CopilotActivity


Reference for CopilotActivity table in Azure Monitor Logs.

| Attribute | Value |
|---|---|
| Category | Audit, Security |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Lake-Only Ingestion | ✓ Yes (source) |
| Azure Monitor Tables Reference | View Documentation |

Schema (24 columns)

Source: Azure Monitor documentation

| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
| ActorName | string | User principal name or email address. |
| ActorUserId | string | Internal user key or GUID. |
| ActorUserType | string | Type of user (e.g., Regular, Admin, System). |
| AgentId | string | The version number or version ID of the agent involved. |
| AgentName | string | A friendly readable name of the agent. |
| AIModelName | string | Name of the AI model used (for extensibility). |
| AIModelVersion | string | Version of the AI model used. |
| AppHost | string | Application that hosts Copilot. |
| AppIdentity | string | Identity of the application hosting the Copilot interaction. |
| ClientRegion | string | Region of the client. |
| LLMEventData | dynamic | Parsed LLM event data (for the different Copilot RecordTypes). |
| LogVersion | string | Version of the LLM log format. |
| OrganizationId | string | Organization GUID. |
| RecordId | string | Unique identifier for the audit record. |
| RecordType | string | Normalized record type name (e.g., CopilotInteraction, UpdateCopilotSettings). |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics. |
| SrcIpAddr | string | IP address of the client. |
| TenantId | string | The Log Analytics workspace ID. |
| TimeGenerated | datetime | Timestamp of the audit event. |
| Type | string | The name of the table. |
| Version | string | Version of the audit schema or event. |
| Workload | string | The workload or product (e.g., Copilot, AzureOpenAI). |

Solutions (1)

This table is used by the following solutions:

Connectors (1)

This table is ingested by the following connectors:

| Connector | Selection Criteria |
|---|---|
| Microsoft Copilot | |

Content Items Using This Table (7)

Analytic Rules (4)

In solution Microsoft Copilot:

| Analytic Rule | Selection Criteria |
|---|---|
| Copilot - File Uploads Disabled | |
| Copilot - Jailbreak Attempt Detected | LLMEventData has "JailbreakDetected" |
| Copilot - Plugin Created by Non-Admin User | ActorUserType != "Admin" |
| Copilot - Plugin Tampering (Enable and Disable Within 5 Minutes) | |

Hunting Queries (2)

In solution Microsoft Copilot:

| Hunting Query | Selection Criteria |
|---|---|
| Copilot - Access From External IP Address | SrcIpAddr !startswith "10."<br>SrcIpAddr !startswith "172."<br>SrcIpAddr !startswith "192.168" |
| Copilot - Plugin Enabled After Being Disabled | |

Workbooks (1)

In solution Microsoft Copilot:

| Workbook | Selection Criteria |
|---|---|
| MicrosoftCopilotActivityMonitoring | |

Selection Criteria Summary (3 criteria, 3 total references)

References by type: 0 connectors, 3 content items, 0 ASIM parsers, 0 other parsers.

| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| LLMEventData has "JailbreakDetected" | - | 1 | - | - | 1 |
| ActorUserType != "Admin" | - | 1 | - | - | 1 |
| SrcIpAddr !startswith "10."<br>SrcIpAddr !startswith "172."<br>SrcIpAddr !startswith "192.168" | - | 1 | - | - | 1 |
| Total | 0 | 3 | 0 | 0 | 3 |

ActorUserType

| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| != Admin | - | 1 | - | - | 1 |

LLMEventData

| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has JailbreakDetected | - | 1 | - | - | 1 |

SrcIpAddr

| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| !startswith 10. | - | 1 | - | - | 1 |
| !startswith 172. | - | 1 | - | - | 1 |
| !startswith 192.168 | - | 1 | - | - | 1 |
