Control 4.11: Microsoft Sentinel Integration for Copilot Events

Control ID: 4.11 Pillar: Operations & Monitoring Regulatory Reference: FFIEC IT Examination Handbook (Information Security), Sarbanes-Oxley §§302/404, NYDFS Part 500, GLBA §501(b) Last Verified: 2026-06-05 Governance Levels: Baseline / Recommended / Regulated

Objective

Establish Microsoft Sentinel integration for Microsoft 365 Copilot security events, including data connector configuration, KQL-based detection queries for Copilot audit events, automated alert rules, monitoring workbooks, and SOAR playbooks for Copilot-related security incidents, to support compliance with security monitoring requirements and provide centralized visibility into AI-related security events.

Copilot Data Connector (Preview)

As of February 2026, Microsoft offers a dedicated "Microsoft Copilot" data connector (public preview) that ingests into a CopilotActivity table with richer Copilot-specific fields. Consider enabling this alongside the M365 connector for enhanced monitoring.

Sentinel Azure Portal Retirement — March 31, 2027

After March 31, 2027, Microsoft Sentinel will no longer be supported in the Azure portal. Sentinel will be available exclusively in the Microsoft Defender portal. All customers currently using Microsoft Sentinel in the Azure portal will be redirected to the Defender portal. FSI teams should begin planning their transition now to avoid disruption to monitoring and detection workflows. See Microsoft Sentinel in the Microsoft Defender portal and the transition guide for migration steps. Organizations should verify that all Sentinel workbooks, analytics rules, SOAR playbooks, and data connectors described in this control are accessible and operational in the Defender portal before the retirement date.

Why This Matters for FSI

Financial institutions are expected to maintain security monitoring capabilities proportional to their technology risk profile. Deploying AI tools like Microsoft 365 Copilot without corresponding security monitoring creates a visibility gap that regulators may identify as a control deficiency.

FFIEC IT Examination Handbook: The Information Security booklet expects institutions to implement monitoring systems that detect unauthorized access, suspicious activity patterns, and policy violations. Copilot interactions that access sensitive data, cross information barriers, or trigger DLP policies generate security events that should be captured and analyzed centrally.

Sarbanes-Oxley §§302/404: For public financial institutions, security monitoring of AI tools that process financial data supports the assertion that IT general controls are operating effectively. Sentinel integration provides the evidence trail that auditors expect.

NYDFS Part 500: Requires covered entities to implement monitoring systems capable of detecting cybersecurity events. Copilot-related security events -- unauthorized data access, anomalous usage patterns, policy violations -- fall within this scope.

GLBA §501(b): Requires administrative, technical, and physical safeguards that include monitoring for unauthorized access to customer information. Copilot can surface customer information across the M365 environment, making monitoring of Copilot interactions essential for safeguard compliance.

Microsoft Sentinel, as a cloud-native SIEM/SOAR platform, provides the natural integration point for Copilot security monitoring within the Microsoft 365 ecosystem. It can ingest Copilot audit events, correlate them with other security signals, and automate response actions.

Disclaimer

This control is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. See full disclaimer.

Control Description

Sentinel Data Connectors for Copilot Events

Copilot security events are captured through multiple data sources that can be connected to Sentinel:

Data Connector	Events Captured	Configuration
Microsoft 365	Exchange, SharePoint, and Teams audit events (OfficeActivity table); does not deliver CopilotInteraction records — those require the dedicated Copilot connector below	Enable Office 365 connector in Sentinel
Microsoft Copilot (Preview)	M365 Copilot interaction events — CopilotInteraction, MicrosoftCopilot, SearchQueryPerformed, and AI-specific records — in the CopilotActivity table	Enable the dedicated "Microsoft Copilot" data connector (public preview) in Sentinel; see note on line 16
Microsoft Purview	DLP policy matches involving Copilot, sensitivity label events	Enable Purview connector
Microsoft Entra ID	Authentication events, conditional access for Copilot sessions	Enable Entra connector
Microsoft Defender for Cloud Apps	Shadow IT, session controls, Copilot app governance	Enable Defender connector
Microsoft Purview Insider Risk	Insider risk signals from Copilot usage patterns	Enable Insider Risk connector
Microsoft Defender XDR	Threat signals correlated with Copilot usage	Enable Microsoft Defender XDR connector

Key Copilot Audit Events

The Unified Audit Log captures the following Copilot-relevant events:

Event Type	Description	KQL Table
CopilotInteraction	User interaction with Copilot across M365 apps	CopilotActivity
MicrosoftCopilot	Copilot-specific operations and responses	CopilotActivity
SearchQueryPerformed	Copilot search queries against organizational data	CopilotActivity
FileAccessed	Files accessed by Copilot during grounding	CopilotActivity
DLPRuleMatch	DLP policy triggered during Copilot interaction	SecurityAlert
SensitivityLabelApplied	Label applied to Copilot-generated content	CopilotActivity
InformationBarrierPolicyApplication	IB enforcement during Copilot interaction	CopilotActivity

KQL Detection Queries

Essential KQL queries for Copilot security monitoring:

Query 1: High-Volume Copilot Access to Sensitive Files

Requires Microsoft Copilot Connector (Preview)

CopilotInteraction and related Copilot audit records are not delivered to the OfficeActivity table by the Microsoft 365 (Exchange/SharePoint/Teams) data connector. Queries targeting Copilot interactions must use the CopilotActivity table, populated by the dedicated "Microsoft Copilot" data connector (public preview). Without that connector, these queries return zero rows. The SensitivityLabel column schema should be verified against your tenant's CopilotActivity table — if unavailable, correlate with the InformationProtectionLabelAction table.

CopilotActivity
| where TimeGenerated > ago(24h)
| where Operation contains "Copilot" or Operation contains "FileAccessed"
| where SensitivityLabel in ("Highly Confidential", "Restricted", "MNPI")
| summarize AccessCount = count() by UserId, SensitivityLabel
| where AccessCount > 50
| sort by AccessCount desc

Query 2: Copilot Usage Outside Business Hours

CopilotActivity
| where TimeGenerated > ago(7d)
| where Operation contains "Copilot"
| extend HourOfDay = hourofday(TimeGenerated)
| where HourOfDay < 6 or HourOfDay > 22
| summarize AfterHoursCount = count() by UserId, bin(TimeGenerated, 1d)
| where AfterHoursCount > 20

Query 3: Copilot DLP Policy Matches

SecurityAlert
| where TimeGenerated > ago(24h)
| where AlertType contains "DLP"
| where Description contains "Copilot" or AdditionalData contains "Copilot"
| project TimeGenerated, AlertName, Description, Entities
| sort by TimeGenerated desc

Query 4: Copilot Information Barrier Enforcement Events

CopilotActivity
| where TimeGenerated > ago(7d)
| where Operation contains "InformationBarrier"
| where ResultStatus == "Failed" or ResultStatus == "Blocked"
| project TimeGenerated, UserId, Operation, ResultStatus, ClientIP
| sort by TimeGenerated desc

Query 5: Anomalous Copilot Usage Volume

let baseline = CopilotActivity
| where TimeGenerated between(ago(30d) .. ago(1d))
| where Operation contains "Copilot"
| summarize AvgDaily = count() / 30 by UserId;
CopilotActivity
| where TimeGenerated > ago(1d)
| where Operation contains "Copilot"
| summarize TodayCount = count() by UserId
| join kind=inner baseline on UserId
| where TodayCount > AvgDaily * 3
| project UserId, TodayCount, AvgDaily, Ratio = TodayCount / AvgDaily

Query 6: Agent 365 and Copilot Studio Agent Activity

Requires Microsoft Copilot Connector (Preview)

Agent 365 and Copilot Studio invocation events are Copilot-interaction records delivered to the CopilotActivity table via the dedicated "Microsoft Copilot" data connector. If that connector is not enabled, these records will not appear in OfficeActivity either — the fallback query below will return zero rows for CopilotInteraction-type events and should be treated as a gap indicator only.

