@joerodgers
Last active March 9, 2026 15:10
Example of how to use the Microsoft 365 Defender Graph Threat Hunting endpoint to query for Copilot interactions in a tenant.
```powershell
#requires -Modules "Microsoft.Graph.Authentication"

function Invoke-GraphThreatHuntingQuery
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [string]
        $HuntingQuery,

        [Parameter(Mandatory=$true)]
        [DateTime]
        $StartDateTime,

        [Parameter(Mandatory=$true)]
        [DateTime]
        $EndDateTime
    )

    begin
    {
        $uri = "https://graph.microsoft.com/v1.0/security/runHuntingQuery"

        # ISO 8601 interval in UTC. "HH" is the 24-hour clock; "hh" would render midnight as 12:00:00.
        # ToUniversalTime() makes the value match the trailing "Z".
        $timespan = "{0}/{1}" -f $StartDateTime.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ"), $EndDateTime.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    }
    process
    {
        # Request body: the KQL query plus the time window it runs over
        $object = [PSCustomObject] @{
            Query    = $HuntingQuery
            Timespan = $timespan
        }

        $body = $object | ConvertTo-Json -Depth 2 -Compress

        $response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -Headers @{ "Content-Type" = "application/json" } -OutputType PSObject

        # Emit only the result rows
        $response.results
    }
    end
    {
    }
}

# App registration credentials are read from environment variables
$clientId   = $env:CDX_CLIENTID    # requires Microsoft Graph > Application > ThreatHunting.Read.All
$thumbprint = $env:CDX_THUMBPRINT
$tenantId   = $env:CDX_TENANTID

# Query window: the last 30 days
$startDateTime = [DateTime]::Today.AddDays( -30 )
$endDateTime   = [DateTime]::Today

$query = "CloudAppEvents | where ActionType == 'CopilotInteraction' | project Timestamp, AccountObjectId, RawEventData"

# Certificate-based app-only sign-in; stop on failure so no query runs unauthenticated
Connect-MgGraph -ClientId $clientId -CertificateThumbprint $thumbprint -TenantId $tenantId -ErrorAction Stop

$copilotInteractions = Invoke-GraphThreatHuntingQuery -HuntingQuery $query -StartDateTime $startDateTime -EndDateTime $endDateTime

$copilotInteractions | Select-Object Timestamp, AccountObjectId, RawEventData | Export-Csv -Path "CopilotInteractions.csv" -NoTypeInformation
```
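Added example, not part of the original gist: one way to flatten the returned rows into one record per resource Copilot accessed, which is easier to review than the raw `RawEventData` column. The function name `ConvertFrom-CopilotInteraction` is hypothetical, the property names under `CopilotEventData` (`AppHost`, `ThreadId`, `Messages`, `AccessedResources` and its fields) are assumptions based on the Copilot audit record layout, and the sample row is constructed.

```powershell
# Added example: flatten CopilotInteraction rows into one record per accessed resource.
function ConvertFrom-CopilotInteraction
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [object] $InputObject
    )
    process
    {
        # RawEventData may arrive as a JSON string or as an already-parsed object
        $raw = $InputObject.RawEventData
        if( $raw -is [string] ) { $raw = $raw | ConvertFrom-Json }

        # Assumed layout: Copilot details live under CopilotEventData
        $data = $raw.CopilotEventData
        if( $null -eq $data ) { return }   # not a Copilot record, nothing to flatten

        $prompts = @($data.Messages | Where-Object { $_.isPrompt }).Count

        # Interactions that touched no resource still produce one row
        $resources = @($data.AccessedResources | Where-Object { $_ })
        if( $resources.Count -eq 0 ) { $resources = @($null) }

        foreach( $resource in $resources )
        {
            [PSCustomObject] @{
                Timestamp          = $InputObject.Timestamp
                AccountObjectId    = $InputObject.AccountObjectId
                AppHost            = $data.AppHost
                ThreadId           = $data.ThreadId
                PromptCount        = $prompts
                ResourceName       = $resource.Name
                ResourceType       = $resource.Type
                ResourceSiteUrl    = $resource.SiteUrl
                SensitivityLabelId = $resource.SensitivityLabelId
            }
        }
    }
}

# Constructed sample row shaped like one result of the CloudAppEvents query
$sample = [PSCustomObject] @{
    Timestamp       = "2026-01-15T09:30:00Z"
    AccountObjectId = "00000000-0000-0000-0000-000000000001"
    RawEventData    = '{"Operation":"CopilotInteraction","CopilotEventData":{"AppHost":"Word","ThreadId":"thread-0001","Messages":[{"Id":"m1","isPrompt":true},{"Id":"m2","isPrompt":false}],"AccessedResources":[{"Name":"Budget.docx","Type":"docx","SiteUrl":"https://contoso.sharepoint.com/sites/finance/Budget.docx","SensitivityLabelId":"label-0001"}]}}'
}
$sample | ConvertFrom-CopilotInteraction | Format-List
```

With live data, pipe `$copilotInteractions` into the function in place of `$sample`.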