DEV Community

Cover image for Foundry Agent DevSecOps | From Agent Discovery and Evaluation Gates to Runtime Observability and Governance | R.A.H.S.I. Framework™ Analysis
Aakash Rahsi
Aakash Rahsi

Posted on

Foundry Agent DevSecOps | From Agent Discovery and Evaluation Gates to Runtime Observability and Governance | R.A.H.S.I. Framework™ Analysis

CopilotActivity in Microsoft Sentinel

🛡️ Need implementation, not just insights? Let’s build it securely, strategically, and end-to-end.

🛡️ Read Complete Article |

Foundry Agent DevSecOps | From Agent Discovery and Evaluation Gates to Runtime Observability and Governance | R.A.H.S.I. Framework™ Analysis

Correlate CopilotActivity with sensitive data access, OfficeActivity, Sentinel UEBA and insider-risk signals for governed AI detections now.

favicon aakashrahsi.online

🛡️ Let’s Connect |

Hire Aakash Rahsi | Expert in Intune, Automation, AI, and Cloud Solutions

Hire Aakash Rahsi, a seasoned IT expert with over 13 years of experience specializing in PowerShell scripting, IT automation, cloud solutions, and cutting-edge tech consulting. Aakash offers tailored strategies and innovative solutions to help businesses streamline operations, optimize cloud infrastructure, and embrace modern technology. Perfect for organizations seeking advanced IT consulting, automation expertise, and cloud optimization to stay ahead in the tech landscape.

favicon aakashrahsi.online

Correlating AI Use, Sensitive Data Access and Insider-Risk Signals

R.A.H.S.I. Framework™ Analysis

Microsoft 365 Copilot introduces a new category of enterprise security telemetry.

Copilot interactions are not merely productivity records. When properly collected, enriched and correlated, they can reveal:

  • Which identity used Copilot
  • Which Copilot experience or agent was involved
  • Which Microsoft 365 workload supported the interaction
  • Which organizational resources were referenced
  • Whether sensitive information was involved
  • Whether policy restrictions were encountered
  • Whether the activity originated from unusual infrastructure
  • Whether the user was already associated with elevated behavioral or insider-risk signals

However, a Copilot interaction by itself does not prove malicious or risky behavior.

The real security value appears when Microsoft Sentinel correlates AI activity with:

  • Microsoft Purview Audit
  • Microsoft Purview Data Loss Prevention
  • Sensitivity labels
  • Communication Compliance
  • Insider Risk Management
  • Adaptive Protection
  • Microsoft 365 workload activity
  • Sentinel User and Entity Behavior Analytics
  • Threat intelligence
  • Entity mapping
  • Watchlists
  • Scheduled analytics rules

The objective is not to treat every Copilot interaction as suspicious. The objective is to identify when authorized AI use intersects with sensitive data, unusual behavior and elevated organizational risk.


The Copilot Security Visibility Problem

Traditional security monitoring was designed around events such as:

  • User sign-ins
  • File downloads
  • Email forwarding
  • Endpoint execution
  • Privilege changes
  • Data transfers
  • Administrative actions
  • Network connections

AI introduces a new interaction layer between the user and enterprise information.

A user may not manually browse through dozens of SharePoint files.

Instead, the user may ask Copilot to:

  • Summarize a confidential project
  • Locate sensitive financial information
  • Compare employee documents
  • Extract customer details
  • Draft content from internal records
  • Analyze merger or acquisition information
  • Find information across multiple repositories
  • Generate a response using protected organizational data

The underlying permissions may remain unchanged, but the speed and convenience of discovery increase significantly.

The monitoring question therefore changes from:

Did the user open a file?

to:

What information did the user attempt to access through AI, what enterprise resources supported the response, and what happened before and after the interaction?


The R.A.H.S.I. Copilot Correlation Architecture

The R.A.H.S.I. Framework™ treats Copilot security monitoring as a multi-signal correlation problem.

Copilot interaction
        ↓
CopilotActivity and Purview Audit
        ↓
Referenced resources and policy context
        ↓
Microsoft 365 workload activity
        ↓
Sensitivity and DLP context
        ↓
Insider-risk and communication signals
        ↓
Sentinel UEBA and anomaly context
        ↓
Business enrichment through watchlists
        ↓
Entity-mapped analytics rule
        ↓
Incident, investigation and governed response
Enter fullscreen mode Exit fullscreen mode

Each layer contributes a different part of the security story.


1. CopilotActivity as the AI Telemetry Layer

The CopilotActivity table provides a Sentinel-facing view of supported Copilot activity.

Depending on the available schema, connector and ingestion path, records can expose information such as:

  • Event time
  • User or actor identity
  • Source IP address
  • Copilot application
  • Host application
  • Workload
  • Agent-related context
  • Record type
  • Operation
  • Interaction details
  • Extensible event properties

This information answers the first set of questions:

  • Who initiated the interaction?
  • When did it happen?
  • From where did it originate?
  • Which Copilot experience was used?
  • Which Microsoft workload was involved?
  • Was an agent involved?
  • What type of operation occurred?

Important implementation note

Microsoft table names, sample queries and available columns can vary by connector, preview status, tenant configuration and documentation version.

Before deploying production detections:

  1. Confirm which Copilot-related tables exist in the Log Analytics workspace.
  2. Inspect representative records.
  3. Validate column names and data types.
  4. Confirm retention and ingestion latency.
  5. Test whether the required Copilot workloads are represented.
  6. Validate whether nested interaction details require JSON parsing.

Do not deploy production analytics rules by copying a sample query without first validating the tenant schema.


2. Microsoft Purview Audit as the Evidence Layer

Microsoft Purview Audit provides deeper evidence for supported Copilot activities.

Copilot audit records can contain context related to:

  • User identity
  • Copilot application
  • Interaction type
  • Referenced resources
  • Accessed files or sites
  • Sensitivity labels
  • Policy restrictions
  • Action details
  • Interaction status
  • Agent information
  • Security-related indicators
  • Prompt or response processing context

This provides a more useful security question than simply asking whether Copilot was used.

Security teams can begin asking:

  • Which resources contributed to the response?
  • Was protected content referenced?
  • Did a policy prevent or restrict an action?
  • Was a sensitivity label present?
  • Did Copilot interact with an agent or extension?
  • Was unusual prompt behavior detected?
  • Did the interaction involve a resource the user rarely accesses?

Audit record versus security conclusion

Copilot audit event
≠
Confirmed security incident
Enter fullscreen mode Exit fullscreen mode

Audit records provide evidence.

Sentinel correlation provides context.

Human investigation determines meaning.


3. OfficeActivity as the Microsoft 365 Context Layer

Copilot activity should not be investigated in isolation.

The OfficeActivity table can provide related Microsoft 365 operations across supported workloads such as:

  • SharePoint Online
  • OneDrive for Business
  • Exchange Online
  • Microsoft Teams
  • Microsoft Entra-related activities
  • Administrative workloads

This makes it possible to examine what happened before and after an AI interaction.

Example behavioral sequence

User accesses Copilot
→ Copilot references a sensitive SharePoint site
→ User downloads multiple files
→ User creates an external sharing link
→ User sends information through Exchange
Enter fullscreen mode Exit fullscreen mode

Any one event may have a legitimate explanation.

The sequence is more meaningful than the individual records.

Useful correlation windows

Security teams can investigate activity occurring:

  • 15 minutes before the Copilot interaction
  • 30 minutes after the interaction
  • Several hours around the interaction
  • Across the user’s normal working session
  • Across a longer insider-risk investigation period

The correct time window depends on the use case.

A short window is useful for immediate follow-on activity.

A longer window is useful for identifying gradual collection, staging or exfiltration behavior.


4. Sensitive-Data Context Through Microsoft Purview

Copilot activity becomes more security-relevant when it involves sensitive or regulated information.

Microsoft Purview can contribute context through:

  • Sensitivity labels
  • Data Loss Prevention policies
  • Sensitive information types
  • Trainable classifiers
  • Data security posture findings
  • Policy matches
  • Restricted Copilot interactions
  • Data exposure assessments

Security teams should distinguish between:

AI interaction with ordinary information
Enter fullscreen mode Exit fullscreen mode

and:

AI interaction with highly confidential, regulated or business-critical information
Enter fullscreen mode Exit fullscreen mode

The actor and action may be identical.

The risk changes because the data classification changes.


