Skip to content

[M365] Add Microsoft 365 Copilot activity log support #19409

Description

@jamiehynds

Description

Microsoft 365 Copilot is the highest-penetration enterprise AI tool by seat count. Copilot interactions — prompts, responses, and the documents used for grounding — are auditable via the Office 365 Management Activity API and already flow through the Audit.General content type that the existing o365 integration collects.

The current ingest pipeline has no handling for Copilot RecordTypes. The RecordType lookup map doesn't recognise the Copilot-specific values, so Copilot events pass through with only generic field mappings applied — and the Copilot-specific payload fields that matter for security use cases are left unmapped. This is an enhancement to the existing o365 audit datastream, not a new datastream.

What this data does (and doesn't) give you

Unlike most AI-usage telemetry, Copilot audit events are unusually rich — the value is in mapping fields that are already present in the payload:

What CopilotInteraction events expose:

  • The actual resources Copilot grounded on (AccessedResources) — document IDs, SiteUrl, resource Name/Type, and the SensitivityLabelId (Purview label) on each. This is the standout signal: you can see which sensitive documents an AI response was built from.
  • Where the interaction happenedAppHost (Word, Teams, Outlook, BizChat, Excel, SharePoint, …) and AppIdentity (workloadName.appGroup.appName).
  • Built-in safety signalsXPIADetected (cross-prompt-injection attempt flag on a resource) and JailbreakDetected (on a prompt message). These are genuine threat signals, not just governance metadata.
  • Model transparencyModelProviderName (and model name/version for non-M365 scenarios).
  • Prompt/response message references (Messages: ID, isPrompt).

What it does not expose at the base tier:

  • Full prompt/response content — only available with Purview Audit Premium (E5 or add-on). At the Standard tier you get the metadata above (including sensitivity labels) but not the text of prompts/responses.
  • Human-readable sensitivity label namesSensitivityLabelId is a GUID; resolving it to a label name requires the tenant's Purview label taxonomy (a potential enrichment, not in the event).

The practical consequence: even at the Standard tier this is a strong visibility and correlation signal — Elastic can surface which sensitive documents Copilot touched, where, and whether injection/jailbreak was flagged. Content-level inspection is available too, gated only by license tier (same API, same pipeline).

Scope & data boundaries

  • Enhancement, not a new datastream: this is RecordType handling + field mapping in the existing o365 audit pipeline. Copilot events already arrive via Audit.General.
  • Prompt/response content is in-scope but gated by Purview Audit Premium — no separate collection path; the same events carry it when the tier is enabled.
  • Correlation with other M365 signals (anomalous sign-in, bulk SharePoint access, privileged-account activity) works today against the existing o365 datastreams — no additional collection required.
  • Sensitivity-label resolution (GUID → label name) is a possible downstream enrichment that needs to be explored during development.

Why this matters

  • Sensitive-data visibility & correlation: AccessedResources[].SensitivityLabelId shows when Copilot grounded a response in highly sensitive material. Correlating that with the user, app surface, and surrounding M365 activity is the primary security signal in these events.
  • Threat detection & correlation: Copilot activity joined with other M365 signals already in Elastic produces materially higher-fidelity detections than either source alone — plus the native XPIADetected / JailbreakDetected flags.
  • AI governance & visibility: Track which users, departments, and app surfaces are using Copilot, and surface anomalous usage patterns.
  • Compliance & audit: A durable, queryable record of AI tool usage to support GDPR, HIPAA, and internal acceptable-use requirements, with Premium retention up to 10 years.
  • Admin oversight: Copilot admin operations (e.g. UpdateTenantSettings, CreatePlugin, DeletePlugin, EnablePromptBook) are configuration changes that should be monitored like any other.

What needs to be supported

RecordTypes / operations to handle: Recognise and route Copilot events correctly. Verify current values against the Office 365 Management Activity API schema — Microsoft has updated these in the past. Confirmed in the current Purview Copilot schema:

  • CopilotInteraction — user interactions with Microsoft-developed Copilot apps (primary target)
  • ConnectedAIAppInteraction — custom/registered Copilot Studio or 3rd-party apps deployed in the tenant
  • AIAppInteraction — 3rd-party AI apps not deployed in the tenant (pay-as-you-go billing)
  • TeamCopilotInteraction — Teams Facilitator (AI Notes / Live Notes / meeting moderation)
  • Admin activity is logged via Operation names (UpdateTenantSettings, CreatePlugin, DeletePlugin, EnablePromptBook, …), not a dedicated RecordType. (Note: the values AICopilot and MicrosoftCopilotAdmin from earlier drafts don't appear in the current schema — confirm before relying on them.)

Key fields to map for CopilotInteraction events:

  • AccessedResources[]ID, Name, SiteUrl, Type, SensitivityLabelId, Action, and the security flags XPIADetected / PolicyDetails / Status (the most important DLP/visibility signal in these events)
  • AppHost and AppIdentity — which Copilot surface/app generated the event
  • Messages[]ID, isPrompt, and JailbreakDetected
  • ModelTransparencyDetails[]ModelProviderName (and model name/version where present)
  • AISystemPlugin — e.g. BingWebSearch indicates the response used the public web
  • Admin configuration-change operations classified appropriately

Dashboards: Copilot usage by user and app, sensitivity-label exposure in grounding contexts, admin configuration-change timeline, usage volume over time.

Sample event

⚠️ Illustrative sample. Field names follow the current Purview Copilot audit schema; values are representative. A real captured event should be added during development from an M365 E5 tenant with Copilot enabled, and the numeric RecordType confirmed against the Management API schema.

{
  "CreationTime": "2026-06-01T14:23:11",
  "Id": "aaaa1111-bbbb-2222-cccc-3333dddd4444",
  "Operation": "CopilotInteraction",
  "OrganizationId": "11112222-3333-4444-5555-666677778888",
  "RecordType": 261,
  "UserKey": "i:0h.f|membership|analyst@contoso.com",
  "UserId": "analyst@contoso.com",
  "UserType": 0,
  "Version": 1,
  "Workload": "Copilot",
  "AppIdentity": "Copilot.MicrosoftCopilot.BizChat",
  "AppHost": "Word",
  "Contexts": [
    { "ID": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/Q3-Forecast.docx", "Type": "docx" }
  ],
  "AccessedResources": [
    {
      "Action": "Read",
      "ID": "AAAAAEYE2GAACp1FlnN_CHXStUkH...AABwvq8gAAA2",
      "Name": "Q3-Forecast.docx",
      "Type": "docx",
      "SiteUrl": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/Q3-Forecast.docx",
      "SensitivityLabelId": "f41ab342-8706-4188-bd11-ebb85995028c",
      "XPIADetected": false
    }
  ],
  "Messages": [
    { "ID": "1715186983849", "isPrompt": true, "JailbreakDetected": false },
    { "ID": "1715186984291", "isPrompt": false }
  ],
  "ModelTransparencyDetails": [
    { "ModelProviderName": "Microsoft" }
  ],
  "AISystemPlugin": [
    { "Name": "BingWebSearch", "ID": "BingWebSearch" }
  ]
}

Key fields

Field Description
UserId The user who interacted with Copilot
Operation / RecordType CopilotInteraction — the AI interaction event
AppHost Copilot surface (Word, Teams, Outlook, BizChat, Excel, SharePoint, …)
AppIdentity Specific Copilot/AI app (workloadName.appGroup.appName)
AccessedResources[].SiteUrl / .Name / .Type The grounding document(s) Copilot read
AccessedResources[].SensitivityLabelId Purview sensitivity label (GUID) on the grounding doc — primary DLP signal
AccessedResources[].XPIADetected Cross-prompt-injection attack flagged on a resource
Messages[].isPrompt / .JailbreakDetected Prompt vs. response; jailbreak-attempt flag
ModelTransparencyDetails[].ModelProviderName Model publisher
AISystemPlugin.ID BingWebSearch indicates the response used the public web

Availability note: CopilotInteraction events are captured under Audit (Standard). Full prompt/response content and extended retention (up to 10 years) require Audit (Premium) — relevant to what fields are populated during testing.

Access requirements

  • Purview Audit Standard (M365 E3): captures CopilotInteraction events with metadata including sensitivity labels on referenced documents, but not prompt/response content
  • Purview Audit Premium (M365 E5 or add-on): adds full prompt and response content, extended retention up to 10 years

Development requires an M365 E5 tenant with Copilot enabled.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    9.5 candidateEpicNew IntegrationIssue or pull request for creating a new integration package.Team:Security-Service IntegrationsSecurity Service Integrations team [elastic/security-service-integrations]

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions