Control 3.1: Copilot Interaction Audit Logging (Purview Unified Audit Log)

Control ID: 3.1 Pillar: Compliance & Audit Regulatory Reference: FINRA 4511 (Books and Records), SEC 17a-3/4 (Books and Records), Sarbanes-Oxley §§302/404 (where applicable to ICFR) Last Verified: 2026-05-25 Governance Levels: Baseline / Recommended / Regulated

Objective

Configure and maintain comprehensive audit logging for all Microsoft 365 Copilot interactions using the Purview Unified Audit Log (UAL), providing a defensible record of Copilot usage that supports compliance with regulatory record-keeping requirements.

Why This Matters for FSI

Every interaction between a user and Microsoft 365 Copilot creates a potential record-keeping obligation under financial services regulations. When an analyst uses Copilot to summarize client portfolio data, when a broker uses Copilot to draft client correspondence, or when a compliance officer uses Copilot to review documents, those interactions may constitute records that must be captured, retained, and made available for regulatory examination.

FINRA Rule 4511 requires member firms to make and preserve books and records as required under FINRA rules, the Securities Exchange Act (SEA), and applicable SEA rules. SEC Rules 17a-3 and 17a-4 specify detailed requirements for creating and retaining records of business activities. Sarbanes-Oxley §§302/404 requires that management assess the effectiveness of internal controls over financial reporting, which extends to AI-assisted financial analysis and document generation.

Without systematic audit logging of Copilot interactions, firms face material gaps in their regulatory record-keeping obligations. The Purview Unified Audit Log provides the native Microsoft capability to capture these interactions, but it requires deliberate configuration and monitoring to meet FSI requirements.

Control Description

This control addresses the end-to-end lifecycle of Copilot audit logging: enabling the Unified Audit Log, understanding the CopilotInteraction event schema, configuring search and export capabilities, setting appropriate retention periods, and integrating audit data with external SIEM and archival systems.

CopilotInteraction Audit Events

Microsoft 365 captures Copilot interactions as CopilotInteraction events in the Unified Audit Log. Each event includes:

Field	Description	FSI Relevance
`CreationDate`	Timestamp of the Copilot interaction	Establishes when the interaction occurred for record-keeping timelines
`UserId`	UPN of the user who invoked Copilot	Identifies the individual for supervisory review and examination response
`Operation`	Type of Copilot activity (e.g., `CopilotInteraction`)	Classifies the nature of the AI-assisted activity
`Workload`	M365 application (Teams, Word, Excel, Outlook, etc.)	Maps to application-specific regulatory requirements
`AppAccessContext`	Details on the Copilot surface used	Identifies whether Microsoft 365 Copilot Chat, in-app, or other Copilot surface was used
`CopilotEventData`	Structured data about the interaction	Contains prompt metadata and referenced content identifiers
`AccessedResources`	Files, emails, or content Copilot referenced	Critical for understanding what data Copilot surfaced during the interaction
`AgentId`	Unique identifier for the Copilot agent invoked	Identifies which agent was used — critical for FINRA Rule 3110 supervisory mapping of agent actions to approved use cases
`AgentName`	Display name of the Copilot agent	Human-readable agent identification for supervisory review and audit trail readability
`XPIA`	Cross-plugin or inter-agent interaction detection	Flags multi-agent orchestration chains requiring full-chain telemetry per FINRA 2026 agentic supervision expectations

| JailbreakDetected | Boolean indicating whether a jailbreak attempt was detected | Security event requiring immediate escalation per 12 CFR part 30, appendix D (OCC Heightened Standards) and FFIEC incident response expectations | | SensitivityLabelId | GUID of the sensitivity label applied to accessed content | Enables verification that Copilot respected label-based access boundaries — supports Reg S-P (17 CFR Section 248.30) safeguard compliance |

Agent-Specific Audit Operations and Workloads

Current Microsoft Learn guidance records Agent 365 and Copilot Studio activity through documented operations rather than older, tenant-specific labels. Use the Search-UnifiedAuditLog -Operations parameter when searching for agent activity, and constrain the record type only to documented values such as CopilotInteraction for Agent 365 runtime events or MicrosoftCopilotStudio for Copilot Studio authoring and lifecycle events.

Agent 365 runtime operations — AIInvokeAgent, AIExecuteTool, and AIInferenceCall capture agent invocation, tool execution, and model inference events. These events support incident triage and supervisory review by showing when an agent acted and what type of runtime action occurred.

Agent 365 administrative operations — AgentRegistered, AgentDeregistered, and AgentSettingsModified capture agent registration and settings changes. These operations help provide the change-management audit trail needed for Sarbanes-Oxley §§302/404 IT general controls, where applicable to ICFR, and FINRA Rule 3110 supervisory review.

Copilot Studio workload operations — Copilot Studio events use the MicrosoftCopilotStudio workload and documented operations such as BotComponentUpdated, BotComponentDeleted, PublishBot, BotEnvironmentVariableUpdated, AgentInstalled, and AgentUninstalled. Organizations should verify these operations in their tenant's Purview Audit results before building automated workflows.

E5 vs E3 Audit Capabilities and Pay-As-You-Go Billing

Capability	E3 (Standard Audit)	E5 (Audit Premium)	PAYG (Per-Event Billing)
CopilotInteraction events	Yes	Yes	Yes
Default retention — Exchange / SharePoint / OneDrive / Microsoft Entra audit records	180 days	1 year (unmodifiable default policy)	Configured per policy
Default retention — CopilotInteraction and all other activities	180 days	180 days	Configured per policy
Custom retention policies	No	Up to 10 years (with the 10-year add-on for retention beyond defaults)	Up to 10 years
Audit search export (portal)	Up to 50,000 rows	Up to 1,000,000 rows	Up to 1,000,000 rows
High-bandwidth API access	No	Yes	Yes
Intelligent insights	No	Yes	Available
MailItemsAccessed events	No	Yes	Available
Audit search concurrency	Standard	Higher throughput	Higher throughput
Extended retention billing	N/A	Included with E5 + add-on	$0.01 per event

Audit Premium default-retention scope (Microsoft Learn): Audit (Premium) retains all Exchange Online, SharePoint, OneDrive, and Microsoft Entra audit records for one year through an unmodifiable default policy. All other activities — including CopilotInteraction, AgentAdminActivity, and AgentSettingsAdminActivity — are retained for 180 days by default, and require a custom audit retention policy to extend beyond 180 days. Reference: Manage audit log retention policies. FSI tenants relying on the E5 default for Copilot evidence should explicitly create a custom audit retention policy targeting Copilot record types rather than assume the one-year default applies.

Non-user entity retention (service principals, system events, application activities): Audit records generated by non-user entities are retained for a fixed period of one year. This retention period is not configurable and custom audit log retention policies do not apply to these records.

Pay-As-You-Go Audit Billing: Microsoft now offers a PAYG model for Purview Audit at $0.01 per event for extended retention beyond E3/E5 defaults. This model enables organizations to retain Copilot audit events for multi-year periods without requiring E5 Audit Premium licensing for every user. PAYG billing is particularly relevant for regulated firms that must retain audit records for the six-year period required by SEC Rule 17a-4(a), which mandates that broker-dealers preserve records for a minimum of six years from the date of creation.

PAYG governance controls required for FSI deployments:

Budget caps: Set spending limits in Azure Cost Management to prevent unbounded audit event accumulation during high-activity periods (e.g., regulatory examinations, M&A due diligence)
Spend threshold alerting: Configure alerts when monthly PAYG audit spend exceeds predefined thresholds — recommended at 75% and 95% of monthly budget
Per-workload cost tracking: Tag audit event streams by workload and operation (CopilotInteraction, MicrosoftCopilotStudio, Agent 365 operations, and Copilot Studio lifecycle operations) to attribute retention costs to the appropriate business unit

FSI tier guidance for audit retention:

Tier	Audit Model	Retention Period	Primary Driver
Baseline	E3 Standard Audit	180 days (default for all activities, including Copilot)	Operational visibility
Recommended	E5 Audit Premium + custom policy for Copilot record types	1 year for Exchange/SharePoint/OneDrive/Entra (default); custom policy required to extend Copilot record types beyond their 180-day default	FINRA Rule 4511 books-and-records
Regulated	E5 Audit Premium with 10-year add-on, OR PAYG with governance controls	7+ years (portal) or 10 years (PowerShell `TenYears`) for Copilot and agent record types — helps meet SEC Rule 17a-4(a) six-year preservation	SEC Rule 17a-4(a) six-year retention requirement

PowerShell duration values: New-UnifiedAuditLogRetentionPolicy -RetentionDuration accepts only ThreeMonths, SixMonths, NineMonths, TwelveMonths, or TenYears. There is no SixYears value — use TenYears in PowerShell to safely cover the 6-year SEC Rule 17a-4(a) minimum, or use the Purview portal to configure a 7-year retention duration. Reference: New-UnifiedAuditLogRetentionPolicy.

Audit Log Search Queries

Common search patterns for Copilot audit data:

All Copilot interactions in a date range:

Search-UnifiedAuditLog -StartDate "2026-01-01" -EndDate "2026-01-31" -Operations CopilotInteraction -ResultSize 5000

Copilot interactions by specific user:

Search-UnifiedAuditLog -StartDate "2026-01-01" -EndDate "2026-01-31" -Operations CopilotInteraction -UserIds "user@firm.com" -ResultSize 5000

Copilot interactions filtered by workload:

Search-UnifiedAuditLog -StartDate "2026-01-01" -EndDate "2026-01-31" -Operations CopilotInteraction -ResultSize 5000 | Where-Object { ($_.AuditData | ConvertFrom-Json).Workload -eq "MicrosoftTeams" }

Agent 365 runtime activity:

Search-UnifiedAuditLog -StartDate "2026-01-01" -EndDate "2026-01-31" -RecordType CopilotInteraction -Operations "AIInvokeAgent","AIExecuteTool","AIInferenceCall" -ResultSize 5000

Agent 365 registration and settings changes:

Search-UnifiedAuditLog -StartDate "2026-01-01" -EndDate "2026-01-31" -Operations "AgentRegistered","AgentDeregistered","AgentSettingsModified" -ResultSize 5000

Copilot Studio authoring and lifecycle events:

Search-UnifiedAuditLog -StartDate "2026-01-01" -EndDate "2026-01-31" -RecordType MicrosoftCopilotStudio -Operations "BotComponentUpdated","BotComponentDeleted","PublishBot","BotEnvironmentVariableUpdated","AgentInstalled","AgentUninstalled" -ResultSize 5000

Filter by AgentId for a specific agent audit trail:

Search-UnifiedAuditLog -StartDate "2026-01-01" -EndDate "2026-01-31" -RecordType CopilotInteraction -Operations "AIInvokeAgent","AIExecuteTool","AIInferenceCall" -ResultSize 5000 | Where-Object { ($_.AuditData | ConvertFrom-Json).AgentId -eq "your-agent-id" }

Export Copilot audit data to CSV for analysis:

$results = Search-UnifiedAuditLog -StartDate "2026-01-01" -EndDate "2026-01-31" -Operations CopilotInteraction -ResultSize 5000
$results | Select-Object CreationDate, UserIds, Operations, AuditData | Export-Csv -Path "CopilotAudit_Jan2026.csv" -NoTypeInformation

Copilot Surface Coverage

Audit logging applies across all Copilot surfaces within Microsoft 365:

Copilot Surface	Event Captured	Key Audit Data
Microsoft 365 Copilot Chat	CopilotInteraction	User prompt, referenced files/emails/chats, response metadata
Word Copilot	CopilotInteraction	Document context, draft/rewrite/summarize actions, source references
Excel Copilot	CopilotInteraction	Spreadsheet context, formula generation, data analysis actions
PowerPoint Copilot	CopilotInteraction	Presentation context, slide generation, design actions
Outlook Copilot	CopilotInteraction	Email context, draft/reply/summarize actions, recipient information
Teams Copilot	CopilotInteraction	Meeting transcript context, chat summarization, action items
Copilot Pages	CopilotInteraction	Page creation, collaborative editing, content generation
Copilot Notebooks	CopilotInteraction	Page creation, collaborative editing, content generation
Loop Copilot	CopilotInteraction	Loop component context, collaborative content actions
Copilot Agents (declarative and Copilot Studio)	CopilotInteraction, MicrosoftCopilotStudio, Agent 365 operations	Agent invocations, tool calls, registration/settings changes, Copilot Studio publishing and component updates

Coverage Gaps to Monitor

Copilot response content is not stored verbatim in standard audit events -- the audit log captures metadata about the interaction, not the full text of Copilot responses. For full content retention, configure retention policies (see Control 3.2) and eDiscovery holds (see Control 3.3).
Copilot Pages content is stored in a user-owned SharePoint Embedded container and follows SharePoint/SharePoint Embedded audit, retention, and eDiscovery workflows.
Teams meeting recap content follows Teams message retention policies.
XPIA and JailbreakDetected fields are populated only when the relevant detection event occurs — absence of these fields in an audit record does not indicate a problem; their presence requires investigation.

Governance Levels

Baseline

Verify Unified Audit Log is enabled and actively recording events
Confirm CopilotInteraction events appear in audit log searches — this is the primary RecordType covering all Microsoft-built Copilot surfaces (Word, Excel, PowerPoint, Outlook, Teams, SharePoint, OneDrive, Loop, BizChat, and others)
Verify TeamCopilotInteraction events are captured for Teams meeting AI Notes (AINotesUpdate), Live Notes (LiveNotesUpdate), and in-meeting chat (TeamCopilotMsgInteraction)
Search via the Purview portal: Microsoft Purview portal > Solutions > Audit > New search — use the Activities dropdown to select "Interacted with Copilot" or the Record types dropdown to search "Copilot" and select CopilotInteraction
Confirm via PowerShell: Search-UnifiedAuditLog -RecordType CopilotInteraction -Operations "CopilotInteraction" -ResultSize 5000
Set audit log retention to a minimum of 180 days — note E3/Audit (Standard) default is 180 days for all activities; E5/Audit (Premium) provides an unmodifiable 1-year default only for Exchange Online, SharePoint, OneDrive, and Microsoft Entra audit records, while CopilotInteraction, AgentAdminActivity, and AgentSettingsAdminActivity continue to use the 180-day default unless a custom audit retention policy extends them (extendable to 10 years via the Audit Premium 10-year add-on)
Establish a weekly manual review cadence for Copilot audit events
Document the audit log as part of the firm's books-and-records inventory

Upgrade to Audit (Premium) (E5 license tier) and create custom audit retention policies for Copilot record types — Audit (Premium) only extends the default retention to 1 year for Exchange/SharePoint/OneDrive/Entra audit records; CopilotInteraction, AgentAdminActivity, and AgentSettingsAdminActivity remain on the 180-day default until a custom policy is created
Configure custom audit retention policies for Copilot events with a minimum 1-year retention
Automate Copilot audit log exports via the Office 365 Management Activity API to external storage
Integrate Copilot audit events with Microsoft Sentinel or third-party SIEM — verify whether the connector forwards MicrosoftCopilotStudio workload events and documented Agent 365 operations; use the Office 365 Management Activity API or an alternative ingestion method where connector coverage is incomplete
Establish automated alerting for anomalous Copilot usage patterns (e.g., high-volume data access), leveraging key audit properties: AccessedResources (lists files/emails Copilot accessed, including SensitivityLabelId), Messages.JailbreakDetected (boolean flag), and ModelTransparencyDetails (model name, version, provider)
Create standardized audit search queries and save them for recurring use — include queries for CopilotInteraction, TeamCopilotInteraction, admin operations (UpdateTenantSettings, CreatePlugin, DeletePlugin, EnablePromptBook), Agent 365 operations (AIInvokeAgent, AIExecuteTool, AIInferenceCall, AgentRegistered, AgentDeregistered, AgentSettingsModified), and Copilot Studio operations (BotComponentUpdated, BotComponentDeleted, PublishBot, BotEnvironmentVariableUpdated, AgentInstalled, AgentUninstalled)
Configure recurring searches for MicrosoftCopilotStudio workload events and Agent 365 operations using the -Operations parameter; configure search queries for AgentAdminActivity (agent publish/deploy/remove/update) and AgentSettingsAdminActivity (tenant-wide Agent 365 settings) record types — these record types use the 180-day default retention on both Standard and E5/Audit (Premium); a custom audit retention policy is required to extend them up to the 10-year Audit Premium maximum
Use the Graph API for newer audit queries that support pagination: POST https://graph.microsoft.com/beta/security/auditLog/queries with recordTypeFilters including CopilotInteraction and TeamCopilotInteraction
Enable DSPM for AI as an additional storage layer — captures prompt/response pair content (not just metadata), providing more granular visibility than UAL alone

Regulated

Configure audit retention policies for 6+ years to help meet SEC Rule 17a-4(a) requirements using E5 Audit Premium with 10-year add-on retention or PAYG billing with governance controls
Implement WORM-compliant archival of Copilot audit data in a designated records management system
Establish chain-of-custody documentation for audit data exports used in regulatory responses
Configure high-bandwidth audit API access for large-scale data extraction during examinations
Implement real-time audit event streaming to SIEM for immediate compliance monitoring — supplement the M365 Sentinel connector with Office 365 Management Activity API ingestion for MicrosoftCopilotStudio workload events and Agent 365 operations when needed
Create pre-built examination response packages with Copilot audit data organized by regulatory requirement — include ConnectedAIAppInteraction (Copilot Studio/third-party apps) and AIAppInteraction (third-party SaaS AI apps via PAYG) record types for complete coverage
Conduct quarterly audit log integrity reviews to verify completeness and accuracy
Document audit log coverage gaps and compensating controls in the firm's compliance manual
Establish a JailbreakDetected response procedure — events must be investigated and escalated per the firm's security incident response plan; correlate with XPIADetected (cross-prompt injection) flags in AccessedResources and AISystemPlugin.Id = BingWebSearch (public web access) indicators