CopilotActivity
| where TimeGenerated > ago(24h)
| where Operation in ("AgentInvoked", "AgentPublished", "AgentSessionStarted",
    "CopilotStudioInteraction") or Operation contains "Agent"
| summarize SessionCount = count(), DistinctAgents = dcount(tostring(AdditionalData))
    by UserId, Operation
| sort by SessionCount desc

Fallback (if Copilot connector is not enabled — will NOT contain CopilotInteraction records):

OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation in ("AgentInvoked", "AgentPublished", "AgentSessionStarted",
    "CopilotStudioInteraction") or Operation contains "Agent"
| summarize SessionCount = count(), DistinctAgents = dcount(tostring(AdditionalData))
    by UserId, Operation
| sort by SessionCount desc

Query 7: Scheduled Prompt and Automated Copilot Invocations

CopilotActivity
| where TimeGenerated > ago(7d)
| where Operation contains "Copilot" or Operation contains "ScheduledPrompt"
| where tostring(AdditionalData) contains "scheduled" or
    tostring(AdditionalData) contains "automated" or
    tostring(AdditionalData) contains "flow"
| summarize AutomatedCount = count() by UserId, bin(TimeGenerated, 1d)
| where AutomatedCount > 10
| sort by AutomatedCount desc

Query 8: Third-Party AI Application Activity

CloudAppEvents
| where TimeGenerated > ago(7d)
| where AppId in ("third-party-ai-app-ids") or
    Application has_any ("ChatGPT", "Gemini", "Claude", "Perplexity")
| summarize EventCount = count() by UserId, Application, ActionType
| sort by EventCount desc

Customize Third-Party AI Detection

Replace placeholder app IDs and names with the third-party AI applications relevant to your organization. Use Defender for Cloud Apps to discover shadow AI usage and populate the detection list.

Query 9: Security Copilot Autonomous Agent Actions

Note: Security Copilot (Microsoft Defender / Sentinel AI agent) is a distinct product from M365 Copilot. Its events are NOT ingested into the CopilotActivity table. Verify with your Defender XDR connector which table captures Security Copilot autonomous agent activity in your tenant. The query below uses OfficeActivity as a starting point but may return zero rows pending Microsoft's connector documentation for Security Copilot events.

OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation contains "SecurityCopilot" or
    tostring(AdditionalData) contains "SecurityCopilot"
| where tostring(AdditionalData) contains "autonomous" or
    tostring(AdditionalData) contains "agent"
| project TimeGenerated, UserId, Operation, ResultStatus, AdditionalData
| sort by TimeGenerated desc

Query 10: Sentinel Data Lake and Archive Tier Copilot Event Coverage

Usage
| where TimeGenerated > ago(30d)
| where DataType in ("OfficeActivity", "CopilotActivity", "CloudAppEvents")
| summarize TotalGB = sum(Quantity) / 1024 by DataType, IsBillable, bin(TimeGenerated, 1d)
| sort by TimeGenerated desc

Use this query to monitor ingestion volume and identify whether Copilot event data is being ingested into the analytics (hot) tier, basic logs, or archive tier. High-volume tenants should evaluate whether low-priority Copilot event types can be routed to basic logs or auxiliary tables to manage ingestion costs while maintaining searchability for investigations.

Alert Rules

Alert Rule	Detection Logic	Severity	Action
High-sensitivity file access spike	>50 sensitive file accesses via Copilot in 24h	High	Create incident, notify SOC
After-hours Copilot usage anomaly	>20 Copilot interactions outside business hours	Medium	Create incident for review
DLP match in Copilot interaction	Any DLP policy match during Copilot session	High	Create incident, notify compliance
Information barrier enforcement failure	IB policy blocked a Copilot interaction	Critical	Create incident, notify legal
Anomalous usage volume	>3x baseline Copilot usage for any user	Medium	Create incident for investigation
Copilot access after account compromise indicator	Copilot usage following sign-in risk event	Critical	Create incident, trigger containment
Agent 365 unauthorized publish or session spike	Agent published without approval workflow, or session count exceeds threshold	High	Create incident, notify governance team
Scheduled or automated Copilot invocation anomaly	>10 automated Copilot invocations per user per day	Medium	Create incident for review
Third-party AI application usage detected	Usage of unapproved third-party AI apps via Defender for Cloud Apps	High	Create incident, notify compliance
Security Copilot autonomous action alert	Security Copilot agent takes remediation action autonomously	Medium	Create incident, notify SOC for verification

Workbooks

Sentinel workbooks provide visual dashboards for ongoing Copilot security monitoring:

Workbook	Panels	Purpose
Copilot Security Overview	Total interactions, sensitive data access, DLP matches, IB events	Daily SOC monitoring
Copilot User Behavior	Per-user activity trends, anomaly indicators, risk scores	Investigation support
Copilot Compliance Dashboard	Regulatory event tracking, policy violations, audit metrics	Compliance reporting
Copilot Data Access Patterns	File access by sensitivity, department, time-of-day	Data governance monitoring
Agent 365 and Copilot Studio	Agent session counts, publish events, exception rates, ownerless agent alerts	Agent lifecycle and governance monitoring
Third-Party AI and Shadow AI	Cloud App Events for unapproved AI tools, usage trends, user counts	Shadow AI risk visibility
Sentinel Data Lake Copilot Ingestion	Ingestion volume by data type, cost trends, archive tier coverage	Cost governance and retention planning

SOAR Playbooks

Automated response playbooks for Copilot security events:

Playbook	Trigger	Actions
Copilot IB Breach Response	Information barrier enforcement failure	1. Create incident 2. Notify legal 3. Capture audit evidence 4. Disable Copilot for affected user
Copilot DLP Escalation	High-severity DLP match in Copilot	1. Create incident 2. Notify compliance 3. Capture interaction details 4. Add to review queue
Copilot Compromised Account	Copilot usage after sign-in risk detection	1. Block user sign-in 2. Revoke sessions 3. Create incident 4. Notify security team
Copilot Sensitive Data Alert	Bulk sensitive file access via Copilot	1. Create incident 2. Capture access log 3. Notify data owner 4. Review user permissions

Copilot Surface Coverage

Surface	Sentinel Monitoring	Key Events
Microsoft 365 Copilot Chat	Full	Cross-app queries, file access, web grounding
Teams Copilot	Full	Meeting access, channel data, chat interactions
Outlook Copilot	Full	Email access, draft interactions
Word / Excel / PowerPoint	Full	Document access, content generation
SharePoint Copilot	Full	Site access, page summarization
Copilot Pages	Partial	Content creation, sharing events
Agent 365 / Copilot Studio agents	Growing	Agent invocations, publish events, session counts, exception rates
Security Copilot	Growing	Autonomous agent actions, investigation events, SCU consumption
Third-party AI apps	Via Defender for Cloud Apps	Shadow AI detection, unapproved app usage

Governance Levels

Baseline

Enable the Microsoft 365 data connector in Sentinel
Deploy at least 3 Copilot-specific analytics rules (DLP match, IB event, usage anomaly)
Configure alert notifications to the security operations team
Create a basic Copilot security workbook in Sentinel
Include Copilot events in the SOC's daily monitoring scope
Document the mapping between Copilot audit events and Sentinel tables

Deploy all 5+ KQL detection queries listed in this control
Configure SOAR playbooks for automated response to high-severity Copilot events
Create department-specific alert thresholds based on expected usage patterns
Integrate Copilot Sentinel alerts with the institution's incident management system
Deploy the full Copilot workbook suite (Security Overview, User Behavior, Compliance, Data Access)
Establish weekly review of Copilot security analytics with the SOC team
Tune alert thresholds quarterly based on observed patterns to reduce false positives

Regulated

Implement correlation rules that combine Copilot events with other security signals (sign-in risk, DLP, insider risk)
Maintain Sentinel log retention for Copilot events per regulatory requirements (minimum 7 years for archival)
Include Copilot Sentinel monitoring in SOX ITGC evidence packages
Present Copilot security analytics to the board risk committee quarterly
Engage internal audit to review Sentinel detection coverage for Copilot events annually
Implement UEBA (User and Entity Behavior Analytics) for Copilot interaction patterns
Conduct semi-annual purple team exercises targeting Copilot attack scenarios

Setup & Configuration

Step 1: Enable Data Connectors

In Microsoft Sentinel > Data Connectors:

Enable Microsoft 365 connector:
Select Exchange, SharePoint, and Teams data types
Note: this connector populates the OfficeActivity table for Exchange, SharePoint, and Teams events; it does not deliver CopilotInteraction records
Enable the Microsoft Copilot data connector (public preview):
This populates the CopilotActivity table with M365 Copilot interaction events
Required for all KQL queries targeting CopilotInteraction, MicrosoftCopilot, and related records
Enable Microsoft Purview Information Protection connector (if available)
Enable Microsoft Entra ID connector:
Select sign-in logs and audit logs
Enable Microsoft Defender for Cloud Apps connector
Verify data ingestion:
```
CopilotActivity
| where TimeGenerated > ago(1h)
| count
```
If the count is zero, confirm the Microsoft Copilot (Preview) connector is enabled and configured. The OfficeActivity table will not contain CopilotInteraction records regardless of the M365 connector state.

Step 2: Deploy Analytics Rules

In Microsoft Sentinel > Analytics:

Create each analytics rule from the KQL queries above
Configure rule settings:
Run frequency: Every 5-15 minutes for critical rules; hourly for medium-severity
Lookup period: Match the query's time range
Alert threshold: Configure to minimize false positives while catching true incidents
Entity mapping: Map UserId, ClientIP, and FileId entities for investigation context
Assign severity levels per the alert rules table

Step 3: Create Workbooks

In Microsoft Sentinel > Workbooks:

Create a new workbook: "Copilot Security Overview"
Add panels:
Total Copilot interactions over time (line chart)
Sensitive data access by label type (pie chart)
DLP match events (table)
Information barrier events (table)
Top users by Copilot volume (bar chart)
After-hours usage trends (heatmap)
Save and pin to the Sentinel dashboard

Step 4: Configure SOAR Playbooks

In Microsoft Sentinel > Automation:

Create Logic App playbooks for each response scenario:
IB Breach Response: Trigger on IB-related incident creation; automate evidence collection and notification
DLP Escalation: Trigger on DLP incident; route to compliance review queue
Compromised Account: Trigger on risk-correlated Copilot usage; automate account containment
Test each playbook with simulated incidents
Document playbook logic and approval workflows

Step 5: Configure Log Retention

Set Analytics Rules log retention per governance level
For regulated environments, configure long-term archival:
Hot retention: 90 days (interactive queries)
Archive retention: 7 years (for regulatory examination readiness)
Verify that archived logs are searchable for investigation and examination response

Financial Sector Considerations

SOC Integration: Financial institutions typically operate security operations centers (or outsource to managed security service providers). Copilot Sentinel alerts should be integrated into existing SOC workflows, triage procedures, and escalation paths. SOC analysts should be trained on Copilot-specific alert types and investigation procedures.

Regulatory Evidence: Sentinel workbooks and alert histories provide evidence of ongoing security monitoring for Copilot. This evidence supports SOX ITGC assertions, NYDFS Part 500 monitoring requirements, and FFIEC examination responses. Export and archive workbook snapshots as part of quarterly evidence collection.

Insider Threat Detection: Financial institutions face heightened insider threat risks. Sentinel correlation of Copilot usage patterns with other behavioral signals (email forwarding, file downloads, after-hours access) strengthens insider threat detection capabilities. This aligns with FINRA expectations for supervision of employee activities.

Information Barrier Monitoring: For institutions with Chinese Wall obligations, Sentinel monitoring of information barrier enforcement events is critical. Every blocked Copilot interaction at an IB boundary should be logged and reviewed. Patterns of repeated barrier enforcement for a single user may indicate an employee attempting to circumvent controls.

