Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
Reference for CopilotActivity table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Audit, Security |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable isfalseingestion isn't billed to your Azure account |
| ActorName | string | User principal name or email address. |
| ActorUserId | string | Internal user key or GUID. |
| ActorUserType | string | Type of user (e.g., Regular, Admin, System). |
| AgentId | string | The version number or version ID of the agent involved. |
| AgentName | string | A friendly readable name of the agent. |
| AIModelName | string | Name of the AI model used (for extensibility). |
| AIModelVersion | string | Version of the AI model used. |
| AppHost | string | Application that hosts copilot. |
| AppIdentity | string | Identity of the application hosting the copilot interaction. |
| ClientRegion | string | Region of the client. |
| LLMEventData | dynamic | Parsed LLM event data (for copilot different RecordTypes). |
| LogVersion | string | Version of the LLM log format. |
| OrganizationId | string | Organization GUID. |
| RecordId | string | Unique identifier for the audit record. |
| RecordType | string | Normalized record type name (e.g., CopilotInteraction, UpdateCopilotSettings). |
| SourceSystem | string | The type of agent the event was collected by. For example,OpsManagerfor Windows agent, either direct connect or Operations Manager,Linuxfor all Linux agents, orAzurefor Azure Diagnostics |
| SrcIpAddr | string | IP address of the client. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Timestamp of the audit event. |
| Type | string | The name of the table |
| Version | string | Version of the audit schema or event. |
| Workload | string | The workload or product (e.g., Copilot, AzureOpenAI). |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Copilot |
In solution Microsoft Copilot:
In solution Microsoft Copilot:
| Hunting Query | Selection Criteria |
|---|---|
| Copilot - Access From External IP Address | |
| Copilot - Plugin Enabled After Being Disabled |
In solution Microsoft Copilot:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftCopilotActivityMonitoring |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftCopilotActivityMonitoring |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