Setup & Configuration

Step 1: Verify Unified Audit Log Status

Navigate to Microsoft Purview portal
Go to Audit in the left navigation
Verify the status shows "Recording" -- if not, click Start recording user and admin activity
Note: It may take up to 24 hours for audit events to begin appearing after initial enablement

Step 2: Verify Copilot Events Are Captured

In the Purview Audit search interface, set the date range to the past 7 days
In the Activities filter, search for "Copilot" and select CopilotInteraction
Click Search and verify results appear
If no results appear and Copilot is actively in use, verify licensing and wait 24-48 hours for event pipeline propagation

Step 3: Configure Audit Retention Policies (E5 / Audit Premium)

In Purview, navigate to Audit > Audit retention policies
Click + New audit retention policy
Configure:
- Name: FSI-Copilot-Audit-Retention-7Year
- Description: Retains Copilot interaction audit events for 7 years — helps meet SEC Rule 17a-4(a) six-year preservation requirement (the Purview portal does not expose a 6-year option; valid portal durations are 7 days, 30 days, 6 months, 9 months, 1 year, 3 years, 5 years, 7 years, and 10 years)
- Record type: CopilotInteraction
- Duration: 7 years (next supported portal value above the 6-year regulatory minimum) or 10 years for additional headroom
- Priority: Set higher than default policies
Click Save
Create a second policy for agent and Copilot Studio record types:
- Name: FSI-Agent-Admin-Audit-Retention-7Year
- Record types: AgentAdminActivity, AgentSettingsAdminActivity, MicrosoftCopilotStudio (confirm availability in your tenant before saving)
- Operations to validate in search procedures: AIInvokeAgent, AIExecuteTool, AIInferenceCall, AgentRegistered, AgentDeregistered, AgentSettingsModified, BotComponentUpdated, BotComponentDeleted, PublishBot, BotEnvironmentVariableUpdated, AgentInstalled, AgentUninstalled
- Duration: 7 years (or 10 years)
- Priority: Same as the Copilot interaction policy

PowerShell equivalent: New-UnifiedAuditLogRetentionPolicy -RetentionDuration accepts only ThreeMonths, SixMonths, NineMonths, TwelveMonths, or TenYears. Use TenYears in PowerShell to satisfy the same regulatory minimum (a 7-year duration is portal-only).

Step 4: Configure Management Activity API Export

For automated export of audit data to external systems:

# Register the Management Activity API subscription for Audit.General
$tenantId = "your-tenant-id"
$authToken = "your-oauth-token"

# Start a subscription for Audit.General content (includes CopilotInteraction)
Invoke-RestMethod -Method Post -Uri "https://manage.office.com/api/v1.0/$tenantId/activity/feed/subscriptions/start?contentType=Audit.General" -Headers @{ Authorization = "Bearer $authToken" }

Step 5: Integrate with Microsoft Sentinel (Recommended)

In Microsoft Sentinel, navigate to Data connectors
Enable the Microsoft 365 data connector
Under Configuration, confirm Exchange, SharePoint, and Teams checkboxes are selected (these capture Copilot events from their respective workloads)
Create analytics rules for Copilot-specific alert scenarios (see Control 4.x for Sentinel rule templates)

Financial Sector Considerations

Regulatory Examination Response

When a FINRA or SEC examiner requests records of AI-assisted activities, the Copilot audit log serves as the primary evidence source. Firms should:

Maintain pre-built audit search queries for common examiner requests (e.g., "all Copilot interactions by registered representatives in Q4 2025")
Document the audit log schema and data dictionary for examiner reference
Prepare explanatory materials describing what Copilot audit events represent and their limitations
Test audit data export workflows quarterly to verify they produce examination-ready output
Include AgentId and AgentName in examination packages to demonstrate which agents were used by which users

Cross-Workload Correlation

Copilot interactions often span multiple workloads in a single user workflow (e.g., a user drafts a client letter in Word Copilot, then sends it via Outlook Copilot). Audit analysis should correlate events across workloads using UserId and timestamp proximity to reconstruct complete interaction chains.

