Merge pull request #49952 from riswinto/main

update audit ai unit

Author: JillGrant615

learn-pr/paths/purview-protect-ai/index.yml

@@ -1,13 +1,13 @@
 ### YamlMime:LearningPath
 uid: learn.wwl.purview-protect-ai
 metadata:
-  title: 'Protect data in AI environments (SC-401)'
+  title: 'Protect data in AI environments with Microsoft Purview (SC-401)'
   description: 'AI tools like Microsoft Copilot are changing the way people work, but they also increase the risk of oversharing and accidental data exposure. Microsoft Purview helps organizations apply the right controls to keep sensitive data protected across AI-enabled environments. This learning path aligns with exam SC-401: Microsoft Information Security Administrator.'
-  ms.date: 03/25/2025
+  ms.date: 04/10/2025
   author: wwlpublish
   ms.author: riswinto
   ms.topic: learning-path
-title: 'Protect data in AI environments'
+title: 'Protect data in AI environments with Microsoft Purview'
 prerequisites: |
   - Foundational knowledge of Microsoft security and compliance technologies
   - Basic knowledge of information protection concepts
@@ -25,9 +25,11 @@ products:
 subjects:
 - security
 modules:
-- learn-m365.wwl.purview-ai-data-security
-- learn-m365.wwl.purview-ai-data-compliance
-- learn.wwl.purview-identify-mitigate-ai-risks
+- learn.wwl.purview-ai-discover-data
+- learn.wwl.purview-ai-protect-sensitive-data
+- learn.wwl.purview-ai-govern-usage
+- learn.wwl.purview-ai-assess-mitigate-risks
+
 
 trophy:
   uid: learn.wwl.purview-protect-ai.trophy

learn-pr/wwl-sci/purview-ai-discover-data/audit-copilot.yml

@@ -1,15 +1,15 @@
 ### YamlMime:ModuleUnit
 uid: learn.wwl.purview-ai-discover-data.audit-copilot
-title: Audit Microsoft 365 Copilot interactions with Microsoft Purview
+title: Audit Microsoft 365 Copilot activities and AI interactions with Microsoft Purview
 metadata:
-  title: Audit Microsoft 365 Copilot interactions with Microsoft Purview
-  description: "Audit Microsoft 365 Copilot interactions with Microsoft Purview"
+  title: Audit Microsoft 365 Copilot activities and AI interactions with Microsoft Purview
+  description: "Audit Microsoft 365 Copilot activities and AI interactions with Microsoft Purview"
   ms.date: 04/10/2025
   author: wwlpublish
   ms.author: riswinto
   ms.topic: unit
 azureSandbox: false
 labModal: false
-durationInMinutes: 6
+durationInMinutes: 9
 content: |
   [!include[](includes/audit-copilot.md)]

learn-pr/wwl-sci/purview-ai-discover-data/includes/audit-copilot.md

@@ -1,77 +1,98 @@
-Microsoft 365 Copilot integrates with apps like Word, Excel, Outlook, and Teams to help users generate content, summarize information, and automate everyday tasks. These capabilities rely on large language models, including GPT-4, and use data from emails, chats, documents, and calendars to provide context-based assistance.
+Microsoft 365 Copilot integrates with apps like Word, Excel, Outlook, and Teams to help users generate content, summarize information, and automate tasks. These tools use large language models, including GPT-4, and access data from emails, chats, documents, and calendars to generate helpful, context-aware responses.
 
-Because of how Copilot works, with access to sensitive content across Microsoft 365, it's important to have visibility into how it's being used. Microsoft Purview Audit helps organizations track Copilot usage to support security, compliance, and organizational policy enforcement.
+Because Copilot can access sensitive data, organizations need a way to understand how it's used. Microsoft Purview Audit supports this by capturing logs of user interactions and administrator activity related to Copilot and AI applications. These audit logs help support internal policies, security controls, and compliance requirements.
 
-## How Microsoft Purview Audit helps review Copilot usage
+## How Microsoft Purview Audit captures Copilot and AI activity
 
-As users interact with Microsoft 365 Copilot across apps like Word, Excel, and Teams, it's important to verify that those interactions meet organizational and regulatory expectations. Microsoft Purview Audit supports this by recording user and admin activity across Microsoft 365, including Copilot usage.
+Audit logging for Copilot and AI applications is included with Microsoft Purview Audit (Standard). If auditing is enabled in your Microsoft 365 tenant, no extra configuration is required to begin capturing these activities.
 
-These actions are stored in a unified audit log, which you can search in the Microsoft Purview portal or by using PowerShell. Audit logs help answer key questions such as:
+Audit logs include both user interactions with Copilot and administrator actions that affect how Copilot is deployed or configured. These logs are available through the Microsoft Purview portal or PowerShell and can be searched using filters based on activity type, app, or user.
 
-- Who used Copilot and when?
-- In which application was it used?
-- Did the interaction involve labeled or sensitive content?
+Examples of the types of questions audit logs can help answer:
 
-These insights give security and compliance teams the visibility they need to ensure Copilot usage aligns with policy.
+- Which users interacted with Copilot?
+- When and where did these interactions occur?
+- Which apps or services were involved?
+- Was labeled or sensitive content referenced?
+- Did Copilot use external sources like the public web
 
-## Search the audit log for Copilot interactions
+## Key fields in Copilot and AI audit records
 
-Microsoft Purview Audit supports compliance management by capturing Copilot interactions across applications like Word, Excel, PowerPoint, Teams, Loop, Whiteboard, OneNote, and Microsoft 365 Chat. The audit records identify Copilot interactions by the app in which they occur, providing detailed insights into Copilot usage across different contexts.
+Audit records contain structured fields to help you interpret each interaction or activity. Some of the most important fields include:
 
-### Prerequisites for using Microsoft Purview Audit to search Microsoft 365 Copilot interactions
+- **Operation**: Describes the type of action, such as CopilotInteraction or AINotesUpdate.
+- **RecordType**: Identifies the category of application:
+  - `CopilotInteraction`: User interacted with a Microsoft Copilot app
+  - `ConnectedAIAppInteraction`: User interacted with a deployed non-Microsoft or custom Copilot app
+  - `AIAppInteraction`: User interacted with a non-Microsoft AI app not deployed in the tenant
+- **Workload**: Describes the app category (such as `Copilot`, `ConnectedAIApp`, or `AIApp`)
+- **AppIdentity**: Identifies the specific app in the format `workloadName.appGroup.appName`
+- **AppHost**: Indicates which host application was used during the interaction, such as:
+  - `Word`, `Excel`, `PowerPoint`, `Outlook`
+  - `BizChat` (for Microsoft 365 Chat)
+  - `Teams`, `Loop`, `Whiteboard`, `OneNote`
+  - `Defender` (for Security Copilot)
 
-Before you search and analyze Copilot interactions using Microsoft Purview Audit, there are a few steps to ensure your environment is ready. Follow these prerequisites to set up your Microsoft 365 and Purview Audit configurations:
+To determine if the public web was used in a Copilot interaction, check if `AISystemPlugin.Id` equals `BingWebSearch`.
 
-| **Step** | **Description** | **Learn more** |
-|------|-------------|------------|
-| Verify prerequisites for Copilot | Ensure your IT infrastructure is ready for Copilot and Audit, including necessary network configurations and software updates. | - [Microsoft 365 Copilot requirements](/microsoft-365-copilot/microsoft-365-copilot-requirements?azure-portal=true) |
-| Understand searching with Audit | Understand the search functionalities in Microsoft Purview Audit to effectively analyze activities within Microsoft 365. | - [Audit New Search](/purview/audit-new-search?azure-portal=true) |
-| Check licensing requirements | Confirm that you have the appropriate Microsoft 365 E3/E5 licenses for Copilot and Microsoft Purview Audit. | - [Microsoft 365 Copilot service description](/office365/servicedescriptions/office-365-platform-service-description/microsoft-365-copilot?azure-portal=true#available-plan) <br> - [Microsoft Purview Audit service description](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-purview-audit?azure-portal=true) |
+> [!NOTE]
+> `AppIdentity` and `AppHost` aren't shown in the Microsoft Purview portal interface. To view these fields, export the audit logs or use **PowerShell** or the **Office 365 Management Activity API**.
 
-Note: Microsoft Purview Audit logging is turned on by default, but when setting up a new Microsoft 365 organization, you should verify the auditing status for your organization. If auditing isn't turned on for your organization, you can turn it on in the Microsoft Purview portal or by using Exchange Online PowerShell. For more information on verifying that auditing is enabled and enabling the audit sign in Microsoft Purview, see [Turn auditing on or off](/purview/audit-log-enable-disable?azure-portal=true).
+## Administrator activity logging
 
-### Search the audit log for Copilot interactions in Microsoft Purview
+Microsoft Purview Audit also captures administrator actions related to Copilot settings, plugins, promptbooks, and workspaces. These logs provide a record of configuration changes and help trace how Copilot capabilities are managed within the organization.
 
-Microsoft Purview Audit captures user activity across Microsoft 365, including when users interact with Microsoft 365 Copilot. These interactions are recorded based on the application where they occurred, such as Word, Excel, or Teams, and can include details about referenced files, including whether sensitivity labels were applied.
+You can search for these actions in the audit log using operation names listed in the [Copilot activities reference](/purview/audit-log-activities#copilot-activities?azure-portal=true).
 
-You can search for these events in the Microsoft Purview portal using filters that help narrow your results to Copilot-specific activity.
+## Search the audit log for Copilot activity
 
-1. Sign into the [Microsoft Purview portal](https://purview.microsoft.com?azure-portal=true).
-1. In the left navigation pane, select **Solutions** > **Audit**.
-1. Select **New Search** tab at the top of the **Audit** page.
-1. Configure your search on the **New Search** tab:
-   1. Set the **Start date** and **End date** for your search, with the last seven days selected by default.
-   1. Enter relevant keywords or phrases in the **Keyword Search**, using asterisks (*) to replace special characters.
-   1. Select administrative units from the **Admin Units** dropdown if needed.
-   1. Under **Activities - friendly names** select specific activities relevant to Copilot by navigating to **Copilot activities** and selecting **Interacted with Copilot**. You can also use the search bar to find activities related to Copilot by entering _Copilot_.
-   :::image type="content" source="../media/audit-copilot-new-search-activities.png" alt-text="Screenshot showing Interacted with Copilot selected under Activities - friendly names." lightbox="../media/audit-copilot-new-search-activities.png":::
-   1. For precise searches, use **Activities - operations names** and enter _CopilotInteraction_ as the operation name for Copilot activities.
-   1. In the **Record types** dropdown, select record types linked to Copilot activities. Enter _Copilot_ in the search box above the list for easier selection.
-   :::image type="content" source="../media/audit-copilot-new-search-record-type.png" alt-text="Screenshot showing CopilotInteraction selected under Record types." lightbox="../media/audit-copilot-new-search-record-type.png":::
-   1. Name your search in the **Search name** field for easy identification.
-   1. Enter specific users in the **Users** field or leave it blank to return entries for all users (and service accounts) in your organization.
-   1. Enter **File, folder, or site** names for targeted searches, or leave this box blank to return entries for all files and folders in your organization.
-1. Select **Search** to start your search job. A maximum of 10 search jobs can be run in parallel for one user account. If a user requires more than 10 search jobs, they must wait for an _In progress_ job to finish or delete a search job.
+The Microsoft Purview portal allows you to search audit logs by activity type, app, user, and other filters. These searches help identify when and how Copilot and AI apps were used.
 
