Security teams must ingest Copilot audit events into their SIEM to monitor data access and user actions. Without a clear schema reference, parsing Copilot audit logs becomes guesswork. The Unified Audit Log exposes specific fields for Copilot interactions including grounding data retrieval and response generation. This article documents the key schema fields, their data types, and how they map to SIEM normalization standards.
Key Takeaways: Copilot Audit Schema for SIEM Ingestion
- AuditLog.Query property: Contains the raw user prompt sent to Copilot; it is the primary field for prompt analysis and threat detection.
- AuditLog.GroundingDataSources: Lists the Microsoft Graph data sources accessed by Copilot to generate a response.
- AuditLog.UserId and AuditLog.CopilotSessionId: Primary correlation keys for linking queries to sessions and user accounts.
Copilot Audit Log Schema Overview
Microsoft 365 generates audit records for every Copilot interaction. These records appear in the Unified Audit Log and contain a JSON payload with structured fields. The schema includes user identity, session context, the user query, the data sources Copilot accessed, and the response content metadata. Security teams use these fields to build detection rules, investigate suspicious activity, and meet compliance requirements.
The audit schema follows the Microsoft 365 Compliance Center audit log schema. All Copilot events use the CopilotInteraction audit type. The AuditData property contains the nested JSON object with Copilot-specific fields. Each event record also includes standard audit fields such as CreationTime, UserId, ClientIP, and Workload.
Prerequisites for Audit Log Access
Before you can ingest Copilot audit data into a SIEM, you must meet these requirements:
- A Microsoft 365 E5 license or an E5 Compliance add-on license for the organization
- Audit logging enabled in the Microsoft 365 admin center
- An Azure app registration with the AuditLog.Read.All permission for API-based ingestion
- A SIEM platform that supports the Office 365 Management Activity API
Core Schema Fields for Copilot Audit Events
The following table lists the essential fields in the AuditData JSON object for Copilot interactions. Use these fields to map Copilot events to your SIEM’s Common Event Format or custom schema.
| Field Name | Data Type | Description |
|---|---|---|
| Query | String | The exact text of the user prompt sent to Copilot |
| Response | String | The text response generated by Copilot |
| GroundingDataSources | Array of Strings | List of Microsoft Graph data sources accessed, such as Mail, Files, or Calendar |
| CopilotSessionId | GUID | Unique identifier for the entire Copilot session |
| ConversationId | GUID | Identifier for a single query-response pair within a session |
| ApplicationId | GUID | Identifier of the Microsoft 365 app hosting Copilot, such as Word or Teams |
| TenantId | GUID | Microsoft 365 tenant identifier |
| UserId | String | User principal name of the person who sent the query |
| CreationTime | DateTime | UTC timestamp of when the audit event was generated |
| Operation | String | Value is always CopilotInteraction |
| ClientIP | String | IP address of the user’s device |
| Workload | String | Microsoft 365 service hosting the interaction, such as MicrosoftTeams or WordOnline |
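As an added example, not code from the article or from Microsoft, the following Python parses one Unified Audit Log record into the typed fields listed in the table above. It assumes the record is the JSON object delivered by the Office 365 Management Activity API; it accepts AuditData either as a nested object, as the article describes, or as a JSON-encoded string, which is how some export paths deliver it. GUIDs are validated, the UTC timestamp is made timezone-aware, and anything that is not a CopilotInteraction is rejected. The sample record, its GUIDs, user and IP address are constructed placeholders.

```python
import json
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class CopilotEvent:
    """Typed view of one CopilotInteraction record (field names follow the schema table)."""
    query: str
    response: str
    grounding_sources: list      # GroundingDataSources; [] when Copilot used no Graph data
    session_id: uuid.UUID        # CopilotSessionId
    conversation_id: uuid.UUID   # ConversationId
    application_id: uuid.UUID    # ApplicationId
    tenant_id: uuid.UUID         # TenantId
    user_id: str
    creation_time: datetime      # UTC, timezone-aware
    client_ip: str
    workload: str


def _guid(value) -> uuid.UUID:
    # Raises ValueError on a malformed identifier instead of passing junk into correlation keys.
    return uuid.UUID(str(value))


def _utc(value: str) -> datetime:
    # Audit timestamps are UTC; many exports omit the offset, so attach it explicitly.
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def parse_copilot_event(raw: str) -> CopilotEvent:
    """Parse one audit record (JSON text). Rejects anything that is not a CopilotInteraction."""
    record = json.loads(raw)
    audit = record.get("AuditData") or {}
    if isinstance(audit, str):          # assumption: some export paths deliver AuditData as a JSON string
        audit = json.loads(audit)
    operation = audit.get("Operation") or record.get("Operation")
    if operation != "CopilotInteraction":
        raise ValueError(f"not a Copilot event: Operation={operation!r}")
    sources = audit.get("GroundingDataSources") or []
    if not isinstance(sources, list):
        raise ValueError("GroundingDataSources must be an array of strings")
    return CopilotEvent(
        query=audit.get("Query", ""),
        response=audit.get("Response", ""),
        grounding_sources=[str(s) for s in sources],
        session_id=_guid(audit["CopilotSessionId"]),
        conversation_id=_guid(audit["ConversationId"]),
        application_id=_guid(audit["ApplicationId"]),
        tenant_id=_guid(audit["TenantId"]),
        user_id=audit.get("UserId") or record["UserId"],
        creation_time=_utc(audit.get("CreationTime") or record["CreationTime"]),
        client_ip=audit.get("ClientIP") or record.get("ClientIP", ""),
        workload=audit.get("Workload") or record.get("Workload", ""),
    )


# Constructed sample record; the GUIDs, user and IP address are placeholders, not real values.
_AUDIT_DATA = {
    "Query": "Summarise the Q2 budget spreadsheet and the related emails",
    "Response": "The Q2 budget shows ...",
    "GroundingDataSources": ["Files", "Mail"],
    "CopilotSessionId": "6f1c2b3a-1111-4222-8333-444455556666",
    "ConversationId": "0a1b2c3d-9999-4888-8777-666655554444",
    "ApplicationId": "5d5d5d5d-aaaa-4bbb-8ccc-dddddddddddd",
    "TenantId": "12345678-0000-4000-8000-000000000001",
    "UserId": "alice@example.com",
    "CreationTime": "2024-05-01T09:15:42",
    "Operation": "CopilotInteraction",
    "ClientIP": "203.0.113.10",
    "Workload": "MicrosoftTeams",
}
_OUTER = {"CreationTime": "2024-05-01T09:15:42", "Operation": "CopilotInteraction",
          "UserId": "alice@example.com", "Workload": "MicrosoftTeams", "ClientIP": "203.0.113.10"}
SAMPLE_RECORD = json.dumps({**_OUTER, "AuditData": _AUDIT_DATA})                              # nested object
SAMPLE_RECORD_STRING_PAYLOAD = json.dumps({**_OUTER, "AuditData": json.dumps(_AUDIT_DATA)})  # JSON string

if __name__ == "__main__":
    ev = parse_copilot_event(SAMPLE_RECORD)
    print(ev.user_id, ev.creation_time.isoformat(), ev.grounding_sources)
```

Failing closed on a malformed GUID or a non-Copilot operation is deliberate: correlation on CopilotSessionId and UserId is only as reliable as the values that reach the index, so a bad record should land in a parse-error queue rather than silently joining the dataset.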
Field Details for SIEM Correlation
The GroundingDataSources array is critical for security monitoring. Each entry describes a data source Copilot queried to generate the response. Common values include Mail for email, Files for SharePoint and OneDrive documents, Calendar for calendar events, and Chat for Teams chat history. If this field is empty, Copilot did not access any organizational data for the query.
The Query field contains the raw user prompt. This field may include sensitive information. Treat it as confidential data in your SIEM. Apply data masking or access controls based on your organization’s data classification policy.
Mapping Copilot Audit Fields to Common SIEM Formats
To integrate Copilot audit events into your SIEM, map the Microsoft 365 fields to your SIEM’s standard schema. The table below provides mappings for three common SIEM platforms.
| Microsoft 365 Field | Splunk Field | Azure Sentinel Field | QRadar Field |
|---|---|---|---|
| Query | copilot_query | Query | message |
| Response | copilot_response | Response | payload |
| GroundingDataSources | copilot_sources | GroundingDataSources | customProperty |
| CopilotSessionId | copilot_session_id | CopilotSessionId | sessionid |
| UserId | user | UserId | username |
| CreationTime | _time | TimeGenerated | startTime |
| ClientIP | src_ip | ClientIP | sourceIP |
| Workload | app | Workload | applicationName |
Common Issues with Copilot Audit Schema Ingestion
Copilot Audit Events Missing from the Unified Audit Log
If Copilot interactions do not appear in the audit log, check that audit logging is enabled for the organization. Go to the Microsoft 365 admin center, select Audit under Security & Compliance, and confirm that auditing is turned on. Also verify that users have the required E5 license. Without the license, Copilot interactions are not audited.
GroundingDataSources Field is Empty
An empty GroundingDataSources field means Copilot did not access any Microsoft Graph data for the query. This occurs when the user asks a general knowledge question that does not require organizational data. It can also happen if the Copilot plugin for Microsoft Graph is disabled. Check the Copilot settings in the Microsoft 365 admin center under Copilot > Data sources to confirm that Microsoft Graph data access is enabled.
SIEM Ingestion Fails Due to Schema Changes
Microsoft may add or rename fields in the Copilot audit schema as the service evolves. Monitor the Microsoft 365 compliance documentation for schema updates. Build your SIEM ingestion pipeline to handle unknown fields gracefully. Use a dynamic field parser that does not break when new fields appear.
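The following Python, added here as an example and not code from the article, Microsoft or any SIEM vendor, serves both the mapping table above and the schema-drift advice in this section. It renames the documented AuditData fields to the Splunk, Azure Sentinel or QRadar names from the table, and it never drops a field it does not recognise: unknown fields are carried through under an `x_` prefix and reported alongside any documented fields that were absent, so a schema change becomes visible in the SIEM instead of silently breaking ingestion. The type conversions (Splunk `_time` as epoch seconds, QRadar `startTime` as epoch milliseconds, the QRadar custom property holding a comma-joined string) are this example's assumptions, as is the `x_` convention; the sample payload and its `PluginUsed` field are constructed.

```python
from datetime import datetime, timezone

# Documented AuditData fields (the schema table earlier in the article).
KNOWN_FIELDS = {
    "Query", "Response", "GroundingDataSources", "CopilotSessionId", "ConversationId",
    "ApplicationId", "TenantId", "UserId", "CreationTime", "Operation", "ClientIP", "Workload",
}

# Target names per platform, taken from the mapping table in the article.
FIELD_MAP = {
    "splunk": {
        "Query": "copilot_query", "Response": "copilot_response",
        "GroundingDataSources": "copilot_sources", "CopilotSessionId": "copilot_session_id",
        "UserId": "user", "CreationTime": "_time", "ClientIP": "src_ip", "Workload": "app",
    },
    "sentinel": {
        "Query": "Query", "Response": "Response",
        "GroundingDataSources": "GroundingDataSources", "CopilotSessionId": "CopilotSessionId",
        "UserId": "UserId", "CreationTime": "TimeGenerated", "ClientIP": "ClientIP", "Workload": "Workload",
    },
    "qradar": {
        "Query": "message", "Response": "payload",
        "GroundingDataSources": "customProperty", "CopilotSessionId": "sessionid",
        "UserId": "username", "CreationTime": "startTime", "ClientIP": "sourceIP", "Workload": "applicationName",
    },
}


def _epoch_seconds(ts: str) -> float:
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)   # audit timestamps are UTC
    return dt.timestamp()


def normalize(audit: dict, platform: str):
    """Map one AuditData object to a platform schema.

    Returns (event, drift). Fields the mapping does not know are never dropped: they are
    carried under an 'x_' prefix so a schema change is visible in the SIEM, and drift lists
    them together with documented fields that were absent from this record."""
    mapping = FIELD_MAP[platform]
    event = {}
    for src, dst in mapping.items():
        if src not in audit:
            continue
        value = audit[src]
        if src == "CreationTime" and platform == "splunk":
            value = _epoch_seconds(value)              # assumption: _time as epoch seconds
        elif src == "CreationTime" and platform == "qradar":
            value = int(_epoch_seconds(value) * 1000)  # assumption: startTime as epoch milliseconds
        elif src == "GroundingDataSources" and platform == "qradar" and isinstance(value, list):
            value = ",".join(value)                    # assumption: one custom property holds one string
        event[dst] = value
    unknown = sorted(set(audit) - KNOWN_FIELDS)
    for name in unknown:
        event["x_" + name] = audit[name]               # keep it, flag it, do not break
    drift = {"unknown_fields": unknown, "missing_fields": sorted(set(mapping) - set(audit))}
    return event, drift


# Constructed AuditData sample; PluginUsed stands in for a field that might be added later.
SAMPLE_AUDIT = {
    "Query": "Summarise the Q2 budget spreadsheet and the related emails",
    "Response": "The Q2 budget shows ...",
    "GroundingDataSources": ["Files", "Mail"],
    "CopilotSessionId": "6f1c2b3a-1111-4222-8333-444455556666",
    "ConversationId": "0a1b2c3d-9999-4888-8777-666655554444",
    "ApplicationId": "5d5d5d5d-aaaa-4bbb-8ccc-dddddddddddd",
    "TenantId": "12345678-0000-4000-8000-000000000001",
    "UserId": "alice@example.com",
    "CreationTime": "2024-05-01T09:15:42",
    "Operation": "CopilotInteraction",
    "ClientIP": "203.0.113.10",
    "Workload": "MicrosoftTeams",
    "PluginUsed": "WebSearch",   # constructed: not in the documented schema
}

if __name__ == "__main__":
    for platform in FIELD_MAP:
        event, drift = normalize(SAMPLE_AUDIT, platform)
        print(platform, event, drift)
```

Feed the `drift` dictionary to a metric or a low-severity alert: a steady stream of the same unknown field name is the earliest signal that the schema has changed and the mapping table needs a new row, while a documented field suddenly reported as missing usually means a rename.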
Copilot Audit Schema vs Standard Microsoft 365 Audit Schema
| Feature | Copilot Audit Schema | Standard Audit Schema |
|---|---|---|
| Event type | CopilotInteraction | Varies by operation |
| User query field | AuditData.Query | Not present |
| Data sources field | AuditData.GroundingDataSources | Not present |
| Session tracking | AuditData.CopilotSessionId | Not present |
| Response content | AuditData.Response | Not present |
| Standard fields | UserId, ClientIP, CreationTime, Workload | UserId, ClientIP, CreationTime, Workload |
The Copilot schema extends the standard audit schema with fields specific to generative AI interactions. Standard audit events do not contain the Query, Response, or GroundingDataSources fields. Security teams must update their SIEM parsing rules to extract these new fields from the AuditData JSON object.
Conclusion
You can now map Copilot audit fields to your SIEM using the field names and data types documented in this reference. The Query and GroundingDataSources fields are the primary sources for detecting unauthorized data access. Start by configuring the Office 365 Management Activity API in your SIEM to pull CopilotInteraction events. For advanced monitoring, create correlation rules that trigger when Copilot accesses sensitive data sources like Mail or Files from a user outside their regular work pattern.
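The correlation rule described in the last sentence, written out as an added example (not code from the article or from any SIEM product). It builds each user's "regular work pattern" as the set of UTC hours in which that user has previously used Copilot, then alerts when a new CopilotInteraction grounded its response on Mail or Files at an hour outside that set. Modelling the pattern as a set of hours, the minimum-history threshold, and the choice to skip users without a baseline are simplifications of this example; the history and new events are constructed, and their session identifiers are placeholders rather than GUIDs.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Data sources this rule treats as sensitive (the article names Mail and Files).
SENSITIVE_SOURCES = {"Mail", "Files"}


def _hour_utc(ts: str) -> int:
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)   # audit timestamps are UTC
    return dt.astimezone(timezone.utc).hour


def build_baseline(history, min_events=5):
    """Per user, the set of UTC hours in which that user has previously used Copilot.
    Users with fewer than min_events records get no baseline; the rule skips them rather
    than alerting on every event from a user it knows nothing about (assumed threshold)."""
    hours, counts = defaultdict(set), defaultdict(int)
    for ev in history:
        user = ev["UserId"]
        counts[user] += 1
        hours[user].add(_hour_utc(ev["CreationTime"]))
    return {u: hours[u] for u in hours if counts[u] >= min_events}


def correlate(events, baseline):
    """Alert when Copilot grounded a response on a sensitive source at an hour outside the
    user's baseline. Each alert carries the correlation keys from the schema table
    (UserId, CopilotSessionId, ClientIP) so an analyst can pivot to the full session."""
    alerts = []
    for ev in events:
        touched = SENSITIVE_SOURCES & set(ev.get("GroundingDataSources") or [])
        if not touched:
            continue                      # no organisational data involved
        user = ev["UserId"]
        if user not in baseline:
            continue                      # no pattern to compare against yet
        hour = _hour_utc(ev["CreationTime"])
        if hour in baseline[user]:
            continue                      # within the user's usual hours
        alerts.append({
            "UserId": user,
            "CopilotSessionId": ev.get("CopilotSessionId"),
            "ClientIP": ev.get("ClientIP"),
            "hour_utc": hour,
            "sources": sorted(touched),
            "baseline_hours": sorted(baseline[user]),
        })
    return alerts


# Constructed sample data: alice has six daytime records, bob has only one.
HISTORY = [
    {"UserId": "alice@example.com", "CreationTime": f"2024-04-{day:02d}T{hour:02d}:00:00",
     "GroundingDataSources": ["Files"], "CopilotSessionId": f"constructed-hist-{day}", "ClientIP": "203.0.113.10"}
    for day, hour in [(1, 8), (2, 9), (3, 11), (4, 14), (5, 16), (8, 10)]
] + [
    {"UserId": "bob@example.com", "CreationTime": "2024-04-03T10:00:00",
     "GroundingDataSources": ["Calendar"], "CopilotSessionId": "constructed-hist-bob", "ClientIP": "203.0.113.20"},
]

NEW_EVENTS = [
    # alice, 09:15 UTC, Files: inside her baseline, no alert
    {"UserId": "alice@example.com", "CreationTime": "2024-05-01T09:15:42", "GroundingDataSources": ["Files"],
     "CopilotSessionId": "constructed-s1", "ClientIP": "203.0.113.10"},
    # alice, 03:40 UTC, Mail and Chat: sensitive source outside her hours, alert
    {"UserId": "alice@example.com", "CreationTime": "2024-05-02T03:40:00", "GroundingDataSources": ["Mail", "Chat"],
     "CopilotSessionId": "constructed-s2", "ClientIP": "198.51.100.7"},
    # alice, 03:45 UTC, no Graph data: outside hours but nothing sensitive, no alert
    {"UserId": "alice@example.com", "CreationTime": "2024-05-02T03:45:00", "GroundingDataSources": [],
     "CopilotSessionId": "constructed-s3", "ClientIP": "198.51.100.7"},
    # bob, 03:50 UTC, Files: too little history for a baseline, skipped
    {"UserId": "bob@example.com", "CreationTime": "2024-05-02T03:50:00", "GroundingDataSources": ["Files"],
     "CopilotSessionId": "constructed-s4", "ClientIP": "203.0.113.20"},
]


def run_rule(history=HISTORY, events=NEW_EVENTS):
    return correlate(events, build_baseline(history))


if __name__ == "__main__":
    for alert in run_rule():
        print(alert)
```

In production the baseline would be rebuilt on a rolling window from the indexed CopilotInteraction events rather than a static list, and the alert would be enriched with the Query field under the access controls the article recommends for it, since the prompt text is what tells an analyst whether the out-of-hours access was benign.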