Volume Planning

Large FSI deployments may generate significant audit log volume. Plan for:

Storage capacity in archival systems based on estimated Copilot adoption rates
API throughput limits when extracting large volumes of audit data
Search performance considerations when querying multi-year audit datasets
Cost implications of long-term audit data storage in Azure or third-party archival — evaluate PAYG billing vs. E5 Audit Premium licensing based on event volume projections

Data Sovereignty

For firms operating across jurisdictions, verify that audit log data residency aligns with regulatory requirements. Microsoft 365 audit logs are stored in the tenant's primary data location. Firms with multi-geo configurations should verify Copilot audit data residency.

Verification Criteria

#	Verification Step	Expected Outcome	Governance Level
1	Search for CopilotInteraction events in Purview Audit	Events appear within 24-48 hours of Copilot usage	Baseline
2	Verify audit log shows "Recording" status	Status is active	Baseline
3	Export Copilot audit events to CSV	CSV contains valid CopilotInteraction records with expected fields including AgentId/AgentName where applicable	Baseline
4	Verify Audit (Premium) is licensed and enabled	Audit Premium features available in Purview portal	Recommended
5	Confirm custom retention policy is active	6-year retention policy shows "Enabled" status	Regulated
6	Verify Management Activity API subscription is active	API returns CopilotInteraction events in Audit.General content type	Recommended
7	Confirm Sentinel receives Copilot audit events	Copilot events appear in Sentinel logs within expected latency	Recommended
8	Run a mock examination data extraction	Complete audit data export for a specified user/date range within 4 hours	Regulated
9	Verify WORM archival integrity	Archived audit data is immutable and passes integrity verification	Regulated
10	Review audit log completeness report	No gaps in Copilot event capture for licensed users over 30-day sample	Regulated
11	Search for documented Agent 365 and Copilot Studio operations	Known agent runtime, registration/settings, publishing, and component-change events appear using `-Operations` searches	Recommended
12	Verify PAYG billing controls (if applicable)	Budget caps and spend alerts are active; monthly spend within approved limits	Regulated

Advisory: Security Copilot E5 Auto-Activation — Audit Impact

New Audit Event Source — April–June 2026

Security Copilot is being auto-enabled for M365 E5 tenants (April 20–June 30, 2026) with 400 SCUs per 1,000 users. This introduces a new category of AI-generated audit events that organizations should capture and monitor.

Audit logging implications:

New event types: Security Copilot generates its own activity records in the Purview unified audit log. These events capture AI-driven security investigations, autonomous agent actions, and Security Copilot user interactions across Defender, Entra, and Purview portals.
Retention scope: Existing Copilot audit log retention policies should be verified to confirm they cover Security Copilot activity events. Organizations subject to FINRA Rule 4511(a) or SEC Rule 17a-4 should ensure Security Copilot records are within retention scope.
SIEM forwarding: If the organization forwards Copilot audit events to Sentinel or a third-party SIEM (see Control 4.11 — Sentinel Integration), Security Copilot events should be included in the forwarding configuration.
Examination readiness: Examiners may request evidence of AI tool usage within security operations. Security Copilot audit records should be included in evidence collection procedures (see Control 3.12 — Evidence Collection).

Recommended actions:

Verify that Purview audit log retention policies cover Security Copilot activity events
Update audit log search procedures to include Security Copilot event types
Extend SIEM forwarding rules to capture Security Copilot activities
See Control 2.9 — Defender for Cloud Apps for E5 auto-activation details and opt-out path

Additional Resources

Microsoft Purview Audit documentation
Audit (Premium) in Microsoft Purview
Search the audit log in Microsoft Purview
Office 365 Management Activity API reference
Microsoft Sentinel data connector for Microsoft 365
Microsoft Open-Source Copilot Analytics Tools - Companion repositories from Analytics Hub for audit export, evidence collection, and downstream reporting
FINRA Rule 4511 (Books and Records)
SEC Rule 17a-3 / 17a-4
Control 3.2 -- Data Retention Policies
Control 3.11 -- Record Keeping and Books-and-Records Compliance
Related Controls: 3.2 Data Retention Policies, 3.11 Record Keeping, 4.5 Usage Analytics, 4.11 Sentinel Integration

FSI Copilot Governance Framework v1.4.0 - April 2026