5. Purview DLP as the Runtime Policy Layer

Microsoft Purview Data Loss Prevention can help govern supported Copilot interactions and connected Microsoft 365 data.

Depending on policy capabilities and workload support, DLP may help:

  • Detect sensitive information
  • Apply policy restrictions
  • Prevent certain protected content from contributing to Copilot responses
  • Restrict sensitive information in supported AI interactions
  • Generate alerts
  • Produce investigation evidence
  • Support adaptive protection scenarios

DLP should not be treated as a replacement for permissions governance.

DLP enforcement
≠
Permission remediation
Enter fullscreen mode Exit fullscreen mode

A user may still possess excessive access even when a DLP policy blocks a particular interaction.

A mature program should address both:

  1. Why the user had access
  2. Whether the data was protected during use

6. Communication Compliance Context

Communication Compliance can add context when Copilot-generated or Copilot-assisted content intersects with communication risks.

Potential areas of concern can include:

  • Regulatory language
  • Harassment
  • Threatening content
  • Inappropriate communication
  • Sensitive information disclosure
  • Policy violations
  • Risky external communication

The presence of a Communication Compliance signal does not automatically mean that Copilot caused the behavior.

Instead, it can help investigators determine whether AI-assisted activity formed part of a broader communication-risk pattern.

Copilot interaction
+
Communication policy signal
+
Sensitive data context
=
Higher-priority investigation candidate
Enter fullscreen mode Exit fullscreen mode

7. Insider Risk Management Context

Microsoft Purview Insider Risk Management evaluates supported user activities across defined risk scenarios.

Depending on policy configuration, relevant scenarios can include:

  • Data leakage
  • Departing users
  • Security-policy violations
  • Risky data transfers
  • Unusual file activity
  • Data access associated with elevated user risk
  • Potential misuse of sensitive information

CopilotActivity becomes more meaningful when the user is already associated with contextual risk.

Example correlation

Departing employee
+
Elevated Insider Risk score
+
Copilot access to sensitive project files
+
Unusual SharePoint downloads
+
External email activity
=
High-priority investigation
Enter fullscreen mode Exit fullscreen mode

The same Copilot interaction performed by a user with no unusual activity may have a very different risk level.

Privacy principle

Insider-risk monitoring must remain:

  • Purpose-limited
  • Role-restricted
  • Auditable
  • Proportionate
  • Consistent with organizational policy
  • Consistent with legal and regulatory requirements

The goal is evidence-based risk detection, not broad employee surveillance.


8. Adaptive Protection

Adaptive Protection can dynamically connect Insider Risk Management risk levels with Data Loss Prevention enforcement.

This creates a more contextual control model.

Instead of applying the same restriction to every user, policy behavior can respond to elevated risk.

Normal user risk
→ Standard DLP controls

Elevated user risk
→ Stronger DLP controls

High user risk
→ More restrictive protection and investigation
Enter fullscreen mode Exit fullscreen mode

When correlated with CopilotActivity, Adaptive Protection can help security teams understand:

  • Whether a user’s risk level was elevated during an interaction
  • Whether stricter DLP controls were applied
  • Whether the user attempted to access or move sensitive information
  • Whether the activity continued through another Microsoft 365 workload

This supports a transition from static AI governance to risk-adaptive AI governance.


9. Sentinel UEBA as the Behavioral Layer

Microsoft Sentinel User and Entity Behavior Analytics can help establish behavioral context for users and other entities.

UEBA can identify deviations involving:

  • Sign-in locations
  • Source IP addresses
  • Devices
  • Applications
  • Access patterns
  • Resource usage
  • Peer-group behavior
  • Historical baselines
  • Unusual activity frequency
  • Abnormal entity relationships

CopilotActivity becomes more meaningful when correlated with behavioral deviation.

Example

Copilot activity
+
Unusual IP address
+
First-time access to a sensitive site
+
Activity outside normal hours
+
Elevated user anomaly score
=
Investigatable AI-risk signal
Enter fullscreen mode Exit fullscreen mode

UEBA does not replace the original telemetry.

It enriches that telemetry with behavioral meaning.


10. Entity Mapping

Sentinel analytics rules should map relevant fields to entities whenever possible.

Potential entities can include:

  • Account
  • IP address
  • Host
  • Cloud application
  • URL
  • File
  • Mailbox
  • Microsoft 365 resource

Entity mapping improves:

  • Incident investigation
  • Entity timelines
  • UEBA enrichment
  • Relationship visualization
  • Incident grouping
  • Hunting
  • Automated response
  • Cross-rule correlation

For Copilot-related detections, the most important entity is usually the account.

Other useful entities may include:

  • Source IP
  • Host device
  • Referenced URL
  • SharePoint site
  • Accessed file
  • Cloud application
  • Agent or application identity

Entity-normalization principle

Different data sources may represent the same user differently.

Examples include:

  • User principal name
  • Email address
  • Object ID
  • Account name
  • Actor ID
  • Application identity

Detection engineering should normalize these values before correlation.


11. Watchlists as the Business-Context Layer

Security telemetry rarely contains enough business context on its own.

Sentinel watchlists can enrich Copilot detections with organizational knowledge.

Useful watchlists may include:

  • Privileged users
  • Executives
  • Departing employees
  • Contractors
  • High-risk third parties
  • Break-glass accounts
  • Sensitive SharePoint sites
  • Crown-jewel applications
  • Approved AI applications
  • Approved agents
  • Restricted business units
  • Legal-hold users
  • High-value assets
  • Known corporate IP ranges

Example watchlist enrichment

CopilotActivity
→ Match user against privileged-user watchlist
→ Match resource against sensitive-site watchlist
→ Match IP against approved network ranges
→ Increase or decrease detection priority
Enter fullscreen mode Exit fullscreen mode

Watchlists should not become unmanaged shadow databases.

They require:

  • Named ownership
  • Defined update frequency
  • Schema governance
  • Data-quality validation
  • Access control
  • Expiration procedures
  • Auditability

12. Scheduled Analytics Rules

Scheduled analytics rules can correlate CopilotActivity with related signals over defined time windows.

A mature detection should avoid triggering simply because Copilot was used.

The rule should identify a meaningful combination of:

  • AI interaction
  • Sensitive data
  • Behavioral anomaly
  • Insider-risk context
  • Follow-on activity
  • Business criticality
  • Policy outcome

R.A.H.S.I. detection formula

Investigatable AI Risk =
AI Activity
× Data Sensitivity
× Behavioral Deviation
× Insider-Risk Context
× Follow-on Action
× Business Criticality
Enter fullscreen mode Exit fullscreen mode

Multiplication is used conceptually because weak or absent context in one area should reduce the final risk level.


13. High-Value Detection Scenarios

Scenario 1: Unusual Copilot access to sensitive information

Detection logic

  • Copilot interaction is recorded
  • Referenced resource has a sensitive label
  • User rarely accesses the resource
  • Source IP or location is unusual
  • Activity occurs outside normal working patterns

Investigation question

Was Copilot used to discover protected information outside the user’s normal role or behavior?


Scenario 2: Departing employee using Copilot against sensitive repositories

Detection logic

  • User appears in a departing-employee watchlist
  • Insider Risk context is elevated
  • Copilot accesses sensitive SharePoint or OneDrive resources
  • Follow-on file downloads or sharing activity occurs

Investigation question

Was AI used to accelerate information collection before departure?


Scenario 3: Copilot interaction followed by external sharing

Detection logic

  • Copilot accesses or references sensitive information
  • SharePoint or OneDrive external sharing occurs shortly afterward
  • Exchange or Teams external communication follows
  • DLP alert is generated

Investigation question

Did the AI interaction contribute to accidental or intentional data disclosure?


Scenario 4: Privileged user exhibiting abnormal AI behavior

Detection logic

  • User is present in the privileged-user watchlist
  • CopilotActivity volume exceeds the user’s baseline
  • Sensitive administrative information is referenced
  • UEBA identifies unusual IP, application or access behavior

Investigation question

Is a privileged identity being misused, compromised or operating outside its expected responsibilities?


Scenario 5: Repeated policy-restricted Copilot activity

Detection logic

  • Multiple Copilot interactions encounter policy restrictions
  • Sensitive data classifications recur
  • Attempts continue across multiple applications or sessions
  • DLP or Communication Compliance signals are present

Investigation question

Is the user repeatedly attempting to bypass or work around information-protection controls?


Scenario 6: Copilot access followed by mass file activity

Detection logic

  • Copilot interacts with a sensitive project or site
  • OfficeActivity shows bulk download, sync or access behavior
  • Activity volume deviates from the user’s baseline
  • Destination or network context is unusual

Investigation question

Was Copilot used as a discovery mechanism before large-scale data collection?


Scenario 7: Agent-related access to restricted information

Detection logic

  • Copilot interaction involves an agent
  • Agent or application identity is not present in the approved-agent watchlist
  • Sensitive organizational resources are referenced
  • Plugin, connector or external action context is present

Investigation question

Did an unapproved or overprivileged agent gain access to protected enterprise information?


14. Detection Engineering Pattern

A production analytics rule should generally follow this structure:

1. Select Copilot events
2. Normalize user identity
3. Extract application, agent and resource context
4. Enrich with sensitivity and DLP information
5. Join related Microsoft 365 activity
6. Enrich with UEBA anomalies
7. Match watchlists
8. Calculate a risk score
9. Map entities
10. Create an incident only when sufficient context exists
Enter fullscreen mode Exit fullscreen mode

Conceptual KQL pattern

The following is an architectural pattern rather than copy-ready production KQL.

let StartTime = ago(1h);
let EndTime = now();

let CopilotEvents =
    CopilotActivity
    | where TimeGenerated between (StartTime .. EndTime)
    | extend NormalizedUser = tolower(UserId)
    | project
        TimeGenerated,
        NormalizedUser,
        SourceIpAddress,
        CopilotApplication,
        Workload,
        Operation,
        AdditionalFields;

let RelatedMicrosoft365Activity =
    OfficeActivity
    | where TimeGenerated between (StartTime - 30m .. EndTime + 30m)
    | extend NormalizedUser = tolower(UserId)
    | project
        TimeGenerated,
        NormalizedUser,
        OfficeWorkload,
        Operation,
        SiteUrl,
        SourceFileName,
        ClientIP;

CopilotEvents
| join kind=leftouter RelatedMicrosoft365Activity on NormalizedUser
| where abs(datetime_diff("minute", TimeGenerated, TimeGenerated1)) <= 30
| project
    CopilotTime = TimeGenerated,
    RelatedActivityTime = TimeGenerated1,
    NormalizedUser,
    SourceIpAddress,
    CopilotApplication,
    Workload,
    CopilotOperation = Operation,
    Microsoft365Workload = OfficeWorkload,
    RelatedOperation = Operation1,
    SiteUrl,
    SourceFileName,
    ClientIP
Enter fullscreen mode Exit fullscreen mode

Column names must be validated against the actual workspace schema before use.

Production implementations should also include:

  • Null handling
  • Identity normalization
  • Dynamic JSON parsing
  • Duplicate suppression
  • Watchlist enrichment
  • UEBA enrichment
  • Sensitivity context
  • Threshold tuning
  • Incident grouping
  • Entity mapping

15. Risk Scoring

Not every detection should create an incident with the same severity.

A risk score can combine multiple factors.

Copilot AI Risk Score =
User Criticality
+ Data Sensitivity
+ Behavioral Anomaly
+ Insider-Risk Level
+ Policy Restriction
+ Follow-on Activity
+ Agent Risk
+ External Exposure
Enter fullscreen mode Exit fullscreen mode

Example weighting model

Risk factor Example weight
Highly sensitive resource 25
Elevated insider-risk context 20
UEBA anomaly 15
Privileged user 15
External sharing after Copilot use 15
Unapproved agent 10
Unusual source IP 10
Repeated DLP restrictions 10

The exact weighting should be validated against the organization’s threat model and incident history.


16. Incident Grouping

Poor incident grouping can create alert fatigue.

Copilot-related events should be grouped when they involve:

  • The same user
  • The same agent
  • The same sensitive resource
  • The same source IP
  • The same policy
  • The same investigation window
  • The same follow-on activity

A useful incident title could be:

Potential risky Copilot access by <User> involving <Sensitive Resource>
Enter fullscreen mode Exit fullscreen mode

A useful incident description should explain:

  • What Copilot activity occurred
  • Which resource was involved
  • Why the resource was considered sensitive
  • Which behavioral anomaly was present
  • Which insider-risk or policy signal contributed
  • What follow-on Microsoft 365 activity occurred
  • Which entities require investigation

17. Investigation Workflow

A human investigator should follow a consistent process.

