Description
Microsoft 365 Copilot is the highest-penetration enterprise AI tool by seat count. Copilot interactions — prompts, responses, and the documents used for grounding — are auditable via the Office 365 Management Activity API and already flow through the Audit.General content type that the existing o365 integration collects.
The current ingest pipeline has no handling for Copilot RecordTypes. The RecordType lookup map doesn't recognise the Copilot-specific values, so Copilot events pass through with only generic field mappings applied — and the Copilot-specific payload fields that matter for security use cases are left unmapped. This is an enhancement to the existing o365 audit datastream, not a new datastream.
What this data does (and doesn't) give you
Unlike most AI-usage telemetry, Copilot audit events are unusually rich — the value is in mapping fields that are already present in the payload:
What CopilotInteraction events expose:
- The actual resources Copilot grounded on (
AccessedResources) — document IDs, SiteUrl, resource Name/Type, and the SensitivityLabelId (Purview label) on each. This is the standout signal: you can see which sensitive documents an AI response was built from.
- Where the interaction happened —
AppHost (Word, Teams, Outlook, BizChat, Excel, SharePoint, …) and AppIdentity (workloadName.appGroup.appName).
- Built-in safety signals —
XPIADetected (cross-prompt-injection attempt flag on a resource) and JailbreakDetected (on a prompt message). These are genuine threat signals, not just governance metadata.
- Model transparency —
ModelProviderName (and model name/version for non-M365 scenarios).
- Prompt/response message references (
Messages: ID, isPrompt).
What it does not expose at the base tier:
- Full prompt/response content — only available with Purview Audit Premium (E5 or add-on). At the Standard tier you get the metadata above (including sensitivity labels) but not the text of prompts/responses.
- Human-readable sensitivity label names —
SensitivityLabelId is a GUID; resolving it to a label name requires the tenant's Purview label taxonomy (a potential enrichment, not in the event).
The practical consequence: even at the Standard tier this is a strong visibility and correlation signal — Elastic can surface which sensitive documents Copilot touched, where, and whether injection/jailbreak was flagged. Content-level inspection is available too, gated only by license tier (same API, same pipeline).
Scope & data boundaries
- Enhancement, not a new datastream: this is RecordType handling + field mapping in the existing
o365 audit pipeline. Copilot events already arrive via Audit.General.
- Prompt/response content is in-scope but gated by Purview Audit Premium — no separate collection path; the same events carry it when the tier is enabled.
- Correlation with other M365 signals (anomalous sign-in, bulk SharePoint access, privileged-account activity) works today against the existing
o365 datastreams — no additional collection required.
- Sensitivity-label resolution (GUID → label name) is a possible downstream enrichment that needs to be explored during development.
Why this matters
- Sensitive-data visibility & correlation:
AccessedResources[].SensitivityLabelId shows when Copilot grounded a response in highly sensitive material. Correlating that with the user, app surface, and surrounding M365 activity is the primary security signal in these events.
- Threat detection & correlation: Copilot activity joined with other M365 signals already in Elastic produces materially higher-fidelity detections than either source alone — plus the native
XPIADetected / JailbreakDetected flags.
- AI governance & visibility: Track which users, departments, and app surfaces are using Copilot, and surface anomalous usage patterns.
- Compliance & audit: A durable, queryable record of AI tool usage to support GDPR, HIPAA, and internal acceptable-use requirements, with Premium retention up to 10 years.
- Admin oversight: Copilot admin operations (e.g.
UpdateTenantSettings, CreatePlugin, DeletePlugin, EnablePromptBook) are configuration changes that should be monitored like any other.
What needs to be supported
RecordTypes / operations to handle: Recognise and route Copilot events correctly. Verify current values against the Office 365 Management Activity API schema — Microsoft has updated these in the past. Confirmed in the current Purview Copilot schema:
CopilotInteraction — user interactions with Microsoft-developed Copilot apps (primary target)
ConnectedAIAppInteraction — custom/registered Copilot Studio or 3rd-party apps deployed in the tenant
AIAppInteraction — 3rd-party AI apps not deployed in the tenant (pay-as-you-go billing)
TeamCopilotInteraction — Teams Facilitator (AI Notes / Live Notes / meeting moderation)
- Admin activity is logged via Operation names (
UpdateTenantSettings, CreatePlugin, DeletePlugin, EnablePromptBook, …), not a dedicated RecordType. (Note: the values AICopilot and MicrosoftCopilotAdmin from earlier drafts don't appear in the current schema — confirm before relying on them.)
Key fields to map for CopilotInteraction events:
AccessedResources[] — ID, Name, SiteUrl, Type, SensitivityLabelId, Action, and the security flags XPIADetected / PolicyDetails / Status (the most important DLP/visibility signal in these events)
AppHost and AppIdentity — which Copilot surface/app generated the event
Messages[] — ID, isPrompt, and JailbreakDetected
ModelTransparencyDetails[] — ModelProviderName (and model name/version where present)
AISystemPlugin — e.g. BingWebSearch indicates the response used the public web
- Admin configuration-change operations classified appropriately
Dashboards: Copilot usage by user and app, sensitivity-label exposure in grounding contexts, admin configuration-change timeline, usage volume over time.
Sample event
⚠️ Illustrative sample. Field names follow the current Purview Copilot audit schema; values are representative. A real captured event should be added during development from an M365 E5 tenant with Copilot enabled, and the numeric RecordType confirmed against the Management API schema.
{
"CreationTime": "2026-06-01T14:23:11",
"Id": "aaaa1111-bbbb-2222-cccc-3333dddd4444",
"Operation": "CopilotInteraction",
"OrganizationId": "11112222-3333-4444-5555-666677778888",
"RecordType": 261,
"UserKey": "i:0h.f|membership|analyst@contoso.com",
"UserId": "analyst@contoso.com",
"UserType": 0,
"Version": 1,
"Workload": "Copilot",
"AppIdentity": "Copilot.MicrosoftCopilot.BizChat",
"AppHost": "Word",
"Contexts": [
{ "ID": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/Q3-Forecast.docx", "Type": "docx" }
],
"AccessedResources": [
{
"Action": "Read",
"ID": "AAAAAEYE2GAACp1FlnN_CHXStUkH...AABwvq8gAAA2",
"Name": "Q3-Forecast.docx",
"Type": "docx",
"SiteUrl": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/Q3-Forecast.docx",
"SensitivityLabelId": "f41ab342-8706-4188-bd11-ebb85995028c",
"XPIADetected": false
}
],
"Messages": [
{ "ID": "1715186983849", "isPrompt": true, "JailbreakDetected": false },
{ "ID": "1715186984291", "isPrompt": false }
],
"ModelTransparencyDetails": [
{ "ModelProviderName": "Microsoft" }
],
"AISystemPlugin": [
{ "Name": "BingWebSearch", "ID": "BingWebSearch" }
]
}
Key fields
| Field |
Description |
UserId |
The user who interacted with Copilot |
Operation / RecordType |
CopilotInteraction — the AI interaction event |
AppHost |
Copilot surface (Word, Teams, Outlook, BizChat, Excel, SharePoint, …) |
AppIdentity |
Specific Copilot/AI app (workloadName.appGroup.appName) |
AccessedResources[].SiteUrl / .Name / .Type |
The grounding document(s) Copilot read |
AccessedResources[].SensitivityLabelId |
Purview sensitivity label (GUID) on the grounding doc — primary DLP signal |
AccessedResources[].XPIADetected |
Cross-prompt-injection attack flagged on a resource |
Messages[].isPrompt / .JailbreakDetected |
Prompt vs. response; jailbreak-attempt flag |
ModelTransparencyDetails[].ModelProviderName |
Model publisher |
AISystemPlugin.ID |
BingWebSearch indicates the response used the public web |
Availability note: CopilotInteraction events are captured under Audit (Standard). Full prompt/response content and extended retention (up to 10 years) require Audit (Premium) — relevant to what fields are populated during testing.
Access requirements
- Purview Audit Standard (M365 E3): captures
CopilotInteraction events with metadata including sensitivity labels on referenced documents, but not prompt/response content
- Purview Audit Premium (M365 E5 or add-on): adds full prompt and response content, extended retention up to 10 years
Development requires an M365 E5 tenant with Copilot enabled.
References
Description
Microsoft 365 Copilot is the highest-penetration enterprise AI tool by seat count. Copilot interactions — prompts, responses, and the documents used for grounding — are auditable via the Office 365 Management Activity API and already flow through the
Audit.Generalcontent type that the existingo365integration collects.The current ingest pipeline has no handling for Copilot RecordTypes. The RecordType lookup map doesn't recognise the Copilot-specific values, so Copilot events pass through with only generic field mappings applied — and the Copilot-specific payload fields that matter for security use cases are left unmapped. This is an enhancement to the existing
o365auditdatastream, not a new datastream.What this data does (and doesn't) give you
Unlike most AI-usage telemetry, Copilot audit events are unusually rich — the value is in mapping fields that are already present in the payload:
What
CopilotInteractionevents expose:AccessedResources) — document IDs,SiteUrl, resourceName/Type, and theSensitivityLabelId(Purview label) on each. This is the standout signal: you can see which sensitive documents an AI response was built from.AppHost(Word, Teams, Outlook, BizChat, Excel, SharePoint, …) andAppIdentity(workloadName.appGroup.appName).XPIADetected(cross-prompt-injection attempt flag on a resource) andJailbreakDetected(on a prompt message). These are genuine threat signals, not just governance metadata.ModelProviderName(and model name/version for non-M365 scenarios).Messages:ID,isPrompt).What it does not expose at the base tier:
SensitivityLabelIdis a GUID; resolving it to a label name requires the tenant's Purview label taxonomy (a potential enrichment, not in the event).The practical consequence: even at the Standard tier this is a strong visibility and correlation signal — Elastic can surface which sensitive documents Copilot touched, where, and whether injection/jailbreak was flagged. Content-level inspection is available too, gated only by license tier (same API, same pipeline).
