Microsoft Sentinel Blog
The Microsoft Copilot Data Connector for Microsoft Sentinel is Now in Public Preview

Matt_Lowe
Feb 03, 2026

We are happy to announce a new data connector that is available to the public: the Microsoft Copilot data connector for Microsoft Sentinel. The connector ingests audit logs and activities generated by the different Copilot offerings into Microsoft Sentinel and the Microsoft Sentinel data lake. Copilot activities can then be used within Microsoft Sentinel features such as analytic rules/custom detections, Workbooks, automation, and more. Sending Copilot data to the Sentinel data lake also opens up integrations with custom graphs, MCP server, and more, while offering lower-cost ingestion and longer retention as needed.

Eligibility for the Connector

The connector is available to all Microsoft Sentinel customers, but it will only ingest data for environments that have access to Copilot licenses and SCUs, because the activities rely on Copilot being used. These logs are available via the Purview Unified Audit Log (UAL) feed, which is available and enabled for all users by default. A major benefit of this connector is that users no longer need to go to the Purview Portal to see these activities: they are brought into the workspace proactively, enabling SOCs to build detections and threat hunt on this information.

Note: This data connector is a single-tenant connector, meaning that it will ingest the data for the entire tenant that it resides in. This connector is not designed to handle multi-tenant configurations.

What’s Included in the Connector

The following record types from the Office 365 Management API are supported by this connector:

  • 261 CopilotInteraction
  • 310 CreateCopilotPlugin
  • 311 UpdateCopilotPlugin
  • 312 DeleteCopilotPlugin
  • 313 EnableCopilotPlugin
  • 314 DisableCopilotPlugin
  • 315 CreateCopilotWorkspace
  • 316 UpdateCopilotWorkspace
  • 317 DeleteCopilotWorkspace
  • 318 EnableCopilotWorkspace
  • 319 DisableCopilotWorkspace
  • 320 CreateCopilotPromptBook
  • 321 UpdateCopilotPromptBook
  • 322 DeleteCopilotPromptBook
  • 323 EnableCopilotPromptBook
  • 324 DisableCopilotPromptBook
  • 325 UpdateCopilotSettings
  • 334 TeamCopilotInteraction
  • 363 Microsoft365CopilotScheduledPrompt
  • 371 OutlookCopilotAutomation
  • 389 CopilotForSecurityTrigger
  • 390 CopilotAgentManagement

These record types are well suited to monitoring users who have permission to make changes to Copilot across the environment. The data can help identify anomalous interactions between users and Copilot, unauthorized access attempts, or malicious prompt usage.
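The following added example (not from the original post and not Microsoft's code) triages records in the Office 365 Management Activity API common schema (`RecordType`, `UserId`, `CreationTime`) and reports Copilot configuration changes made by accounts outside an approved-administrator list. The sample records, account names, the allowlist, and the choice to treat record types 310-325 and 390 as configuration changes are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Record types listed in this post (Office 365 Management API AuditLogRecordType).
COPILOT_RECORD_TYPES = {
    261: "CopilotInteraction", 310: "CreateCopilotPlugin", 311: "UpdateCopilotPlugin",
    312: "DeleteCopilotPlugin", 313: "EnableCopilotPlugin", 314: "DisableCopilotPlugin",
    315: "CreateCopilotWorkspace", 316: "UpdateCopilotWorkspace",
    317: "DeleteCopilotWorkspace", 318: "EnableCopilotWorkspace",
    319: "DisableCopilotWorkspace", 320: "CreateCopilotPromptBook",
    321: "UpdateCopilotPromptBook", 322: "DeleteCopilotPromptBook",
    323: "EnableCopilotPromptBook", 324: "DisableCopilotPromptBook",
    325: "UpdateCopilotSettings", 334: "TeamCopilotInteraction",
    363: "Microsoft365CopilotScheduledPrompt", 371: "OutlookCopilotAutomation",
    389: "CopilotForSecurityTrigger", 390: "CopilotAgentManagement",
}
# Assumption: 310-325 and 390 are treated as configuration changes, the rest as usage.
CHANGE_TYPES = set(range(310, 326)) | {390}

def unapproved_changes(raw_lines, approved_admins):
    """Map each non-approved UserId to its Copilot change events, oldest first."""
    approved = {a.lower() for a in approved_admins}
    findings = defaultdict(list)
    for line in raw_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed export lines
        rtype = rec.get("RecordType") if isinstance(rec, dict) else None
        if not isinstance(rtype, int) or rtype not in CHANGE_TYPES:
            continue  # usage events and non-Copilot record types are out of scope
        user = str(rec.get("UserId") or "unknown").lower()
        if user not in approved:
            when = str(rec.get("CreationTime") or "")
            findings[user].append((when, COPILOT_RECORD_TYPES[rtype]))
    return {u: sorted(events) for u, events in findings.items()}

# Constructed sample records (not real audit data), one JSON object per line.
SAMPLE = [
    '{"CreationTime":"2026-02-03T10:07:00","RecordType":314,"UserId":"Dev1@contoso.example"}',
    '{"CreationTime":"2026-02-03T10:01:00","RecordType":261,"UserId":"dev1@contoso.example"}',
    '{"CreationTime":"2026-02-03T10:05:00","RecordType":312,"UserId":"dev1@contoso.example"}',
    '{"CreationTime":"2026-02-03T10:06:00","RecordType":325,"UserId":"secadmin@contoso.example"}',
    '{"CreationTime":"2026-02-03T10:08:00","RecordType":390',
]
APPROVED = ["SecAdmin@contoso.example"]  # hypothetical allowlist of Copilot administrators
if __name__ == "__main__":
    for user, events in unapproved_changes(SAMPLE, APPROVED).items():
        print(user, events)
```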

How to Deploy the Connector

The connector is available via the Microsoft Sentinel Content Hub and can be installed today. To find the connector:

  1. Within the Defender Portal, expand the Microsoft Sentinel navigation in the left menu.
  2. Expand Configuration and select Content Hub.
  3. Within the search bar, search for “Copilot”.
  4. Click on the solution that appears and click Install.
  5. Once the solution is installed, the connector can be configured by clicking on the connector within the solution and selecting Open Connector Page.
  6. To enable the connector, the user will need either Global Administrator or Security Administrator on the tenant.

Once the connector is enabled, the data will be sent to the table named CopilotActivity.

Note: Data ingestion costs apply when using this data connector. Pricing is based on the settings of the Microsoft Sentinel workspace or on Microsoft Sentinel data lake tier pricing.

As this data connector is in Public Preview, users can start deploying this connector right now! As always, let us know what you think in the comments so that we may continue to build what is most valuable to you. We hope that this new data connector continues to assist your SOC with highly valuable insights that best empower your security.

Resources:

Office Management API Event Number List:

https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype 

Purview Unified Audit Log Library: Audit log activities | Microsoft Learn

Copilot Inclusion in the Microsoft E5 Subscription: Learn about Security Copilot inclusion in Microsoft 365 E5 subscription | Microsoft Learn

Microsoft Sentinel: What is Microsoft Sentinel SIEM? | Microsoft Learn

Microsoft Sentinel Platform: Microsoft Sentinel data lake overview - Microsoft Security | Microsoft Learn

Updated Feb 03, 2026
Version 2.0