Microsoft Copilot Solution: New AI Security Monitoring with LLM Activity Telemetry

Data Source

Microsoft Copilot solution ingests AI usage and activity telemetry from Microsoft 365 Copilot experiences into the LLMActivity table for security monitoring and investigation.

Ingestion Mechanism

DCR-based connector using Microsoft-LLMActivity stream to populate the LLMActivity table in Log Analytics workspace with Copilot interaction data.

Detection Surface Unlocked

AI assistant usage pattern analysis across Microsoft 365
Unauthorized or suspicious Copilot interactions
Data exfiltration attempts through AI conversations
Compliance monitoring for AI tool usage in regulated environments
Investigation capabilities for AI-assisted activities in security incidents

Security Impact (Visibility & Fidelity)

This connector introduces visibility into Microsoft Copilot interactions, addressing a blind spot in AI-assisted activities within enterprise environments. Organizations can now monitor how users interact with AI tools, detect potential misuse, and investigate security incidents involving AI-generated content or data access patterns.

Affected Files

Solutions/Microsoft Copilot/Data Connectors/ConnectorDefinition.json
Solutions/Microsoft Copilot/Data Connectors/DCR.json
(supporting files: SolutionMetadata.json, ValidConnectorIds.json, Copilot_logo.svg)

Data Source#

Ingestion Mechanism#

Detection Surface Unlocked#

Security Impact (Visibility & Fidelity)#

Affected Files#

Data Source

Ingestion Mechanism

Detection Surface Unlocked

Security Impact (Visibility & Fidelity)

Affected Files