The article discusses the challenges of investigating AI-related activities within Microsoft 365 Copilot and Azure AI services. It highlights the need for a structured approach to understanding and reconstructing those activities from the telemetry data that AI interactions generate. A newly published investigator playbook offers a systematic methodology built on a sequence of scoping, contextualizing, and evaluating signals.
This structured approach enables teams to identify who interacted with AI systems, which resources were accessed, and whether the activity was normal, a violation, or an indicator of compromise. The playbook streamlines the investigation process by providing essential tools such as configuration details, detection patterns, and queries, thus enhancing incident response capabilities as AI increasingly integrates into business workflows.