Monitor User Activities and System Events with Security Copilot and Microsoft Sentinel

We do recommend you read through the our Privacy and data security document to understand more about what data we are capturing Privacy and data security as well as how to enable Purview Audit logs: Access the Copilot for Security Audit Log

About Our Solution

Our solution enhances traditional audit logs through the Unified Audit Log (UAL) by providing a centralized and comprehensive view of all user and system activities across various Microsoft services. The UAL aggregates data from multiple sources, including Microsoft 365, Azure, and third-party applications, offering a holistic view of security events. This integration allows for more effective monitoring, quicker incident response, and improved compliance reporting. Additionally, Security Copilot uses AI to identify patterns and anomalies, providing actionable insights and recommendations to strengthen your security posture.

For a more comprehensive guide on how to create a search job in Purview, please visit our documentation here.

Security Copilot customers can now access audit events natively through Microsoft Purview by navigating to Audit unified logs and searching. On the Search Page, refine and filter the base record type and time range, then create a Search job.

To create a search for Security Copilot you will need to select the workload:

Figure 1: Selecting Workload

Security Copilot Enhance Audit solution improves audit logging for Copilot. This custom solution includes:

• Microsoft Sentinel connector that reads data from the Office Management API and writes it to Log Analytics Workspace.
• Azure workbook that provides insights on the ingested data.
• Detection rules deployed in Microsoft Sentinel to alert defenders of anomalous events.

This solution provides streaming audit logging, facilitating advanced queries and detections. It also correlates logs with other data to enhance security insights.

Prerequisites/Preparation

Enable the audit log capability in Security Copilot

During the first run experience, a Security Administrator is given the option of opting into allowing Microsoft Purview to access, process, copy and store admin actions, user actions, and Copilot responses. For more information, see Get started with Security Copilot.

Security Administrators can also access this option through the Owner settings page.

Use the following steps to update the audit log settings:

1. Sign in to Security Copilot (https://securitycopilot.microsoft.com).
2. Select the home menu icon.
3. Navigate to the Owner settings > Logging audit data in Microsoft Purview.

Figure 2: Logging audit data in Microsoft Purview

For a step-by-step guide on each of these actions, please refer to this GitHub repository: https://github.com/Azure/Security-Copilot/tree/main/Monitoring/IngestSecurityCopilotAuditlogs

Deploying the Security Copilot Audit Logs Connector via the CloudAppEvents Table

You can seamlessly use the XDR connector within Microsoft Sentinel and Defender to ingest Security Copilot audit logs. This is achieved by enabling Defender raw event logs into your Sentinel workspace. In this case, our focus is on the CloudAppEvents table.

To learn more about the CloudAppEvents table and its schema, refer to the advanced hunting schema documentation here.

 

This will bring the events Security Copilot logs directly into Sentinel, thus allowing you to deploy the workbook.

To verify that the connector is functioning and sending data to the configured workspace:

• Wait for 5-10 minutes.
• Open the workspace and go to the log section.
• In the logs canvas, enter the following KQL query:

CloudAppEvents

| where parse_json(RawEventData)["AppIdentity"] == 'Copilot.Security.SecurityCopilot'

| where parse_json(RawEventData)["Workload"] == 'Copilot'

If results appear, you can proceed with setting up the workbook and deploying the detection rules. 

Deploying Detection Rules 

1. For deploying the 3 analytics rules, press on the deploy button location here

https://github.com/Azure/Copilot-For-Security/tree/main/Monitoring/IngestSecurityCopilotAuditlogs

Figure 5: Deploy button

Once you've clicked the deploy button and authenticated with an Azure deployment user, complete the required parameters.

Figure 6: Completing parameters

• Log Analytics Workspace Name – Use the same Sentinel Workspace name as the connector.

Once deployment is complete, open Sentinel and go to analytics.

Search for "Copilot" rules and enable them.

Figure 7: Searching 'Copilot' rules

The above detection rules will complement this audit solution. We have provided three sample detections as highlighted below:

• Security Copilot - TI map IP entity to Prompts

This rule looks back one hour into the Copilot for Security Audit logs and identifies whether any prompting has been done from an IP that has been matched as an IOC that has been active for up to the last 14 days.

• Security Copilot - Anomalous sign-in activity by Security Copilot user

This rule detects anomalous user log on and resource access associated with usage of Copilot for Security where any of these operations have been executed: DeleteCopilotPromptBook,DisableCopilotPlugin,DeleteFile or EnableCopilotPlugin.  The rule checks whether these operations have been performed by a user that has performed them from a connection that is used for the first time in the tenant, whether its from a country their peers don’t normally connect from and whether its uncommon for them to access Copilot for Security.

