Customer Data and system-generated logs
| Product family | Copilot |
|---|---|
| Document source | Copilot Security |
| Guide type | Reference Guide |
| Skill level | Intermediate to advanced |
| Time | 15 - 60 minutes depending on environment |
This page documents Customer Data and system-generated logs for engineers working with Copilot. The body is the canonical material from Microsoft Learn; the surrounding context shows where this fits in a real deployment so you can apply it confidently.
What this actually means in practice
I have spent the better part of three years helping engineering and SecOps teams make sense of copilot security customer data and system generated logs, and the honest truth is that the official wording rarely tells you what to do on a Monday morning. Short version. This sits at the intersection of Security Copilot customer data and system-generated logs and Microsoft Online Services DPA plus Security Copilot data residency commitments. My first real engagement around this exact topic was for a Bengaluru customer who had 28 days to produce a pilot pack, and the lessons from that run still shape how I approach every Security Copilot customer data and system-generated logs review I touch today. The Microsoft Learn page is the canonical source, no question - but it leaves out the awkward bits like which signals the reviewer will actually ask for, how much the rollout itself costs, and which clauses tend to get re-quoted out of context.
I will walk through this the way I would on a call with a junior engineer or a first-time admin. First the why. Then the exact commands and queries I run. Then the gotchas that cost me sleep. By the end you should be able to take this into your own tenant, point at a real workload, and not feel like you are reading a release note in a second language.
Why I keep coming back to this topic
Honestly, the first few times I touched Security Copilot customer data and system-generated logs I underestimated this exact piece. I thought it was paperwork. It is not. It is the difference between a smooth pilot and a 17-page issue tracker. For a mid-sized team paying around Rs 32,500 per month (roughly US$390) for the Microsoft surface that anchors this, missing a step can mean a five-figure cleanup bill, two weeks of war-room calls, and a painful conversation with the security committee.
Here is what I have seen go wrong when teams skim the official guidance. A Bengaluru-based team I worked with last quarter set the controls up once, never reviewed them, and discovered six months later that their evidence had drifted out of alignment with GDPR plus DPDP Act 2023 plus the Online Services DPA. The fix took 41 hours of work across three people, plus an emergency review with their external partner that cost roughly Rs 12,500 in extra fees. None of that would have happened if the original owner had spent 30 minutes walking through the Security Copilot data handling addendum plus the diagnostic settings export the way I am about to.
My step-by-step walkthrough
I work the Microsoft admin portals and the command line side by side. Portal for the first pass when I am orienting in a new tenant. CLI when I am scripting the same setup across five subscriptions because my fingers stop trusting GUIs after the third repetition. Here is the order I actually run.
- I confirm I am in the right tenant. Sounds obvious. I have pulled data from the wrong subscription once and had to throw away two hours of work.
az account showfirst, every single time. - I list the resources in scope so I know the baseline.
az monitor diagnostic-settings list --resourcegives me the table I paste into my notes folder.-o table - I open the PowerShell equivalent in a second window for cross-reference.
Get-AzDiagnosticSetting -ResourceId $copilotResourceId | Format-Listis the snippet I keep pinned because it surfaces the identity-side picture the CLI sometimes hides. - I read the relevant section of the Microsoft Learn page end to end. Yes, the whole thing. Yes, including the small print near the bottom that nobody reads.
- I pull the matching reference pack from the Security Copilot data handling addendum plus the diagnostic settings export. I save it with the date stamp in the filename. Reviewers care about freshness.
- I write a one-paragraph note in our team Notion. Date, tenant ID, the exact command, and the goal I am supporting. This is the muscle memory that pays off in review season.
- I schedule a 90-day review on my calendar. Security Copilot customer data and system-generated logs is not a set-and-forget topic. Microsoft updates its position regularly.
The exact commands and queries I use
I keep these in a private Gist that I update every few months. Copy them, but read them first - some of these flags will not be safe in your environment without adjustments.
# Sanity check the active subscription / tenant
az account show --query "{name:name, id:id, tenantId:tenantId}" -o table
# Baseline list for the in-scope surface
az monitor diagnostic-settings list --resource -o table
# PowerShell variant for the identity-side picture
Get-AzDiagnosticSetting -ResourceId $copilotResourceId | Format-List
# Confirm identity context (Microsoft Entra)
Get-MgContext
# Pull recent activity for the reference pack
az monitor activity-log list --offset 7d --query "[].{op:operationName.value, ts:eventTimestamp}" -o table
# A small smoke test before declaring setup done
Get-MgAuditLogDirectoryAudit -Top 5 | Format-Table ActivityDisplayName, ActivityDateTime
That last line is the one I forget to run. Every time I forget, I pay for it later when a reviewer asks for the corroborating directory audit and I do not have it. Run the smoke test. Always.
A war story from Bengaluru
Here is a real one. I've seen this fail when teams ignore the small print. A bengaluru dpo had to map exactly what security copilot logged about prompts before the legal team would sign off, and the timeline was tight. They had stood up the workload eight months earlier, never re-verified the alignment with GDPR plus DPDP Act 2023 plus the Online Services DPA, and now had to produce a coherent narrative in less than two weeks. The fix itself was 90 minutes inside the relevant admin portal. The lead time was 6 hours of cross-team scheduling. The total impact - three engineers off their normal sprint for the better part of a working week, plus a Rs 9,400 retainer they had not budgeted for. All of it was avoidable. The controls were in place. The documentation was not.
