
Control 4.11: Microsoft Sentinel Integration for Copilot Events

Control ID: 4.11
Pillar: Operations & Monitoring
Regulatory Reference: FFIEC IT Examination Handbook (Information Security), SOX Section 404, NYDFS Part 500, GLBA 501(b)
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated


Objective

Establish Microsoft Sentinel integration for Microsoft 365 Copilot security events, including data connector configuration, KQL-based detection queries for Copilot audit events, automated alert rules, monitoring workbooks, and SOAR playbooks for Copilot-related security incidents, to support compliance with security monitoring requirements and provide centralized visibility into AI-related security events.

Why This Matters for FSI

Financial institutions are expected to maintain security monitoring capabilities proportional to their technology risk profile. Deploying AI tools like Microsoft 365 Copilot without corresponding security monitoring creates a visibility gap that regulators may identify as a control deficiency.

FFIEC IT Examination Handbook: The Information Security booklet expects institutions to implement monitoring systems that detect unauthorized access, suspicious activity patterns, and policy violations. Copilot interactions that access sensitive data, cross information barriers, or trigger DLP policies generate security events that should be captured and analyzed centrally.

SOX Section 404: For public financial institutions, security monitoring of AI tools that process financial data supports the assertion that IT general controls are operating effectively. Sentinel integration provides the evidence trail that auditors expect.

NYDFS Part 500: Requires covered entities to implement monitoring systems capable of detecting cybersecurity events. Copilot-related security events -- unauthorized data access, anomalous usage patterns, policy violations -- fall within this scope.

GLBA 501(b): Requires administrative, technical, and physical safeguards that include monitoring for unauthorized access to customer information. Copilot can surface customer information across the M365 environment, making monitoring of Copilot interactions essential for safeguard compliance.

Microsoft Sentinel, as a cloud-native SIEM/SOAR platform, provides the natural integration point for Copilot security monitoring within the Microsoft 365 ecosystem. It can ingest Copilot audit events, correlate them with other security signals, and automate response actions.

Disclaimer

This control is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. See full disclaimer.

Control Description

Sentinel Data Connectors for Copilot Events

Copilot security events are captured through multiple data sources that can be connected to Sentinel:

Data Connector | Events Captured | Configuration
Microsoft 365 | Copilot audit events in Unified Audit Log | Enable Microsoft 365 connector in Sentinel
Microsoft Purview | DLP policy matches involving Copilot, sensitivity label events | Enable Purview connector
Microsoft Entra ID | Authentication events, conditional access for Copilot sessions | Enable Entra connector
Microsoft Defender for Cloud Apps | Shadow IT, session controls, Copilot app governance | Enable Defender connector
Microsoft Purview Insider Risk | Insider risk signals from Copilot usage patterns | Enable Insider Risk connector
Microsoft Defender XDR | Threat signals correlated with Copilot usage | Enable Microsoft Defender XDR connector

Key Copilot Audit Events

The Unified Audit Log captures the following Copilot-relevant events:

Event Type | Description | KQL Table
CopilotInteraction | User interaction with Copilot across M365 apps | OfficeActivity
MicrosoftCopilot | Copilot-specific operations and responses | OfficeActivity
SearchQueryPerformed | Copilot search queries against organizational data | OfficeActivity
FileAccessed | Files accessed by Copilot during grounding | OfficeActivity
DLPRuleMatch | DLP policy triggered during Copilot interaction | SecurityAlert
SensitivityLabelApplied | Label applied to Copilot-generated content | OfficeActivity
InformationBarrierPolicyApplication | IB enforcement during Copilot interaction | OfficeActivity

KQL Detection Queries

Essential KQL queries for Copilot security monitoring:

Query 1: High-Volume Copilot Access to Sensitive Files

OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation contains "Copilot" or Operation contains "FileAccessed"
| where SensitivityLabel in ("Highly Confidential", "Restricted", "MNPI")
| summarize AccessCount = count() by UserId, SensitivityLabel
| where AccessCount > 50
| sort by AccessCount desc

Query 2: Copilot Usage Outside Business Hours

OfficeActivity
| where TimeGenerated > ago(7d)
| where Operation contains "Copilot"
| extend HourOfDay = hourofday(TimeGenerated)
| where HourOfDay < 6 or HourOfDay > 22
| summarize AfterHoursCount = count() by UserId, bin(TimeGenerated, 1d)
| where AfterHoursCount > 20

Query 3: Copilot DLP Policy Matches

SecurityAlert
| where TimeGenerated > ago(24h)
| where AlertType contains "DLP"
| where Description contains "Copilot" or AdditionalData contains "Copilot"
| project TimeGenerated, AlertName, Description, Entities
| sort by TimeGenerated desc

Query 4: Copilot Information Barrier Enforcement Events

OfficeActivity
| where TimeGenerated > ago(7d)
| where Operation contains "InformationBarrier"
| where ResultStatus == "Failed" or ResultStatus == "Blocked"
| project TimeGenerated, UserId, Operation, ResultStatus, ClientIP
| sort by TimeGenerated desc

Query 5: Anomalous Copilot Usage Volume

// Baseline: average daily Copilot operations per user over the prior 30 days.
// Dividing by a real (30.0) avoids integer truncation, which would otherwise
// round low-volume users down to an AvgDaily of 0 and break the ratio below.
let baseline = OfficeActivity
| where TimeGenerated between (ago(30d) .. ago(1d))
| where Operation contains "Copilot"
| summarize AvgDaily = count() / 30.0 by UserId;
OfficeActivity
| where TimeGenerated > ago(1d)
| where Operation contains "Copilot"
| summarize TodayCount = count() by UserId
| join kind=inner baseline on UserId
| where TodayCount > AvgDaily * 3
| project UserId, TodayCount, AvgDaily, Ratio = TodayCount / AvgDaily
| sort by Ratio desc

Alert Rules

Alert Rule | Detection Logic | Severity | Action
High-sensitivity file access spike | >50 sensitive file accesses via Copilot in 24h | High | Create incident, notify SOC
After-hours Copilot usage anomaly | >20 Copilot interactions outside business hours | Medium | Create incident for review
DLP match in Copilot interaction | Any DLP policy match during Copilot session | High | Create incident, notify compliance
Information barrier enforcement failure | IB policy blocked a Copilot interaction | Critical | Create incident, notify legal
Anomalous usage volume | >3x baseline Copilot usage for any user | Medium | Create incident for investigation
Copilot access after account compromise indicator | Copilot usage following sign-in risk event | Critical | Create incident, trigger containment
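The last rule in the table, Copilot usage following a sign-in risk event, has no query in the detection list above. The KQL below is an added example, not part of the framework's own query set: it correlates Entra ID risk events in SigninLogs with Copilot operations in OfficeActivity within a window after the risky sign-in. It assumes the Entra ID connector is ingesting SigninLogs, that OfficeActivity.UserId holds the same UPN as SigninLogs.UserPrincipalName, and that the 4-hour window is a starting value to be tuned.

```kql
// Added example: Copilot activity shortly after a risky sign-in (not part of the page's query set).
// Assumptions: SigninLogs is populated by the Entra ID connector; OfficeActivity.UserId matches
// SigninLogs.UserPrincipalName after lowercasing; the 4h window is an illustrative tuning value.
let lookback = 24h;
let window = 4h;                        // how long after the risky sign-in to look for Copilot use
let riskySignins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"           // successful sign-ins only; a failed sign-in never reaches Copilot
    | where RiskLevelDuringSignIn in ("medium", "high")
        or RiskLevelAggregated in ("medium", "high")
    | project RiskTime = TimeGenerated,
              UserId = tolower(UserPrincipalName),
              RiskLevelDuringSignIn, RiskLevelAggregated, RiskState,
              SigninIP = IPAddress;
OfficeActivity
| where TimeGenerated > ago(lookback)
| where Operation contains "Copilot"
| extend UserId = tolower(UserId)
| join kind=inner riskySignins on UserId
// keep only Copilot operations that fall inside the window after the risky sign-in
| where TimeGenerated between (RiskTime .. (RiskTime + window))
| summarize CopilotOps = count(),
            FirstCopilotUse = min(TimeGenerated),
            Operations = make_set(Operation),
            CopilotClientIPs = make_set(ClientIP)
    by UserId, RiskTime, RiskLevelDuringSignIn, RiskLevelAggregated, RiskState, SigninIP
// a Copilot session from an address other than the risky sign-in's address is worth surfacing
| extend IPMismatch = not(set_has_element(CopilotClientIPs, SigninIP))
| sort by RiskTime desc
```

When scheduled as an analytics rule, map UserId and SigninIP to the Account and IP entities so the Compromised Account playbook can act on the incident.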

Workbooks

Sentinel workbooks provide visual dashboards for ongoing Copilot security monitoring:

Workbook | Panels | Purpose
Copilot Security Overview | Total interactions, sensitive data access, DLP matches, IB events | Daily SOC monitoring
Copilot User Behavior | Per-user activity trends, anomaly indicators, risk scores | Investigation support
Copilot Compliance Dashboard | Regulatory event tracking, policy violations, audit metrics | Compliance reporting
Copilot Data Access Patterns | File access by sensitivity, department, time-of-day | Data governance monitoring

SOAR Playbooks

Automated response playbooks for Copilot security events:

Playbook | Trigger | Actions
Copilot IB Breach Response | Information barrier enforcement failure | 1. Create incident 2. Notify legal 3. Capture audit evidence 4. Disable Copilot for affected user
Copilot DLP Escalation | High-severity DLP match in Copilot | 1. Create incident 2. Notify compliance 3. Capture interaction details 4. Add to review queue
Copilot Compromised Account | Copilot usage after sign-in risk detection | 1. Block user sign-in 2. Revoke sessions 3. Create incident 4. Notify security team
Copilot Sensitive Data Alert | Bulk sensitive file access via Copilot | 1. Create incident 2. Capture access log 3. Notify data owner 4. Review user permissions

Copilot Surface Coverage

Surface | Sentinel Monitoring | Key Events
M365 Business Chat | Full | Cross-app queries, file access, web grounding
Teams Copilot | Full | Meeting access, channel data, chat interactions
Outlook Copilot | Full | Email access, draft interactions
Word / Excel / PowerPoint | Full | Document access, content generation
SharePoint Copilot | Full | Site access, page summarization
Copilot Pages | Partial | Content creation, sharing events

Governance Levels

Baseline

  • Enable the Microsoft 365 data connector in Sentinel
  • Deploy at least 3 Copilot-specific analytics rules (DLP match, IB event, usage anomaly)
  • Configure alert notifications to the security operations team
  • Create a basic Copilot security workbook in Sentinel
  • Include Copilot events in the SOC's daily monitoring scope
  • Document the mapping between Copilot audit events and Sentinel tables

Recommended

  • Deploy all 5+ KQL detection queries listed in this control
  • Configure SOAR playbooks for automated response to high-severity Copilot events
  • Create department-specific alert thresholds based on expected usage patterns
  • Integrate Copilot Sentinel alerts with the institution's incident management system
  • Deploy the full Copilot workbook suite (Security Overview, User Behavior, Compliance, Data Access)
  • Establish weekly review of Copilot security analytics with the SOC team
  • Tune alert thresholds quarterly based on observed patterns to reduce false positives
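One way to implement department-specific alert thresholds, as an added example rather than the framework's own query: per-department daily limits are read from a Sentinel watchlist and Copilot activity is joined to each user's department from the IdentityInfo table. The watchlist name CopilotThresholds, its columns Department and DailyThreshold, and the fallback value of 100 are assumptions; IdentityInfo requires UEBA to be enabled.

```kql
// Added example: per-department Copilot volume thresholds driven by a Sentinel watchlist.
// Assumptions: a watchlist named "CopilotThresholds" with columns Department and DailyThreshold
// (illustrative names); IdentityInfo (UEBA) maps AccountUPN to Department; fallback of 100 is assumed.
let defaultThreshold = 100;             // used for users whose department has no watchlist row
let thresholds = _GetWatchlist('CopilotThresholds')
    | project Department, DailyThreshold = toint(DailyThreshold);
let userDepartments = IdentityInfo
    | where TimeGenerated > ago(14d)     // IdentityInfo is a snapshot table; keep the latest row per user
    | summarize arg_max(TimeGenerated, Department) by UserId = tolower(AccountUPN)
    | project UserId, Department;
OfficeActivity
| where TimeGenerated > ago(1d)
| where Operation contains "Copilot"
| extend UserId = tolower(UserId)
| summarize DailyCount = count() by UserId
| join kind=leftouter userDepartments on UserId
// users without an IdentityInfo record still get evaluated, under the fallback threshold
| extend Department = iff(isempty(Department), "Unknown", Department)
| join kind=leftouter thresholds on Department
| extend Threshold = coalesce(DailyThreshold, defaultThreshold)
| where DailyCount > Threshold
| project UserId, Department, DailyCount, Threshold,
          Ratio = round(todouble(DailyCount) / Threshold, 2)
| sort by Ratio desc
```

Maintaining thresholds in a watchlist lets the quarterly tuning step change limits without editing the analytics rule itself.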

Regulated

  • Implement correlation rules that combine Copilot events with other security signals (sign-in risk, DLP, insider risk)
  • Maintain Sentinel log retention for Copilot events per regulatory requirements (minimum 7 years for archival)
  • Include Copilot Sentinel monitoring in SOX ITGC evidence packages
  • Present Copilot security analytics to the board risk committee quarterly
  • Engage internal audit to review Sentinel detection coverage for Copilot events annually
  • Implement UEBA (User and Entity Behavior Analytics) for Copilot interaction patterns
  • Conduct semi-annual purple team exercises targeting Copilot attack scenarios

Setup & Configuration

Step 1: Enable Data Connectors

In Microsoft Sentinel > Data Connectors:

  1. Enable the Microsoft 365 connector:
     • Select the Exchange, SharePoint, and Teams data types
     • Confirm that Copilot audit events flow through this connector
  2. Enable the Microsoft Purview Information Protection connector (if available)
  3. Enable the Microsoft Entra ID connector:
     • Select sign-in logs and audit logs
  4. Enable the Microsoft Defender for Cloud Apps connector
  5. Verify data ingestion:
     OfficeActivity
     | where TimeGenerated > ago(1h)
     | where Operation contains "Copilot"
     | count

Step 2: Deploy Analytics Rules

In Microsoft Sentinel > Analytics:

  1. Create each analytics rule from the KQL queries above
  2. Configure rule settings:
     • Run frequency: every 5-15 minutes for critical rules; hourly for medium-severity rules
     • Lookup period: match the query's time range
     • Alert threshold: configure to minimize false positives while still catching true incidents
     • Entity mapping: map UserId, ClientIP, and FileId entities for investigation context
  3. Assign severity levels per the alert rules table

Step 3: Create Workbooks

In Microsoft Sentinel > Workbooks:

  1. Create a new workbook: "Copilot Security Overview"
  2. Add panels:
     • Total Copilot interactions over time (line chart)
     • Sensitive data access by label type (pie chart)
     • DLP match events (table)
     • Information barrier events (table)
     • Top users by Copilot volume (bar chart)
     • After-hours usage trends (heatmap)
  3. Save and pin to the Sentinel dashboard

Step 4: Configure SOAR Playbooks

In Microsoft Sentinel > Automation:

  1. Create Logic App playbooks for each response scenario:
     • IB Breach Response: trigger on IB-related incident creation; automate evidence collection and notification
     • DLP Escalation: trigger on DLP incident; route to the compliance review queue
     • Compromised Account: trigger on risk-correlated Copilot usage; automate account containment
  2. Test each playbook with simulated incidents
  3. Document playbook logic and approval workflows

Step 5: Configure Log Retention

  1. Set Analytics Rules log retention per governance level
  2. For regulated environments, configure long-term archival:
     • Hot retention: 90 days (interactive queries)
     • Archive retention: 7 years (for regulatory examination readiness)
  3. Verify that archived logs are searchable for investigation and examination response

Financial Sector Considerations

SOC Integration: Financial institutions typically operate security operations centers (or outsource to managed security service providers). Copilot Sentinel alerts should be integrated into existing SOC workflows, triage procedures, and escalation paths. SOC analysts should be trained on Copilot-specific alert types and investigation procedures.

Regulatory Evidence: Sentinel workbooks and alert histories provide evidence of ongoing security monitoring for Copilot. This evidence supports SOX ITGC assertions, NYDFS Part 500 monitoring requirements, and FFIEC examination responses. Export and archive workbook snapshots as part of quarterly evidence collection.

Insider Threat Detection: Financial institutions face heightened insider threat risks. Sentinel correlation of Copilot usage patterns with other behavioral signals (email forwarding, file downloads, after-hours access) strengthens insider threat detection capabilities. This aligns with FINRA expectations for supervision of employee activities.

Information Barrier Monitoring: For institutions with Chinese Wall obligations, Sentinel monitoring of information barrier enforcement events is critical. Every blocked Copilot interaction at an IB boundary should be logged and reviewed. Patterns of repeated barrier enforcement for a single user may indicate an employee attempting to circumvent controls.

Cost Considerations: Sentinel data ingestion is consumption-based. Copilot events can generate significant data volumes. Institutions should estimate ingestion costs based on Copilot user count and usage patterns, and optimize by filtering low-value events at the connector level rather than ingesting everything.

Detection Engineering: The KQL queries provided in this control are starting points. Institutions should evolve their detection library based on observed incident patterns, threat intelligence, and regulatory guidance. Consider engaging a detection engineering team to develop institution-specific detections.

Verification Criteria

# | Verification Step | Expected Result
1 | Verify Sentinel data connectors are active and ingesting Copilot events | Data flowing from Microsoft 365, Entra ID, and Purview connectors
2 | Run sample KQL query against Copilot events | Query returns results, confirming event capture
3 | Review analytics rules for Copilot detections | At least 3 active analytics rules targeting Copilot events
4 | Verify alert notification routing | Alerts route to SOC or designated security team
5 | Review Copilot security workbook | Workbook displays current data with all panels populated
6 | Test SOAR playbook execution (Recommended) | Playbook executes correctly on test incident
7 | Confirm log retention settings | Retention meets regulatory requirements
8 | Verify SOC coverage of Copilot alerts | SOC runbook includes Copilot alert triage procedures

FSI Copilot Governance Framework v1.2.1 - March 2026