• Security Copilot - Anomalous Operations by Copilot for Security User

Detect Anomalous operations involving actions such as "DisableCopilotPlugin" , "DeleteFile" , "UpdatePluginSettings" , or  "DeleteCopilotPromptBook". The detection uses the KQL basket() function to detect whether any these activities have been performed by a user that does not typically perform these operations based on a 14 day baseline.

Deploying the Workbook

To deploy the Workbook, press on the deploy button located here:

https://github.com/Azure/Copilot-For-Security/tree/main/Monitoring/IngestSecurityCopilotAuditlogs

Figure 8: Deploy button

After pressing the deploy button and authenticating with an Azure deployment user, fill in the above parameters.

Figure 9: Completing parameters

• Log Analytics Workspace Name – Use the same Sentinel Workspace name as the connector.

Once deployment is complete, open Sentinel and go to Workbook.

Open My Workbooks and locate the workspace with the name “Security Copilot Audit”.

Press on View Saved Workbook

Figure 10: Finding your saved workbook

Note: Please note that filters apply to all the widgets simultaneously. You can filter by Time Range and Workspace. 

What can we find in the Workbook?

We designed this workbook to satisfy the most important questions our customers have. With that in mind, we created 3 separate widgets that focus on: an all up view in the Dashboard, information about sign-ins, especially failed sign-ins, and lastly information about SCU changes.

Now, let’s take a look at each of them individually:

Security Copilot Audit Dashboard

Figure 11: Security Copilot Audit Dashboard

In the first view, we have some general information about how Security Copilot has been used. Here we can find:

Figure 12: First view

We will also provide a visual chart of prompt numbers over time, allowing you to identify busier periods and understand which Security Copilot Experience drives usage.

Figure 13: Visual chart of prompt numbers over time

In the next graphs, we are focusing on three different aspects of the logs:

1. Security Copilot interactions: this will show you the different types of interactions users have performed (changing a promptbook, creation of a plugin, deletion of a plugin, etc.)
2. Security Copilot interactions by Location: this shows you a visual map of where all the interactions occurred
3. Top Users Prompts: this table will show you the user and the number of prompts they have performed

Figure 14: Security Copilot chart of prompts per experienceFigure 15: Top user prompts within the chart

Following this, we have a list of Promptbook interactions where we can see who created, deleted or updated promptbooks:

Figure 16: List of promptbook interactions

In the next two graphs we will be able to find who enabled and disabled different plugins

Figure 17: List of enabled and disabled plugins

In the final graph we will be able to find a list of the users who made changes either at a tenant level or user level:

Figure 18: Graph of user changes

Security Copilot Sign in Data

In the Second Widget that we created, you will be able to filter and see all of the sign-in data in Security Copilot. As such, to this widget we have four components:

1. A visual representation of successful and Failed sign-ins by location
2. Successful sign-ins: here you will be able to see all the data about every user’s successful sign-in such as IP Address, Location, Platform and OS Platform and more.
3. Failed sign-ins: here you will be able to see the data about a user's unsuccessful sign ins such as the reason for the authentication fail, IP Address, as well as more granular information about the attempted sign-in
4. Lastly, we have a graph depicting all the different reasons for the unsuccessful sign-ins. These can include: Flow token expired, User did not pass the MFA challenge, Invalid username or password or Invalid on-premises username or password, etc.

Figure 19: Visual representation of successful or failed logins by regionFigure 20: List of successful sign-insFigure 21: List of failed sign-insFigure 22: Chart of failed sign-ins by reasons

Security Copilot SCU Events

The last Widget that we implemented is Security Copilot SCU Events. Here you will be able to view the number of purchased SCU's as well as any changes that is done to them. For example, you will be able to see increases or decreases in the SCUs and who has performed the change.

Figure 23: List of SCU changes

Lastly, we have SCU Capacity Activity where we will be able to find SCU alignment operation.

The integration of Microsoft Security Copilot with Microsoft Sentinel provides a powerful, AI-driven solution for monitoring and analyzing audit logs across your organization’s security landscape. This setup offers deeper visibility into user activities and system events, enabling more proactive threat detection and compliance management. With features like anomaly detection, custom connectors, and interactive workbooks, Security Copilot simplifies and strengthens your security operations. Ready to take your security to the next level? Explore our GitHub repository to get started with the setup or contact our team to learn more about enhancing your organization's security posture.