Scope & data boundaries
o365auditpipeline. Copilot events already arrive viaAudit.General.o365datastreams — no additional collection required.Why this matters
AccessedResources[].SensitivityLabelIdshows when Copilot grounded a response in highly sensitive material. Correlating that with the user, app surface, and surrounding M365 activity is the primary security signal in these events.XPIADetected/JailbreakDetectedflags.UpdateTenantSettings,CreatePlugin,DeletePlugin,EnablePromptBook) are configuration changes that should be monitored like any other.What needs to be supported
RecordTypes / operations to handle: Recognise and route Copilot events correctly. Verify current values against the Office 365 Management Activity API schema — Microsoft has updated these in the past. Confirmed in the current Purview Copilot schema:
CopilotInteraction— user interactions with Microsoft-developed Copilot apps (primary target)ConnectedAIAppInteraction— custom/registered Copilot Studio or 3rd-party apps deployed in the tenantAIAppInteraction— 3rd-party AI apps not deployed in the tenant (pay-as-you-go billing)TeamCopilotInteraction— Teams Facilitator (AI Notes / Live Notes / meeting moderation)UpdateTenantSettings,CreatePlugin,DeletePlugin,EnablePromptBook, …), not a dedicated RecordType. (Note: the valuesAICopilotandMicrosoftCopilotAdminfrom earlier drafts don't appear in the current schema — confirm before relying on them.)Key fields to map for
CopilotInteractionevents:AccessedResources[]—ID,Name,SiteUrl,Type,SensitivityLabelId,Action, and the security flagsXPIADetected/PolicyDetails/Status(the most important DLP/visibility signal in these events)AppHostandAppIdentity— which Copilot surface/app generated the eventMessages[]—ID,isPrompt, andJailbreakDetectedModelTransparencyDetails[]—ModelProviderName(and model name/version where present)AISystemPlugin— e.g.BingWebSearchindicates the response used the public webDashboards: Copilot usage by user and app, sensitivity-label exposure in grounding contexts, admin configuration-change timeline, usage volume over time.
Sample event
{ "CreationTime": "2026-06-01T14:23:11", "Id": "aaaa1111-bbbb-2222-cccc-3333dddd4444", "Operation": "CopilotInteraction", "OrganizationId": "11112222-3333-4444-5555-666677778888", "RecordType": 261, "UserKey": "i:0h.f|membership|analyst@contoso.com", "UserId": "analyst@contoso.com", "UserType": 0, "Version": 1, "Workload": "Copilot", "AppIdentity": "Copilot.MicrosoftCopilot.BizChat", "AppHost": "Word", "Contexts": [ { "ID": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/Q3-Forecast.docx", "Type": "docx" } ], "AccessedResources": [ { "Action": "Read", "ID": "AAAAAEYE2GAACp1FlnN_CHXStUkH...AABwvq8gAAA2", "Name": "Q3-Forecast.docx", "Type": "docx", "SiteUrl": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/Q3-Forecast.docx", "SensitivityLabelId": "f41ab342-8706-4188-bd11-ebb85995028c", "XPIADetected": false } ], "Messages": [ { "ID": "1715186983849", "isPrompt": true, "JailbreakDetected": false }, { "ID": "1715186984291", "isPrompt": false } ], "ModelTransparencyDetails": [ { "ModelProviderName": "Microsoft" } ], "AISystemPlugin": [ { "Name": "BingWebSearch", "ID": "BingWebSearch" } ] }Key fields
UserIdOperation/RecordTypeCopilotInteraction— the AI interaction eventAppHostWord,Teams,Outlook,BizChat,Excel,SharePoint, …)AppIdentityworkloadName.appGroup.appName)AccessedResources[].SiteUrl/.Name/.TypeAccessedResources[].SensitivityLabelIdAccessedResources[].XPIADetectedMessages[].isPrompt/.JailbreakDetectedModelTransparencyDetails[].ModelProviderNameAISystemPlugin.IDBingWebSearchindicates the response used the public webAccess requirements
CopilotInteractionevents with metadata including sensitivity labels on referenced documents, but not prompt/response contentDevelopment requires an M365 E5 tenant with Copilot enabled.
References