Step 1: Validate the identity

Confirm:

  • User principal name
  • Role
  • Department
  • Privilege level
  • Employment status
  • Manager
  • Risk status
  • Recent identity alerts

Step 2: Review the Copilot interaction

Determine:

  • Which Copilot experience was used
  • Which agent was involved
  • Which workload was accessed
  • Which resources were referenced
  • Whether policy restrictions were applied
  • Whether sensitive labels were present

Step 3: Examine surrounding Microsoft 365 activity

Review:

  • File access
  • Downloads
  • Sharing
  • Email activity
  • Teams activity
  • Administrative activity
  • Search behavior

Step 4: Review behavioral context

Investigate:

  • Source IP
  • Device
  • Location
  • Time of activity
  • Peer-group deviation
  • Historical behavior
  • Related UEBA anomalies

Step 5: Review insider-risk and compliance signals

Check:

  • Insider Risk alerts
  • Communication Compliance alerts
  • DLP alerts
  • Adaptive Protection risk level
  • Relevant investigation history

Step 6: Establish intent and impact

Determine whether the activity was:

  • Legitimate
  • Accidental
  • Policy-violating
  • Caused by poor permissions
  • Associated with a compromised identity
  • Associated with malicious insider activity
  • Caused by an unapproved agent or integration

Step 7: Apply a governed response

Possible actions include:

  • Close as expected behavior
  • Educate the user
  • Review permissions
  • Remove excessive access
  • Restrict a site from discovery
  • Strengthen DLP controls
  • Disable an unapproved agent
  • Revoke sessions
  • Escalate to Insider Risk Management
  • Escalate to incident response
  • Preserve evidence for legal or compliance review

18. Governance Boundaries

Copilot monitoring can involve sensitive employee, communication and behavioral information.

Access to this telemetry should be limited to authorized roles.

A mature governance model should define:

  • Who can view Copilot audit data
  • Who can view insider-risk data
  • Who can view communication content
  • Who can create analytics rules
  • Who can modify watchlists
  • Who can approve automated actions
  • How investigations are audited
  • How data is retained
  • How privacy is protected
  • How false accusations are prevented

R.A.H.S.I. principle

AI-security monitoring must protect the organization without converting ordinary employee productivity into indiscriminate surveillance.


19. Copilot Detection Architecture

A complete deployment can be organized into seven control planes.

Plane 1: Collection

Sources:

  • CopilotActivity
  • Purview Audit
  • OfficeActivity
  • Microsoft Sentinel connectors
  • Microsoft 365 activity APIs

Plane 2: Normalization

Functions:

  • Identity normalization
  • IP normalization
  • Application normalization
  • Resource extraction
  • Dynamic field parsing
  • Time alignment

Plane 3: Data sensitivity

Sources:

  • Sensitivity labels
  • DLP alerts
  • Sensitive information types
  • Purview policy results
  • Data-security posture findings

Plane 4: Behavioral intelligence

Sources:

  • Sentinel UEBA
  • Anomalies
  • Entity behavior
  • Peer-group comparison
  • Historical baselines

Plane 5: Business enrichment

Sources:

  • Watchlists
  • HR-approved risk indicators
  • Privileged-user lists
  • Sensitive-site inventories
  • Approved agents
  • High-value assets

Plane 6: Detection and investigation

Functions:

  • Scheduled analytics rules
  • Entity mapping
  • Incident grouping
  • Risk scoring
  • Investigation graphs
  • Hunting queries

Plane 7: Response and governance

Functions:

  • Human validation
  • Permission remediation
  • DLP enforcement
  • Identity response
  • Agent restriction
  • Evidence retention
  • Audit
  • Lessons learned

20. Implementation Checklist

Data collection

  • Confirm Copilot audit data is available.
  • Validate Copilot-related tables in Sentinel.
  • Confirm OfficeActivity ingestion.
  • Review connector health.
  • Measure ingestion latency.
  • Validate data retention.
  • Document missing workloads.

Schema validation

  • Inspect representative Copilot records.
  • Validate identity fields.
  • Validate source IP fields.
  • Extract agent information.
  • Extract referenced resources.
  • Parse dynamic data safely.
  • Document schema changes.

Purview integration

  • Confirm sensitivity labels are deployed.
  • Confirm relevant DLP policies are active.
  • Confirm Copilot-related policy coverage.
  • Validate Insider Risk policies.
  • Validate Communication Compliance requirements.
  • Review Adaptive Protection configuration.

Sentinel configuration

  • Enable UEBA.
  • Validate entity mapping.
  • Create governed watchlists.
  • Define analytics-rule schedules.
  • Configure incident grouping.
  • Establish suppression logic.
  • Tune detection thresholds.

Investigation readiness

  • Define incident owners.
  • Define investigation procedures.
  • Define privacy restrictions.
  • Define evidence-retention requirements.
  • Document escalation paths.
  • Establish rollback and containment procedures.

Continuous improvement

  • Measure false positives.
  • Measure missed detections.
  • Review rule performance.
  • Update watchlists.
  • Validate schema changes.
  • Review new Copilot agents and applications.
  • Reassess sensitive-data repositories.
  • Test detection scenarios regularly.

21. Measuring Success

The value of Copilot monitoring should not be measured only by event volume.

Useful metrics include:

  • Copilot events ingested
  • Percentage of events with normalized identities
  • Percentage of events with resource context
  • Sensitive-resource interaction rate
  • DLP-restricted interaction rate
  • UEBA-enriched event rate
  • Copilot-related incidents created
  • False-positive rate
  • Mean time to investigate
  • Permission-remediation rate
  • Unapproved-agent detection rate
  • Repeat-policy violation rate
  • Evidence completeness
  • Investigation closure quality

The strongest metric is not:

How many Copilot interactions did Sentinel collect?

It is:

How effectively did the organization distinguish normal AI-assisted work from genuinely risky AI-enabled behavior?


The R.A.H.S.I. Copilot Risk Model

The R.A.H.S.I. Framework™ expresses Copilot risk through the relationship between authorization, sensitivity, behavior and context.

Copilot Risk =
Effective Access
× Data Sensitivity
× AI Discoverability
× Behavioral Deviation
× Insider-Risk Context
× Follow-on Action
× Control Weakness
Enter fullscreen mode Exit fullscreen mode

This model avoids two dangerous extremes.

Extreme 1: Treating every Copilot interaction as suspicious

This creates alert fatigue, privacy concerns and distrust.

Extreme 2: Treating every authorized interaction as safe

Authorization alone does not prove appropriate intent, secure behavior or legitimate business purpose.

The correct approach is contextual correlation.


Critical Architectural Distinctions

Copilot use
≠
Security incident
Enter fullscreen mode Exit fullscreen mode
Authorized access
≠
Appropriate access
Enter fullscreen mode Exit fullscreen mode
Audit visibility
≠
Risk detection
Enter fullscreen mode Exit fullscreen mode
DLP restriction
≠
Permission remediation
Enter fullscreen mode Exit fullscreen mode
Behavioral anomaly
≠
Malicious intent
Enter fullscreen mode Exit fullscreen mode
Insider-risk signal
≠
Confirmed wrongdoing
Enter fullscreen mode Exit fullscreen mode
AI-generated response
≠
Data exfiltration
Enter fullscreen mode Exit fullscreen mode
Single event
≠
Behavioral story
Enter fullscreen mode Exit fullscreen mode

These distinctions are essential for accurate and defensible investigations.


CopilotActivity in Microsoft Sentinel should not be treated as an isolated AI-usage log.

Its real value appears when it is correlated with:

  • Microsoft Purview audit evidence
  • Referenced resources
  • Sensitivity labels
  • DLP restrictions
  • Microsoft 365 workload activity
  • Communication Compliance
  • Insider Risk Management
  • Adaptive Protection
  • Sentinel UEBA
  • Entity behavior
  • Watchlists
  • Scheduled analytics rules

A weak detection says:

The user accessed Copilot.

A stronger detection says:

A privileged user accessed sensitive organizational information through Copilot from an unusual source, followed by abnormal Microsoft 365 activity while behavioral and insider-risk context were elevated.

That is the transition from AI-usage monitoring to contextual AI-risk detection.

The goal is not to monitor every prompt as a threat. The goal is to identify when AI-assisted access becomes part of a meaningful and investigatable security pattern.

Top comments (0)