What Changed

Microsoft 365 Audit General & DLP Solution v3.0.0 introduces two CCF data connectors that establish comprehensive Microsoft 365 audit visibility previously missing from Sentinel:

  • Microsoft 365 Audit.General connector: Ingests 29 specialty workloads via the Office 365 Management Activity API
  • Microsoft 365 Audit.DLP connector: Dedicated DLP event ingestion across all Microsoft 365 workloads

Both connectors share infrastructure (DCE/DCR/table) and ingest into the same M365AuditGeneral_CL custom table with 321 structured columns covering 30 workload schemas.

Data Source Coverage

Audit.General Connector (29 Workload Types)

High-value security visibility unlocked:

  • Microsoft 365 Copilot: Copilot interactions, AI Agent operations, scheduled prompts
  • Security & Compliance tooling: Defender for Office 365, Attack Simulation Training, User Submissions, Automated Investigation & Response (AIR), Hygiene Events, Quarantine operations
  • Microsoft Sentinel platform: Data Lake operations (Notebooks, Jobs, KQL queries, AI Tools, Graph operations)
  • Information Protection: MIP labeling, Encrypted Message Portal
  • eDiscovery operations: Case management, searches, holds, review sets, exports
  • Power Platform: Power BI (dashboards, datasets, reports), Microsoft Forms
  • Viva Suite: Viva Engage (Yammer), Viva Insights, Viva Goals, Viva Glint, Viva Pulse
  • Cloud Infrastructure: Backup/Restore operations, Data Center Security events
  • Edge Security: WebContentFiltering events

Intelligent filtering excludes Microsoft Teams (RecordType 25), Dynamics 365 (RecordTypes 21, 278), and Microsoft Purview Information Protection (RecordTypes 71,72,75,82,83,84,93,94,95,96,97) to avoid duplication with existing dedicated connectors.

Audit.DLP Connector (8 DLP RecordTypes)

  • ComplianceDLPSharePoint (RecordType 11): SharePoint/OneDrive DLP events
  • ComplianceDLPExchange (RecordType 13): Exchange DLP via Unified DLP Policy
  • DLPEndpoint (RecordType 63): Endpoint DLP events
  • PowerPlatformAdminDlp (RecordType 187): Power Platform DLP (Preview)
  • Additional DLP classification and scanning events for SharePoint and file shares

Detection Surface Impact

New Attack Visibility

This solution addresses significant Microsoft 365 audit blind spots:

Copilot & AI Security: Previously unavailable visibility into Copilot interactions, AI agent operations, and automated prompt executions enables detection of:

  • Unauthorized AI agent usage
  • Sensitive data exposure via Copilot queries
  • Abnormal AI interaction patterns

DLP Event Consolidation: Unified DLP event stream across Exchange Online, SharePoint/OneDrive, Endpoint devices, and Power Platform enables cross-workload DLP policy violation correlation.

Microsoft Sentinel Platform Monitoring: Native Sentinel audit events (Data Lake operations, Notebook executions, KQL query patterns) enable insider threat detection within the SOC platform itself.

Security Tooling Oversight: Comprehensive audit trail for Defender for Office 365 operations, Attack Simulation campaigns, User Submissions, and AIR investigations provides security tool usage accountability.

Schema Architecture

  • 321 total columns utilizing 64% of Azure table capacity (500 column limit)
  • Shared table design: Both connectors populate M365AuditGeneral_CL
  • Type-safe ingestion: DCR handles automatic type conversion per workload schema
  • Workload isolation: DLP events identifiable via RecordType filtering

Ingestion Mechanism

  • CCF with OAuth 2.0: Dual RestApiPoller configuration with a 5-minute polling interval
  • Nested API pattern: The first call retrieves content blob metadata; the second call fetches the actual audit records from the dynamic URLs returned in that metadata
  • Data transformation: DCR applies the RecordType exclusion filtering and projects records into the 321 structured columns
  • Shared infrastructure: A single DCE/DCR serves both connectors, which differ only in the API contentType parameter (Audit.General vs DLP.All)
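The nested poll described above and the RecordType exclusion filter from the Data Source Coverage section, as an added example that is not part of this solution's CCF or DCR code. The HTTP layer is replaced by an injectable fetch function so the block runs offline against constructed API responses; the tenant id, content ids, record ids and workload labels in those responses are constructed placeholders, and only the RecordType values listed in these release notes are used for the filter and the DLP tag.

```python
"""Two-step Office 365 Management Activity API poll with RecordType filtering.

Added example, not the solution's own connector or DCR code. Step 1 lists
content blobs for a contentType; step 2 fetches each blob's contentUri and
yields the audit records it contains. The exclusion set mirrors the release
notes (Teams, Dynamics 365, MIP) and the DLP set mirrors the Audit.DLP list.
"""
from __future__ import annotations

import json
from typing import Callable, Iterable, Iterator

# RecordTypes the DCR drops to avoid duplicating dedicated connectors (from the notes).
EXCLUDED_RECORD_TYPES = frozenset(
    {25, 21, 278, 71, 72, 75, 82, 83, 84, 93, 94, 95, 96, 97}
)
# DLP RecordTypes named in the notes; used to tag DLP rows inside the shared table.
DLP_RECORD_TYPES = frozenset({11, 13, 63, 187})

# A fetch function maps a URL to a JSON response body. In production this would
# be an authenticated GET carrying the OAuth 2.0 bearer token; here it is injected.
Fetch = Callable[[str], str]


def list_content(fetch: Fetch, base_url: str, content_type: str) -> list[dict]:
    """Step 1: list content blob metadata (contentUri, contentId, ...) for a contentType."""
    url = f"{base_url}/subscriptions/content?contentType={content_type}"
    return json.loads(fetch(url))


def fetch_records(fetch: Fetch, blobs: Iterable[dict]) -> Iterator[dict]:
    """Step 2: follow each blob's dynamic contentUri and yield the audit records inside."""
    for blob in blobs:
        yield from json.loads(fetch(blob["contentUri"]))


def filter_records(records: Iterable[dict]) -> list[dict]:
    """Drop RecordTypes covered by other connectors (the DCR's exclusion filter)."""
    return [r for r in records if r.get("RecordType") not in EXCLUDED_RECORD_TYPES]


def poll(fetch: Fetch, base_url: str, content_type: str) -> list[dict]:
    """One polling cycle: list blobs, fetch their records, apply the exclusion filter."""
    return filter_records(fetch_records(fetch, list_content(fetch, base_url, content_type)))


def is_dlp(record: dict) -> bool:
    """Workload isolation: DLP rows are identified purely by RecordType."""
    return record.get("RecordType") in DLP_RECORD_TYPES


# ---- Constructed offline responses (placeholder tenant, ids and workload labels) ----
BASE = "https://manage.office.com/api/v1.0/TENANT_ID_PLACEHOLDER/activity/feed"

CONSTRUCTED_RESPONSES: dict[str, str] = {
    f"{BASE}/subscriptions/content?contentType=Audit.General": json.dumps([
        {"contentType": "Audit.General", "contentId": "blob-1", "contentUri": f"{BASE}/audit/blob-1"},
        {"contentType": "Audit.General", "contentId": "blob-2", "contentUri": f"{BASE}/audit/blob-2"},
    ]),
    f"{BASE}/audit/blob-1": json.dumps([
        {"Id": "r1", "RecordType": 25, "Workload": "MicrosoftTeams", "Operation": "MessageSent"},   # excluded
        {"Id": "r2", "RecordType": 15, "Workload": "SecurityComplianceCenter", "Operation": "Cmdlet"},  # kept (constructed)
    ]),
    f"{BASE}/audit/blob-2": json.dumps([
        {"Id": "r3", "RecordType": 71, "Workload": "MIP", "Operation": "LabelApplied"},            # excluded
        {"Id": "r4", "RecordType": 11, "Workload": "SharePoint", "Operation": "DlpRuleMatch"},     # kept, DLP
        {"Id": "r5", "RecordType": 278, "Workload": "Dynamics", "Operation": "Read"},             # excluded
        {"Id": "r6", "RecordType": 63, "Workload": "Endpoint", "Operation": "DlpRuleMatch"},       # kept, DLP
    ]),
    f"{BASE}/subscriptions/content?contentType=DLP.All": json.dumps([
        {"contentType": "DLP.All", "contentId": "blob-3", "contentUri": f"{BASE}/audit/blob-3"},
    ]),
    f"{BASE}/audit/blob-3": json.dumps([
        {"Id": "r7", "RecordType": 13, "Workload": "Exchange", "Operation": "DlpRuleMatch"},       # kept, DLP
    ]),
}


def offline_fetch(url: str) -> str:
    """Stand-in for the authenticated HTTP GET; serves the constructed responses."""
    return CONSTRUCTED_RESPONSES[url]


if __name__ == "__main__":
    for content_type in ("Audit.General", "DLP.All"):
        for rec in poll(offline_fetch, BASE, content_type):
            print(content_type, rec["Id"], rec["RecordType"], "DLP" if is_dlp(rec) else "general")
```

The real list-content operation paginates through a NextPageUri response header and requires a bearer token on every call; both are omitted here because the fetch layer is stubbed. The filter is applied to both contentTypes, matching the single shared DCR described above.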

Affected Files

Solutions/Microsoft 365 Audit General and DLP/Data Connectors/M365AuditDLP_CCF/M365AuditDLP_ConnectorDefinition.json
Solutions/Microsoft 365 Audit General and DLP/Data Connectors/M365AuditDLP_CCF/M365AuditDLP_PollerConfig.json
Solutions/Microsoft 365 Audit General and DLP/Data Connectors/M365AuditDLP_CCF/M365Audit_DCR.json
Solutions/Microsoft 365 Audit General and DLP/Data Connectors/M365AuditDLP_CCF/M365Audit_Table.json
Solutions/Microsoft 365 Audit General and DLP/Data Connectors/M365AuditGeneral_CCF/M365AuditGeneral_ConnectorDefinition.json
Solutions/Microsoft 365 Audit General and DLP/Data Connectors/M365AuditGeneral_CCF/M365AuditGeneral_PollerConfig.json
Solutions/Microsoft 365 Audit General and DLP/Data Connectors/M365AuditGeneral_CCF/M365Audit_DCR.json
Solutions/Microsoft 365 Audit General and DLP/Data Connectors/M365AuditGeneral_CCF/M365Audit_Table.json
Solutions/Microsoft 365 Audit General and DLP/README.md
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Microsoft365AuditGeneralAndDLP.json, createUIDefinition.json, mainTemplate.json)