Redigera

Dela via


Access the Security Copilot audit log

In today's stringent regulatory environment, it is important for organizations to monitor and analyze how users interact with security products. Organizations may need to keep track of actions, transactions, and configuration settings on a platform to ensure that they are meeting compliance regulations and regulatory standards.

Security Copilot provides access to audit logs through Microsoft Purview and the Office Management API to help you satisfy compliance and regulatory requirements. The audit log gives you visibility into information such as admin events and activity metadata.

  • Admin events - Privileged actions such as changes to tenant-level settings or administrative changes (for example, data sharing, plugin and promptbook configurations).

  • Activity metadata - Logs of user interactions within the Security Copilot platform (for example, a user asked a prompt at a specific time with information on the activity type).

Note

This does not include customer content such as the actual prompt and response.

By keeping track of these interactions, you can potentially identify risks and protect production data.

Enable the audit log capability in Security Copilot

During the first run experience, a Security Administrator is given the option of opting into allowing Microsoft Purview to access, process, copy and store admin actions, user actions, and Copilot responses. For more information, see Get started with Security Copilot.

Security Administrators can also access this option through the Owner settings page. For more information, see Understand authentication.

In most scenarios, logs are available within 24 hours in Microsoft Purview after enabling the capability.

Use the following steps to update the audit log settings:

  1. Sign in to Security Copilot (https://securitycopilot.microsoft.com).

  2. Select the home menu icon.

  3. Navigate to the Owner settings > Logging audit data in Microsoft Purview.

    Image of Logging audit data in Microsoft Purview in the Owner settings page

    Important

    Microsoft Purview will store your Customer Data in the region where your Microsoft 365 data is stored. For more information, see, Privacy and data security. The default retention period for audit logs is 180 days, but can be extended using audit log retention policies. For more information, see Manage audit log retention policies.

  4. You can turn the toggle on or off.

Access the audit log in Microsoft Purview for Security Copilot

Before you begin

This section gives an overview of the prerequisites to access the audit log.

You'll need to:

Note

You'll need to have the right permissions to access the audit log in Microsoft Purview. For more information, see Permissions in the Microsoft Purview portal. Note that these access rights might be different from those in Security Copilot.

Options to access the audit log

You can take the following actions to access the audit log in Microsoft Purview: