Microsoft Copilot Connector — Critical Table Name Update from LLMActivity to CopilotActivity

What Changed

Microsoft Copilot connector updated to use the correct official table name CopilotActivity instead of LLMActivity across all solution components, sample data, and tooling.

Security Impact (Visibility & Fidelity)

Critical Table Reference Fix:

Queries targeting wrong table: All sample queries, connectivity checks, and documentation referenced LLMActivity table which was deprecated/renamed - these queries returned zero results for deployments using the current schema
Data Collection Rule alignment: DCR now correctly outputs to Microsoft-CopilotActivity stream instead of Microsoft-LLMActivity, ensuring proper data ingestion
Sample data schema match: Sample logs now use CopilotActivity type field matching the actual ingested data format

Impact Assessment:

Deployments using the previous connector version had functional data ingestion but broken sample queries and monitoring
This fix restores proper visibility into Microsoft Copilot audit events and user activity monitoring

Affected Files

Solutions/Microsoft Copilot/Data Connectors/MicrosoftCopilot_ConnectorDefinition.json
Solutions/Microsoft Copilot/Data Connectors/MicrosoftCopilot_DCR.json
Sample Data/MicrosoftCopilot_IngestedLogs.json
Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1
Tools/Solutions Analyzer/connector-docs/connectors/microsoftcopilot.md
(packaging artefacts: 3.0.1.zip, createUiDefinition.json, mainTemplate.json, etc.)

What Changed#

Security Impact (Visibility & Fidelity)#

Affected Files#

What Changed

Security Impact (Visibility & Fidelity)

Affected Files