Visualization Copilot Models Used

# Copilot Models Used ## Query Information #### Description This query renders a Piechart based on the models used by Copilot interactions in your environment. ## Defender XDR ```KQL CloudAppEvents | where ActionType =~ "CopilotInteraction" | extend WorkLoad = tostring(parse_json(RawEventData).Workload) | where WorkLoad =~ "Copilot" | extend CopilotModel = tostring(parse_json(RawEventData).CopilotEventData.ModelTransparencyDetails[0].ModelName) | summarize Total = count() by CopilotModel | render piechart ``` ## Sentinel ```KQL CloudAppEvents | where ActionType =~ "CopilotInteraction" | extend WorkLoad = tostring(parse_json(RawEventData).Workload) | where WorkLoad =~ "Copilot" | extend CopilotModel = tostring(parse_json(RawEventData).CopilotEventData.ModelTransparencyDetails[0].ModelName) | summarize Total = count() by CopilotModel | render piechart ```

Explanation

This query is designed to create a pie chart that visualizes the different models used by Copilot interactions within your environment. Here's a simple breakdown of what the query does:

Data Source: It starts by looking at events in the CloudAppEvents table.
Filter Events: It filters these events to only include those where the action type is "CopilotInteraction," meaning it focuses on interactions involving Copilot.
Extract Workload: It extracts the workload information from the event data to ensure it specifically relates to "Copilot."
Identify Copilot Model: It further extracts the model name used in these interactions from the event data.
Count Models: It counts how many times each Copilot model is used.
Visualize Data: Finally, it renders this information as a pie chart, showing the distribution of different Copilot models used in the interactions.

Both the Defender XDR and Sentinel queries perform the same operations to achieve this visualization.

KQL Search

Visualization Copilot Models Used

Query

Explanation

Details

Actions