-## Limitations and considerations for auditing Copilot interactions
+To search for Copilot-related activity:
 
-Microsoft Purview Audit provides useful insight into how users interact with Microsoft 365 Copilot, but there are a few limitations to be aware of. Understanding these limitations helps set accurate expectations for what can and can't be captured in the audit logs.
+1. Go to the [Microsoft Purview portal](https://purview.microsoft.com/?azure-portal=true).
+1. Select **Solutions** > **Audit**.
+1. On the **Search** page, set a **Start date** and **End date**.
+1. Under **Activities - friendly names**, enter a keyword like _Copilot_ or _AI_ to view related user and admin activities. Select the activities relevant to your investigation or review. These might include interactions with Copilot, updates to plugins or promptbooks, or actions related to AI-powered meeting notes.
+   :::image type="content" source="../media/audit-copilot-search-activities.png" alt-text="Screenshot showing Interacted with Copilot selected under Activities - friendly names." lightbox="../media/audit-copilot-search-activities.png":::
+1. For more targeted searches, use **Activities - operation names** and enter operation values such as `CopilotInteraction`, `AINotesUpdate`, or other known operation names.
+1. In the **Record types** dropdown, select types such as `CopilotInteraction`, `ConnectedAIAppInteraction`, or `AIAppInteraction` to scope the results to AI activity.
+1. (Optional) Use fields like **Users**, **AppIdentity**, or **File, folder, or site** to narrow your results based on specific criteria.
+1. Enter a name for your search and select **Search** to run it.
 
-### What's captured in the audit log
+> [!TIP]
+> You can run up to 10 searches in progress at one time. If all slots are used, wait for one to complete or remove an existing search.
 
-- Copilot activity is recorded based on the app in which it occurred (such as Word, Teams, or Excel).
-- Events typically include user IDs, time stamps, and references to accessed files.
-- If a referenced file has a sensitivity label, that label is included in the log entry.
+### Example scenarios and audit entries
 
-### What's not captured in audit logs
+The following examples show how different types of Copilot interactions appear in audit records:
 
-- **Prompts and responses**: Audit logs record that Copilot was used, but not the actual content of the prompt or the AI-generated response. For more detailed content-level review, use Microsoft Purview eDiscovery.
-- **Copilot configuration changes**: Administrative updates to Copilot settings (such as enabling or disabling features) aren't currently logged in Audit.
-- **Device details**: Device identifiers aren't included in Copilot-related audit entries.
+| Scenario | Operation | RecordType | AppIdentity | AppHost |
+|-----|-----|-----|-----|-----|
+| Microsoft 365 Copilot in Chat | CopilotInteraction | CopilotInteraction | `Copilot.MicrosoftCopilot.BizChat` | BizChat |
+| Security Copilot in Microsoft Defender | CopilotInteraction | CopilotInteraction | `Copilot.Security.SecurityCopilot` | Defender |
+| Custom Copilot Studio app in Teams | CopilotInteraction | CopilotInteraction | `Copilot.Studio.<GUID>` | Teams |
+| AI Notes or Live Notes updated in Teams | AINotesUpdate / LiveNotesUpdate | TeamCopilotInteraction | `Copilot.TeamCopilot.*` | Teams |
 
-### Application-specific considerations
+## Scope and limitations
 
-- **Copilot in Teams**: If meeting transcripts are turned off, Copilot activities in Teams aren't captured in the audit log.
-- **App identifiers**: The source app for each interaction is listed in the log, such as Copilot in Word or Copilot in Teams.
+### Included in audit logs
 
-Knowing these limitations can help you plan which tools to use for broader investigations or compliance reviews. Audit is a useful first step for visibility into Copilot activity, but might need to be paired with other solutions for full context.
+- Interactions across Microsoft 365 apps such as Word, Excel, PowerPoint, Outlook, Teams, and more
+- Application and user context for each interaction
+- References to sensitivity labels when protected content is involved
+- Indications when public web data was accessed (via AISystemPlugin.Id)
+
+### Not included in audit logs
+
+- Prompt text submitted by the user
+- AI-generated responses from Copilot
+- Device-specific details
+- Some admin configuration changes (not all are logged)
+
+### App-specific considerations
+
+- Copilot in Teams: If transcription is disabled, interactions in meetings might not be recorded
+- Logs include the host app name to clarify where the interaction occurred
+
+Microsoft Purview Audit captures and stores detailed records of activity related to Microsoft 365 Copilot and other AI applications. This logging supports your ability to search for and review how these tools are used across Microsoft 365 apps and services. While the audit log provides useful insights into app usage and file access, it doesn't include prompt or response content. For deeper investigations, use audit logs alongside other tools such as eDiscovery.