Copilot accessed for that summary.
  3. You then pivot to the SharePoint audit log to see if the user downloaded those files or shared them externally.
  4. You pivot to the Exchange audit log to see if they emailed the summary.

That cross-workload correlation is how you build a real timeline.
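The four-step pivot above, carried out over an exported log, as an added example (not code from the original page or from Microsoft). The rows imitate a Unified Audit Log export with CreationDate, UserIds, RecordType, Operations and an AuditData JSON string; the AuditData keys used (AppHost, AccessedResources[].Id/Name, ObjectId, Subject) are simplified assumptions about the real schema, and the sample rows are constructed, so verify both against your own tenant's export before reusing the logic.

```python
"""Cross-workload timeline for one user, pivoting from Copilot audit events.

Added example, not from the original page or from Microsoft. AuditData
field names are simplified assumptions; check them against a real export.
"""
import json
from datetime import datetime, timedelta

FILE = "https://agency.sharepoint.us/sites/falcon/Shared Documents/Project Falcon Plan.docx"

# Constructed sample rows (not real tenant data): Alice summarizes a document
# with Copilot in Word, downloads it, shares it, then sends an email.
# Bob downloads the same file but never used Copilot, so he is not a lead.
SAMPLE_ROWS = [
    {"CreationDate": "2026-01-13T09:02:11Z", "UserIds": "alice@agency.gov",
     "RecordType": "CopilotInteraction", "Operations": "CopilotInteraction",
     "AuditData": json.dumps({"AppHost": "Word", "AccessedResources": [
         {"Id": FILE, "Name": "Project Falcon Plan.docx", "Type": "Document"}]})},
    {"CreationDate": "2026-01-13T09:15:40Z", "UserIds": "alice@agency.gov",
     "RecordType": "SharePointFileOperation", "Operations": "FileDownloaded",
     "AuditData": json.dumps({"ObjectId": FILE})},
    {"CreationDate": "2026-01-13T09:20:05Z", "UserIds": "alice@agency.gov",
     "RecordType": "SharePointSharingOperation", "Operations": "SharingSet",
     "AuditData": json.dumps({"ObjectId": FILE})},
    {"CreationDate": "2026-01-13T09:31:00Z", "UserIds": "alice@agency.gov",
     "RecordType": "ExchangeItem", "Operations": "Send",
     "AuditData": json.dumps({"Subject": "Falcon summary"})},
    {"CreationDate": "2026-01-13T09:40:00Z", "UserIds": "bob@agency.gov",
     "RecordType": "SharePointFileOperation", "Operations": "FileDownloaded",
     "AuditData": json.dumps({"ObjectId": FILE})},
]

# Operations worth pivoting to once we know which files Copilot touched.
SHAREPOINT_OPS = {"FileDownloaded", "FileSyncDownloadedFull", "SharingSet",
                  "AnonymousLinkCreated", "SharingInvitationCreated"}
EXCHANGE_OPS = {"Send", "SendAs", "SendOnBehalf"}


def parse_rows(rows):
    """Decode the AuditData JSON of each export row; return events sorted by time."""
    events = []
    for r in rows:
        events.append({
            "time": datetime.fromisoformat(r["CreationDate"].replace("Z", "+00:00")),
            "user": r["UserIds"].lower(),
            "op": r["Operations"],
            "data": json.loads(r["AuditData"]),
        })
    return sorted(events, key=lambda e: e["time"])


def build_timeline(rows, user, window=timedelta(hours=8)):
    """Timeline of (time, workload, description) for `user`.

    Step 1: collect the files in AccessedResources of the user's Copilot
    interactions. Step 2: pivot to SharePoint events on those same files.
    Step 3: pivot to Exchange send events that follow an interaction within
    `window`. The audit log cannot tell us whether the mail body contains the
    summary, so the Exchange entries are leads for the analyst, not proof.
    """
    grounded = {}          # file id -> display name
    last_copilot = None    # time of the most recent Copilot interaction
    timeline = []
    for e in parse_rows(rows):
        if e["user"] != user.lower():
            continue
        if e["op"] == "CopilotInteraction":
            files = e["data"].get("AccessedResources", [])
            grounded.update({f["Id"]: f.get("Name", f["Id"]) for f in files})
            last_copilot = e["time"]
            timeline.append((e["time"], "Copilot",
                             f"prompt in {e['data'].get('AppHost', '?')}, "
                             f"grounded on {len(files)} file(s)"))
        elif last_copilot is None or e["time"] - last_copilot > window:
            continue   # nothing to pivot from yet, or outside the window
        elif e["op"] in SHAREPOINT_OPS and e["data"].get("ObjectId") in grounded:
            timeline.append((e["time"], "SharePoint",
                             f"{e['op']} {grounded[e['data']['ObjectId']]}"))
        elif e["op"] in EXCHANGE_OPS:
            timeline.append((e["time"], "Exchange",
                             f"{e['op']} subject={e['data'].get('Subject')!r}"))
    return timeline


if __name__ == "__main__":
    for t, workload, what in build_timeline(SAMPLE_ROWS, "alice@agency.gov"):
        print(t.strftime("%H:%M:%S"), workload.ljust(10), what)
```

The file identifier is the join key between the Copilot record and the SharePoint records, which is why AccessedResources matters more than any other field in the Copilot event. Exchange has no such key, so the Send pivot is time-bounded only; tighten `window` to the incident and confirm the mail contents through eDiscovery.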

Alerting and SIEM integration patterns

You probably don’t want to manually search logs every day. You want alerts.

I recommend creating alerts for specific patterns:

  • Spikes in Volume: A user making 1000 requests in an hour is unusual. Baseline per-user hourly counts from the pilot and alert on outliers rather than on a single fixed number.
  • Sensitive Data Access: Correlate Copilot activity with DLP alerts and with the sensitivity labels on the files listed in AccessedResources.
  • New Locations: A user interacting with Copilot from a country they have never signed in from. The audit record gives you a client IP, not a country, so geolocate it in the SIEM or join the event to Entra ID sign-in logs.

And for your SIEM, whether it is Microsoft Sentinel or something else, you need to ensure these Copilot events are being ingested. Don't assume your existing connector picks them up automatically: the Office 365 connector in Sentinel covers Exchange, SharePoint and Teams activity, so check that the Copilot record type arrives at all, and validate the schema before you write detections against it.
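The first and third alert patterns above, as an added example of detection logic (not code from the original page or from Microsoft). Each event is a simplified tuple of (time, user, country); audit records carry a client IP rather than a country, so the country is assumed to have been added by IP enrichment in the SIEM or by a join to sign-in logs, and both the events and the per-user baseline are constructed.

```python
"""Two alert rules over Copilot audit events: hourly volume spikes and
first-seen countries per user.

Added example, not from the original page or from Microsoft. Events are
(time, user, country) tuples; the country is an assumed enrichment.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

T0 = datetime(2026, 1, 13, 9, 0, tzinfo=timezone.utc)

# Countries previously seen per user; assume this is built from 30 days of
# sign-in history in the real deployment. Constructed for the example.
BASELINE = {"alice@agency.gov": {"US"}, "bob@agency.gov": {"US"},
            "carol@agency.gov": {"US"}}


def make_sample_events():
    """Constructed events (not real data): Alice fires 150 prompts in one
    hour from the US, Bob runs 3 normal prompts, Carol runs 3 prompts from
    a country she has never used before."""
    events = [(T0 + timedelta(seconds=20 * i), "alice@agency.gov", "US")
              for i in range(150)]
    events += [(T0 + timedelta(minutes=m), "bob@agency.gov", "US")
               for m in (5, 25, 45)]
    events += [(T0 + timedelta(hours=2, minutes=m), "carol@agency.gov", "XX")
               for m in (1, 2, 3)]
    return events


def volume_spikes(events, threshold=100):
    """Return (user, hour_start, count) for every user-hour at or over threshold."""
    per_hour = Counter()
    for t, user, _ in events:
        per_hour[(user, t.replace(minute=0, second=0, microsecond=0))] += 1
    return sorted((u, h, c) for (u, h), c in per_hour.items() if c >= threshold)


def new_locations(events, baseline):
    """Return (user, country, first_seen) for countries outside the user's
    baseline. A user with no baseline has no history, so any country is new."""
    first_seen = {}
    for t, user, country in sorted(events):
        if country in baseline.get(user, set()):
            continue
        first_seen.setdefault((user, country), t)   # keep the earliest hit
    return [(u, c, t) for (u, c), t in sorted(first_seen.items())]


def run_rules(events, baseline, threshold=100):
    """Evaluate both rules and return SIEM-style alert records."""
    alerts = [{"rule": "copilot_volume_spike", "user": u,
               "hour": h.isoformat(), "count": c}
              for u, h, c in volume_spikes(events, threshold)]
    alerts += [{"rule": "copilot_new_country", "user": u, "country": c,
                "first_seen": t.isoformat()}
               for u, c, t in new_locations(events, baseline)]
    return alerts


if __name__ == "__main__":
    for alert in run_rules(make_sample_events(), BASELINE):
        print(alert)
```

The volume rule buckets by the user's UTC hour, which matches the audit timestamps; the location rule reports only the first event per new country so one trip does not generate hundreds of alerts. Both are deliberately stateless so they can be re-run over a day's export during a pilot before being translated into the SIEM's own query language.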

Close: minimum viable monitoring for a pilot

For your pilot, don’t try to boil the ocean.

Start with a Minimum Viable Monitoring plan:

  1. Enable auditing for your pilot users.
  2. Run a weekly report to confirm you are seeing data.
  3. Simulate one investigation: Pick a pilot user (with permission) and reconstruct their Tuesday morning.

If you can do that, you can pass the audit requirement for your ATO.

Next up, we’ll move into the Compliance section, starting with FedRAMP Authorization and how it applies to Copilot.

Tags: GCC, GCC High, DoD, Security Operations, Compliance
