What license, subscription, and audit log details are required for Microsoft Security Copilot?

Louis 40 Reputation points
2026-01-27T11:53:55.5333333+00:00

I want to use Microsoft Security Copilot. What license is required and which subscription should we have? Does Security Copilot have audit logs? Is Security Copilot considered a separate workload? In the Security Copilot workload, what record types are available in the audit logs?

Microsoft Copilot | Microsoft Security Copilot

Answer accepted by question author

Marcin Policht 90,975 Reputation points MVP Volunteer Moderator
2026-01-27T12:10:23.56+00:00

Microsoft Security Copilot is licensed as a standalone, capacity-based add-on rather than being bundled into an existing Microsoft 365 or Azure security license. To use it, you must have an eligible Azure subscription where Security Copilot capacity is provisioned, and your tenant must already use supported Microsoft security services such as Microsoft Defender, Microsoft Sentinel, Entra ID, or Intune so Copilot has data to reason over. There is no per-user license; instead, you purchase Security Copilot capacity units through Azure, and access is then granted to users via role assignment in the tenant.

Security Copilot does generate audit logs. User interactions, prompts, responses, and administrative actions are audited through Microsoft Purview Audit (Standard or Premium, depending on your tenant licensing). These logs allow you to track who accessed Security Copilot, when it was used, and what type of actions were performed, which supports security investigations and compliance requirements.

Security Copilot is treated as a separate workload in Microsoft Purview auditing. It does not fall under existing workloads like Exchange, SharePoint, or Defender; instead, it has its own dedicated workload classification so that Copilot-specific activity can be filtered, searched, and retained independently.

Within the Security Copilot workload, the audit logs include record types that capture Copilot interaction and management activity. These include events for Copilot prompt submission, Copilot response generation, Copilot session start and end, plugin or data connector usage, and administrative configuration or access changes related to Security Copilot. The exact record type names may evolve, but they are exposed under the Security Copilot workload and are searchable through the unified audit log in Purview.

For more, refer to https://learn.microsoft.com/security-copilot/overview


If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
