M365 Copilot Chat Safe Link Monitoring
Query
// M365 Copilot Chat SafeLink Monitoring
// https://admin.microsoft.com/AdminPortal/home?#/MessageCenter/:/messages/MC1013453
let M365CopilotChatURL =
CloudAppEvents
| where Timestamp > ago(1h)
| where ActionType == @"CopilotInteraction"
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
| extend CopilotAccessResources = (CopilotData.AccessedResources)
| extend CopilotAppHost = tostring(CopilotData.AppHost)
| extend CopilotContexts = tostring(CopilotData.Contexts)
| extend CopilotType = tostring(CopilotData.Type)
| extend CopilotMessageIds = tostring(CopilotData.MessageIds)
| extend CopilotThreadId = tostring(CopilotData.ThreadId)
| mv-expand CopilotAccessResources
| where CopilotAppHost == "Bing" and isnotempty(CopilotAccessResources.SiteUrl)
| project CopilotAccessResources.SiteUrl;
UrlClickEvents
| where Timestamp > ago(1h)
| where ActionType == "ClickBlocked"
| where Url has_any(M365CopilotChatURL)Explanation
This query is designed to monitor and analyze interactions with the Microsoft 365 Copilot feature, specifically focusing on SafeLink monitoring within the past hour. Here's a simplified breakdown:
-
Data Source: The query pulls data from two sources:
CloudAppEventsandUrlClickEvents. -
Time Frame: It looks at events that occurred within the last hour.
-
Copilot Interactions:
- It filters for events where the action type is "CopilotInteraction".
- It extracts and processes various pieces of data related to the Copilot interaction, such as user ID, accessed resources, app host, contexts, type, message IDs, and thread ID.
- It specifically focuses on interactions where the Copilot app host is "Bing" and there is a non-empty site URL in the accessed resources.
-
URL Monitoring:
- It collects the URLs accessed by Copilot interactions that meet the above criteria.
- It then checks the
UrlClickEventsfor any "ClickBlocked" actions, indicating that a URL click was blocked. - It matches these blocked URL clicks against the list of URLs accessed by Copilot interactions.
In essence, the query is used to identify and monitor any URLs accessed by Microsoft 365 Copilot interactions that were subsequently blocked by SafeLink within the last hour.
Details

Steven Lim
Released: February 22, 2025
Tables
CloudAppEventsUrlClickEvents
Keywords
CloudAppEventsUrlClickEventsTimestampActionTypeUserIDCopilotDataCopilotAccessResourcesCopilotAppHostCopilotContextsCopilotTypeCopilotMessageIdsCopilotThreadIdSiteUrl
Operators
let|where>ago()==extend=tostring()todynamic()mv-expandandisnotempty()projecthas_any()