Auditing is a critical feature in any security solution, providing visibility into user activities and system events. With Microsoft Security Copilot, auditing is taken to the next level by leveraging advanced capabilities to analyze and interpret audit logs. This feature helps organizations gain insights into their admin and user activities, detect usage and activity anomalies, and ensure compliance with regulatory requirements. By sending Security Copilot audit logs into your cloud-native SIEM, users can gain deeper insights into their Security Copilot usage and take proactive measures to mitigate risks.
We recommend you read through our Privacy and data security document to understand more about what data we are capturing, as well as how to enable Purview Audit logs: Access the Copilot for Security Audit Log.
About Our Solution
Our solution enhances traditional audit logs through the Unified Audit Log (UAL) by providing a centralized and comprehensive view of all user and system activities across various Microsoft services. The UAL aggregates data from multiple sources, including Microsoft 365, Azure, and third-party applications, offering a holistic view of security events. This integration allows for more effective monitoring, quicker incident response, and improved compliance reporting. Additionally, Security Copilot uses AI to identify patterns and anomalies, providing actionable insights and recommendations to strengthen your security posture.
For a more comprehensive guide on how to create a search job in Purview, please visit our documentation here.
Security Copilot customers can now access audit events natively through Microsoft Purview by navigating to Audit unified logs and searching. On the Search Page, refine and filter the base record type and time range, then create a Search job.
To create a search for Security Copilot you will need to select the workload:
Figure 1: Selecting Workload
The Security Copilot Enhance Audit solution improves audit logging for Copilot. This custom solution includes:
- Microsoft Sentinel connector that reads data from the Office Management API and writes it to Log Analytics Workspace.
- Azure workbook that provides insights on the ingested data.
- Detection rules deployed in Microsoft Sentinel to alert defenders of anomalous events.
This solution provides streaming audit logging, facilitating advanced queries and detections. It also correlates logs with other data to enhance security insights.
Prerequisites/Preparation
Enable the audit log capability in Security Copilot
During the first run experience, a Security Administrator is given the option of opting into allowing Microsoft Purview to access, process, copy and store admin actions, user actions, and Copilot responses. For more information, see Get started with Security Copilot.
Security Administrators can also access this option through the Owner settings page.
Use the following steps to update the audit log settings:
- Sign in to Security Copilot (https://securitycopilot.microsoft.com).
- Select the home menu icon.
- Navigate to the Owner settings > Logging audit data in Microsoft Purview.
For a step-by-step guide on each of these actions, please refer to this GitHub repository: https://github.com/Azure/Security-Copilot/tree/main/Monitoring/IngestSecurityCopilotAuditlogs
Deploying the Security Copilot Audit Logs Connector via the CloudAppEvents Table
You can seamlessly use the XDR connector within Microsoft Sentinel and Defender to ingest Security Copilot audit logs. This is achieved by enabling Defender raw event logs into your Sentinel workspace. In this case, our focus is on the CloudAppEvents table.
To learn more about the CloudAppEvents table and its schema, refer to the advanced hunting schema documentation here.
This will bring the events Security Copilot logs directly into Sentinel, thus allowing you to deploy the workbook.
To verify that the connector is functioning and sending data to the configured workspace:
- Wait for 5-10 minutes.
- Open the workspace and go to the log section.
- In the logs canvas, enter the following KQL query:
CloudAppEvents
| where parse_json(RawEventData)["AppIdentity"] == 'Copilot.Security.SecurityCopilot'
| where parse_json(RawEventData)["Workload"] == 'Copilot'
If results appear, you can proceed with setting up the workbook and deploying the detection rules.
Deploying Detection Rules
- To deploy the 3 analytics rules, press the deploy button located here:
https://github.com/Azure/Copilot-For-Security/tree/main/Monitoring/IngestSecurityCopilotAuditlogs
Figure 5: Deploy button
Once you've clicked the deploy button and authenticated with an Azure deployment user, complete the required parameters.
Figure 6: Completing parameters
- Log Analytics Workspace Name – Use the same Sentinel workspace name as the connector.
Once deployment is complete, open Sentinel and go to analytics.
Search for "Copilot" rules and enable them.
Figure 7: Searching 'Copilot' rules
The above detection rules complement this audit solution. We have provided three sample detections, highlighted below:
- Security Copilot - TI map IP entity to Prompts
This rule looks back one hour into the Copilot for Security audit logs and identifies whether any prompting has been done from an IP address that matches an IOC that has been active within the last 14 days.
- Security Copilot - Anomalous sign-in activity by Security Copilot user
This rule detects anomalous user log-on and resource access associated with usage of Copilot for Security where any of these operations have been executed: DeleteCopilotPromptBook, DisableCopilotPlugin, DeleteFile or EnableCopilotPlugin. The rule checks whether these operations have been performed by a user from a connection that is used for the first time in the tenant, whether it's from a country their peers don't normally connect from, and whether it's uncommon for them to access Copilot for Security.
- Security Copilot - Anomalous Operations by Copilot for Security User
Detects anomalous operations involving actions such as "DisableCopilotPlugin", "DeleteFile", "UpdatePluginSettings", or "DeleteCopilotPromptBook". The detection uses the KQL basket() function to detect whether any of these activities have been performed by a user that does not typically perform these operations, based on a 14-day baseline.
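As an added illustration of the third detection's approach (this is not the rule shipped in the repository), the query below flags watched Security Copilot operations performed in the last hour by a user who has not performed that operation in the preceding 14 days. It reuses the CloudAppEvents filter from the connector verification query, assumes the UAL operation name surfaces in the ActionType column, and substitutes a leftanti join against the baseline for the basket() plugin the real rule uses.

```kql
// Added example, not the repository's analytics rule. Detects Security
// Copilot management operations that a user has not performed in the
// previous 14 days (baseline join instead of basket()).
let lookback = 14d;          // baseline period
let window   = 1h;           // rule scheduling / lookback window
let watched_ops = dynamic(["DisableCopilotPlugin", "DeleteFile",
                           "UpdatePluginSettings", "DeleteCopilotPromptBook"]);
// Security Copilot events as they land in CloudAppEvents via the XDR connector
// (same AppIdentity/Workload filter as the verification query).
let CopilotEvents = CloudAppEvents
    | extend Raw = parse_json(RawEventData)
    | where tostring(Raw.AppIdentity) == "Copilot.Security.SecurityCopilot"
    | where tostring(Raw.Workload) == "Copilot"
    // Assumption: the UAL Operation value is exposed as ActionType.
    | extend Operation = tostring(ActionType)
    | where Operation in (watched_ops);
// Baseline: which users performed which watched operation during the 14 days
// that end where the current window begins.
let Baseline = CopilotEvents
    | where Timestamp between (ago(lookback + window) .. ago(window))
    | summarize BaselineCount = count() by AccountObjectId, Operation;
// Current window: keep only user/operation pairs absent from the baseline.
CopilotEvents
| where Timestamp > ago(window)
| join kind=leftanti Baseline on AccountObjectId, Operation
| project Timestamp, AccountObjectId, AccountDisplayName, Operation,
          ObjectName, IPAddress, CountryCode, IsAdminOperation
| order by Timestamp desc
```

Scheduled hourly with a one-hour lookback, the query yields one row per first-seen user/operation pair; a user who has never disabled a plugin and suddenly does so from a new country shows up here and can be triaged against the sign-in widget in the workbook.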
Deploying the Workbook
To deploy the workbook, press the deploy button located here:
https://github.com/Azure/Copilot-For-Security/tree/main/Monitoring/IngestSecurityCopilotAuditlogs
Figure 8: Deploy button
After pressing the deploy button and authenticating with an Azure deployment user, fill in the required parameters:
Figure 9: Completing parameters
- Log Analytics Workspace Name – Use the same Sentinel workspace name as the connector.
Once deployment is complete, open Sentinel and go to Workbooks.
Open My Workbooks and locate the workbook named "Security Copilot Audit".
Press View Saved Workbook.
Figure 10: Finding your saved workbook
Note: filters apply to all the widgets simultaneously. You can filter by Time Range and Workspace.
What can we find in the Workbook?
We designed this workbook to answer the most important questions our customers have. With that in mind, we created 3 separate widgets that focus on: an all-up view in the Dashboard, information about sign-ins (especially failed sign-ins), and lastly information about SCU changes.
Now, let’s take a look at each of them individually:
Security Copilot Audit Dashboard
Figure 11: Security Copilot Audit Dashboard
In the first view, we have some general information about how Security Copilot has been used. Here we can find:
Figure 12: First view
We also provide a visual chart of prompt numbers over time, allowing you to identify busier periods and understand which Security Copilot experience drives usage.
Figure 13: Visual chart of prompt numbers over time
In the next graphs, we focus on three different aspects of the logs:
- Security Copilot interactions: this will show you the different types of interactions users have performed (changing a promptbook, creation of a plugin, deletion of a plugin, etc.)
- Security Copilot interactions by Location: this shows you a visual map of where all the interactions occurred
- Top Users Prompts: this table will show you the user and the number of prompts they have performed
Following this, we have a list of Promptbook interactions where we can see who created, deleted or updated promptbooks:
Figure 16: List of promptbook interactions
In the next two graphs we can find who enabled and disabled different plugins:
Figure 17: List of enabled and disabled plugins
In the final graph we can find a list of the users who made changes either at a tenant level or user level:
Figure 18: Graph of user changes
Security Copilot Sign-in Data
In the second widget that we created, you can filter and see all of the sign-in data in Security Copilot. This widget has four components:
- A visual representation of successful and failed sign-ins by location
- Successful sign-ins: here you can see all the data about every user's successful sign-in, such as IP Address, Location, Platform, OS Platform and more.
- Failed sign-ins: here you can see the data about a user's unsuccessful sign-ins, such as the reason for the authentication failure, IP Address, and more granular information about the attempted sign-in.
- Lastly, we have a graph depicting all the different reasons for the unsuccessful sign-ins. These can include: Flow token expired, User did not pass the MFA challenge, Invalid username or password or Invalid on-premises username or password, etc.
Security Copilot SCU Events
The last widget that we implemented is Security Copilot SCU Events. Here you can view the number of purchased SCUs as well as any changes made to them. For example, you can see increases or decreases in the SCUs and who performed the change.
Figure 23: List of SCU changes
Lastly, we have SCU Capacity Activity, where we can find SCU alignment operations.
The integration of Microsoft Security Copilot with Microsoft Sentinel provides a powerful, AI-driven solution for monitoring and analyzing audit logs across your organization’s security landscape. This setup offers deeper visibility into user activities and system events, enabling more proactive threat detection and compliance management. With features like anomaly detection, custom connectors, and interactive workbooks, Security Copilot simplifies and strengthens your security operations. Ready to take your security to the next level? Explore our GitHub repository to get started with the setup or contact our team to learn more about enhancing your organization's security posture.
Updated Nov 26, 2024, Version 3.0
RozaliaJarnea, Microsoft
Microsoft Security Copilot Blog