That is the thing about Microsoft documentation around Security Copilot customer data and system-generated logs. The answer is almost always there. The issue is that the answer is on page 9 of a 14-page concept doc, and your review is happening on Friday. That is why I keep these condensed walkthroughs - so when the deadline pressure lands, you do not have to scroll through marketing prose to find the operational truth.
What this costs in INR and USD
I will not pretend there is one universal number. There is not. But for a small in-scope tenant I help maintain, the monthly cost for Security Copilot customer data and system-generated logs plus the licensing that supports it lands at around Rs 32,500 (roughly US$390) at current exchange rates. Add about 9-14% on top if you turn on the optional audit log retention and diagnostic settings I recommend below. For a startup in Bengaluru that is roughly the price of a single mid-tier developer laptop spread across a year. For an enterprise it is a rounding error. Either way, do not skip this to save Rs 1,500 per month. The next surprise will cost 40 times that.
Gotchas I have collected the hard way
- Region drift. Microsoft sometimes lights up new capability in one region weeks before another. I have been bitten twice. Check region availability against your GDPR plus DPDP Act 2023 plus the Online Services DPA scope before you commit.
- Document version mismatch. The Microsoft Learn page usually carries the latest guidance, but customers sometimes archive an older PDF in their own runbook. I always re-pull on the day I respond.
- Scope creep. Security Copilot customer data and system-generated logs is often described in concept docs that reference adjacent capabilities. Read the scope statement carefully and underline every product name. Anything not on that list is out of scope.
- Soft-delete windows. Microsoft 365 audit logs and many cloud resources have 7 to 90 day retention defaults. Plan for it. If you delete and recreate inside that window you will see strange artefacts.
- Diagnostic log cost. Sending audit logs to a Log Analytics workspace is cheap per row but adds up if you forget to set retention. I cap mine at 30 days unless review requires more.
- Clause cherry-picking. Reviewers sometimes quote a single sentence from Microsoft Online Services DPA plus Security Copilot data residency commitments without context. Keep the surrounding paragraph in your reference pack so you can defend the meaning.
How I verify the change actually worked
Verification is where most teams cut corners. I do not. Here is my checklist.
- Re-run the same query from a different machine. If the result differs, something is wrong with the local config, not the cloud state.
- Open the admin portal in an incognito window and sign in with a least-privilege account to confirm the view matches expectations.
- Check the Microsoft Entra audit log for the past 15 minutes. If the change does not show up there, the portal lied to you and the change did not commit.
- Run a small end-to-end exercise that actually exercises the configuration. For agent flows that means a real prompt. For policy alignment that means a Microsoft Purview Compliance Manager score refresh. For MSVC features that means rebuilding a known-good repro and checking the diagnostic output.
- Wait 5 minutes and re-check. Some Microsoft cloud surfaces take that long to propagate.
If it goes wrong, here is how I roll back
Always have a rollback plan. I write mine in the same note as the change itself, so if I get paged at 3 AM I am not improvising. For most Security Copilot customer data and system-generated logs changes the rollback is one of three patterns. Either I re-apply the previous configuration from saved JSON. Or I restore from a soft-deleted resource. Or, if it is a permission change, I revert the role assignment with az role assignment delete. None of these are dramatic. All of them need to be rehearsed before the incident, not during it.
How to apply this in your environment
- Treat this as a starting point. Your tenant is not my tenant. The SKU, region, and licence mix in your subscription will change what is sensible.
- Test in a non-production tenant first. Yes, even if you are confident. I have been surprised enough times to keep doing this.
- Pin your reference pack. Capture the Security Copilot customer data and system-generated logs version number, the Microsoft cloud region, the date, and the question it answers in your evidence folder.
- Cross-check Microsoft Learn one more time on the day you respond. Microsoft sometimes updates the canonical page between when you read it and when you ship the response.
- Schedule a 90-day review. Put it in your team calendar. Security Copilot customer data and system-generated logs changes. Your notes should too.
Caveats and what to double-check
- Microsoft renames features. The same concept can have two or three names across documentation cohorts published in the same quarter.
- Some capabilities described in the docs may still be in preview. Confirm general availability before you rely on the contractual SLA.
- Regional availability varies. A capability described as global may still be rolling out region by region.
- Pricing for the workloads that anchor Security Copilot customer data and system-generated logs changes regularly. This page does not track pricing. Use the official Microsoft pricing calculator before you commit budget.
Related work in your environment
- Document this reference in your team wiki. Note which workloads depend on it today and which are planned.
- Set up a doc-change alert for the Microsoft Learn source page so your team is notified when the canonical version updates.
- Add a quarterly review to your governance cadence. Security Copilot customer data and system-generated logs is not a set-and-forget topic.
FAQ
References
- Microsoft Learn - official documentation for Security Copilot customer data and system-generated logs
- Microsoft Tech Community - peer discussion and operational notes
- Microsoft Service Trust Portal - attestation reports where relevant
- Microsoft release notes - canonical change history for Security Copilot customer data and system-generated logs
Related fixes
Related guides worth a look while you sort this one out:
- Access and export system-generated logs by using the Azure portal
- Privacy and security of generated search queries
- Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets
- How is data retained and what customer controls are available?
- Azure SQL transparent data encryption with customer-managed key
- Customer-managed transparent data encryption - Bring Your Own Key