Cost Considerations: Sentinel data ingestion is consumption-based. Copilot events can generate significant data volumes. Institutions should estimate ingestion costs based on Copilot user count and usage patterns, and optimize by filtering low-value events at the connector level rather than ingesting everything.

Detection Engineering: The KQL queries provided in this control are starting points. Institutions should evolve their detection library based on observed incident patterns, threat intelligence, and regulatory guidance. Consider engaging a detection engineering team to develop institution-specific detections.

Sentinel Data Lake and Archive Tier Considerations: Copilot and AI events can generate significant data volumes. Microsoft Sentinel supports multiple ingestion tiers — analytics (hot), basic logs, and archive — that institutions can use to balance cost against query performance:

Analytics tier (hot): Full KQL query support, interactive dashboards, and real-time alerting. Use for high-priority detection queries (DLP matches, IB events, anomalous usage).
Basic logs tier: Reduced-cost ingestion with limited KQL functionality (no joins, limited aggregation). Suitable for low-priority Copilot event types that are retained for investigation but do not drive real-time alerts.
Archive tier: Long-term retention at minimal cost. Use for regulatory retention periods (7+ years). Archived logs can be restored to the analytics tier for investigation when needed, but restoration takes time.
Auxiliary tables: For very high-volume data sources (such as verbose Copilot interaction telemetry), auxiliary tables provide cost-effective ingestion with schema flexibility.

Institutions should map each Copilot event type to an ingestion tier based on governance priority: high-priority events (DLP, IB, compromised account) in analytics tier; medium-priority events (general usage, agent sessions) in basic logs; and low-priority events (verbose telemetry, debug-level data) in archive or auxiliary tables.

Verification Criteria

#	Verification Step	Expected Result
1	Verify Sentinel data connectors are active and ingesting Copilot events	Data flowing from Microsoft 365, Entra ID, and Purview connectors
2	Run sample KQL query against Copilot events	Query returns results, confirming event capture
3	Review analytics rules for Copilot detections	At least 3 active analytics rules targeting Copilot events
4	Verify alert notification routing	Alerts route to SOC or designated security team
5	Review Copilot security workbook	Workbook displays current data with all panels populated
6	Test SOAR playbook execution (Recommended)	Playbook executes correctly on test incident
7	Confirm log retention settings	Retention meets regulatory requirements
8	Verify SOC coverage of Copilot alerts	SOC runbook includes Copilot alert triage procedures

Advisory: Security Copilot E5 Auto-Activation — Sentinel Impact

Sentinel Configuration Update — April–June 2026

Security Copilot is being auto-enabled for M365 E5 tenants (April 20–June 30, 2026). Security Copilot agents now operate autonomously within Defender, Entra, and Purview — generating new event types that Sentinel deployments should capture.

Sentinel integration considerations:

New data sources: Security Copilot generates activity records that should be ingested via Sentinel data connectors. Organizations should verify that existing Microsoft 365 and Defender connectors capture Security Copilot events.
Analytics rules: Existing Sentinel analytics rules may not detect Security Copilot-specific alert patterns. Organizations should evaluate whether new detection rules are needed for autonomous Security Copilot agent activities.
Autonomous agent monitoring: Security Copilot agents can autonomously investigate and take actions within Defender XDR. Sentinel should be configured to monitor these autonomous actions and alert on unexpected agent behavior.
SCU consumption alerts: Organizations may want to create Sentinel workbook panels or alert rules to track Security Copilot SCU consumption alongside other Copilot usage metrics.

Recommended actions:

Verify Sentinel data connectors capture Security Copilot activity events
Create or import analytics rules for Security Copilot agent-specific detections
Add Security Copilot panels to existing Copilot security workbooks
See Control 2.9 — Defender for Cloud Apps for opt-out path and broader E5 auto-activation details

Additional Resources

FSI Copilot Governance Framework v1.4.0 - April 2026