
M365 Copilot logs to Azure Sentinel

Open AbhishekChourey17 opened this issue 7 months ago • 3 comments

Hi, I just want visibility of M365 Copilot logs in Azure Sentinel. I already have the M365 data connector integrated. Do I have to integrate any other data connector for that?

AbhishekChourey17, Jun 18 '25 08:06

Hi @AbhishekChourey17, thanks for flagging this issue. We will investigate this issue and get back to you with some updates. Thanks!

v-tsawant, Jun 18 '25 08:06

From what I understand, telemetry for Copilot usage may be found in Microsoft Graph logs, Unified Audit Logs (UAL), Microsoft Purview logs, and Microsoft Entra ID logs.

Copilot-specific logging is part of: Microsoft 365 Audit Logs (Unified Audit Log); Microsoft Graph Activity Logs (Entra ID logs); Microsoft Purview (particularly audit); Entra ID sign-ins with API scopes and permission grants

ref. https://learn.microsoft.com/en-us/purview/audit-copilot

CarnegieJ, Jun 18 '25 21:06

Still not clear. Is any modification required in the existing integration, or is it enough that the M365 Copilot license is enabled for specific users and the logs will get auto-forwarded to Sentinel?

AbhishekChourey17, Jun 19 '25 06:06

Hi @AbhishekChourey17, to ensure that M365 Copilot logs are available in Azure Sentinel, no additional modification to the existing integration is typically needed, provided the following requirements are met:

Users must have a Microsoft 365 Copilot license assigned to them. Only activities performed by licensed users will be logged. You can review licensing requirements here: https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-requirements

Please ensure that the "Unified Audit Log" (UAL) is enabled for ingestion within your environment, as Copilot activity is surfaced through UAL. For guidance on verifying and enabling audit logging, refer to: https://learn.microsoft.com/en-us/purview/audit-copilot

Once both conditions are satisfied, Copilot-related logs will automatically be forwarded to Sentinel via your existing Microsoft 365 data connector.

v-tsawant, Jul 03 '25 07:07

Hi @AbhishekChourey17, if all your questions related to this GitHub issue have been addressed, would you like me to close the issue? Please let me know if you need any further assistance. Thanks!

v-tsawant, Jul 07 '25 03:07

Hi @AbhishekChourey17, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 09-07-2025, we will be closing this issue. Thanks!

v-tsawant, Jul 08 '25 03:07

Hi @AbhishekChourey17, as there has been no response from the author after the gentle reminder, the issue has been closed as per our standard operating procedures.

v-tsawant, Jul 09 '25 03:07