Access the Security Copilot audit log
In today's stringent regulatory environment, it is important for organizations to monitor and analyze how users interact with security products. Organizations may need to keep track of actions, transactions, and configuration settings on a platform to ensure that they are meeting compliance regulations and regulatory standards.
Security Copilot provides access to audit logs through Microsoft Purview and the Office Management API to help you satisfy compliance and regulatory requirements. The audit log gives you visibility into information such as admin events and activity metadata.
Admin events - Privileged actions such as changes to tenant-level settings or administrative changes (for example, data sharing, plugin and promptbook configurations).
Activity metadata - Logs of user interactions within the Security Copilot platform (for example, a user asked a prompt at a specific time with information on the activity type).
Note
This does not include customer content such as the actual prompt and response.
By keeping track of these interactions, you can potentially identify risks and protect production data.
Enable the audit log capability in Security Copilot
During the first run experience, a Security Administrator is given the option of opting into allowing Microsoft Purview to access, process, copy and store admin actions, user actions, and Copilot responses. For more information, see Get started with Security Copilot.
Security Administrators can also access this option through the Owner settings page. For more information, see Understand authentication.
In most scenarios, logs are available within 24 hours in Microsoft Purview after enabling the capability.
Use the following steps to update the audit log settings:
Sign in to Security Copilot (https://securitycopilot.microsoft.com).
Select the home menu icon.
Navigate to the Owner settings > Logging audit data in Microsoft Purview.
Important
Microsoft Purview will store your Customer Data in the region where your Microsoft 365 data is stored. For more information, see, Privacy and data security. The default retention period for audit logs is 180 days, but can be extended using audit log retention policies. For more information, see Manage audit log retention policies.
You can turn the toggle on or off.
Access the audit log in Microsoft Purview for Security Copilot
Before you begin
This section gives an overview of the prerequisites to access the audit log.
You'll need to:
- Verify that you have opted in to allowing Microsoft Purview access inside Security Copilot. For more information, see Enable the audit log capability.
- Verify that the audit log feature is turned on in Microsoft Purview. For more information, see Before you search the audit log.
Note
You'll need to have the right permissions to access the audit log in Microsoft Purview. For more information, see Permissions in the Microsoft Purview portal. Note that these access rights might be different from those in Security Copilot.
Options to access the audit log
You can take the following actions to access the audit log in Microsoft Purview:
- Search the audit log - Article that provides instructions on how to you can access and search through the audit log event data to gain insight and further investigate user activities.
- Search through the audit log activities - Article that describes the activities that are captured in the audit log.
- Search the audit log using a PowerShell script - Article that provides instructions on how you can run a PowerShell script to search the audit log to help you investigate security incidents and compliance issues.
- Monitor user activities and system events with Security Copilot and Microsoft Sentinel - Blog that provides insight on how to leverage sending Security Copilot audit logs to your cloud native SIEM to gain deeper insights into usage and take proactive measures to mitigate risks.