Commit 2365f52

Merge branch 'main' into repo_sync_working_branch
2 parents bc07bbb + 9ff2517 commit 2365f52

38 files changed

Lines changed: 382 additions & 216 deletions

copilot/microsoft-365-copilot-privacy.md

Lines changed: 9 additions & 8 deletions
@@ -3,14 +3,13 @@ title: "Data, Privacy, and Security for Microsoft Copilot for Microsoft 365"
33
ms.author: danbrown
44
author: DHB-MSFT
55
manager: laurawi
6-
audience: ITPro
7-
ms.topic: article
6+
ms.topic: conceptual
87
ms.service: microsoft-365-copilot
98
ms.localizationpriority: medium
10-
ms.collection: Tier1
9+
ms.collection: privacy-microsoft365
1110
description: "Learn how Microsoft Copilot for Microsoft 365 uses data and how it stores and protects that data."
1211
hideEdit: true
13-
ms.date: 12/15/2023
12+
ms.date: 01/16/2024
1413
---
1514

1615
# Data, Privacy, and Security for Microsoft Copilot for Microsoft 365
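Review bot: The `audience: ITPro` line is deleted outright in this front matter, while the other three metadata edits (`ms.topic`, `ms.collection`, `ms.date`) are replacements. If the audience field is being retired for this article, say so in the change description; otherwise restore it. The `ms.collection` change from `Tier1` to `privacy-microsoft365` also drops the tier value rather than adding to it, so confirm the tier tag is no longer wanted.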
@@ -57,7 +56,7 @@ When you enter prompts using Microsoft Copilot for Microsoft 365, the informatio
5756
> [!NOTE]
5857
> When using Microsoft Copilot for Microsoft 365, your organization’s data might leave the Microsoft 365 service boundary under the following circumstances:
5958
>
60-
> - When you allow Microsoft Copilot for Microsoft 365 chat experiences to reference public web content. The query sent to Bing might include your organization’s data. For more information, see [Microsoft Copilot for Microsoft 365 and public web content](#microsoft-copilot-for-microsoft-365-and-public-web-content).
59+
> - When you allow Microsoft Copilot with Graph-grounded chat to reference public web content. The query sent to Bing might include your organization’s data. For more information, see [Microsoft Copilot for Microsoft 365 and public web content](#microsoft-copilot-for-microsoft-365-and-public-web-content).
6160
> - When you’re using plugins to help Microsoft Copilot for Microsoft 365 to provide more relevant information. Check the privacy statement and terms of use of the plugin to determine how it will handle your organization’s data. For information, see [Extensibility of Microsoft Copilot for Microsoft 365](#extensibility-of-microsoft-copilot-for-microsoft-365).
6261
6362
Abuse monitoring for Microsoft Copilot for Microsoft 365 occurs in real-time, without providing Microsoft any standing access to customer data, either for human or for automated review. While abuse moderation, which includes human review of content, is available in Azure OpenAI, Microsoft Copilot for Microsoft 365 services have opted out of it. Microsoft 365 data isn’t collected or stored by Azure OpenAI.
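Review bot: The first bullet of the NOTE now names "Microsoft Copilot with Graph-grounded chat" as the experience whose Bing query might include organizational data, but nothing in the visible lines defines that name, and the second bullet and the link text still say "Microsoft Copilot for Microsoft 365". This NOTE is where readers learn when data can leave the Microsoft 365 service boundary, so state which experiences the new name covers (or link its first use to a definition). Otherwise the rename can read as a narrower scope than the previous "chat experiences" wording.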
@@ -67,7 +66,7 @@ Abuse monitoring for Microsoft Copilot for Microsoft 365 occurs in real-time, wi
6766
6867
## Data stored about user interactions with Microsoft Copilot for Microsoft 365
6968

70-
When a user interacts with Microsoft Copilot for Microsoft 365 apps (such as Word, PowerPoint, Excel, OneNote, Loop, or Whiteboard), we store data about these interactions. The stored data includes the user's prompt, how Copilot responded, and information used to ground Copilot's response. For example, this stored data provides users with Copilot interaction history in [Microsoft 365 Chat](https://support.microsoft.com/topic/5b00a52d-7296-48ee-b938-b95b7209f737) and [meetings in Microsoft Teams](https://support.microsoft.com/office/0bf9dd3c-96f7-44e2-8bb8-790bedf066b1). This data is processed and stored in alignment with contractual commitments with your organization’s other content in Microsoft 365. The data is encrypted while it's stored and isn't used to train foundation LLMs, including those used by Microsoft Copilot for Microsoft 365.
69+
When a user interacts with Microsoft Copilot for Microsoft 365 apps (such as Word, PowerPoint, Excel, OneNote, Loop, or Whiteboard), we store data about these interactions. The stored data includes the user's prompt, how Copilot responded, and information used to ground Copilot's response. For example, this stored data provides users with Copilot interaction history in [Microsoft Copilot with Graph-grounded chat](https://support.microsoft.com/topic/5b00a52d-7296-48ee-b938-b95b7209f737) and [meetings in Microsoft Teams](https://support.microsoft.com/office/0bf9dd3c-96f7-44e2-8bb8-790bedf066b1). This data is processed and stored in alignment with contractual commitments with your organization’s other content in Microsoft 365. The data is encrypted while it's stored and isn't used to train foundation LLMs, including those used by Microsoft Copilot for Microsoft 365.
7170

7271
To view and manage this stored data, admins can use Content search or Microsoft Purview. Admins can also use Microsoft Purview to set retention policies for the data related to chat interactions with Copilot. For more information, see the following articles:
7372

@@ -89,11 +88,13 @@ For European Union (EU) users, we have additional safeguards to comply with the
8988

9089
## Microsoft Copilot for Microsoft 365 and data residency
9190

92-
Customers with [Advanced Data Residency (ADR) in Microsoft 365](/microsoft-365/enterprise/advanced-data-residency) or [Microsoft 365 Multi-Geo](/microsoft-365/enterprise/microsoft-365-multi-geo) can purchase and enable Microsoft Copilot for Microsoft 365. At this time, Microsoft doesn't provide data residency commitments for Microsoft Copilot for Microsoft 365, beyond EU Data Boundary. When customers store data generated by Copilot in Microsoft 365 products that have data residency commitments under the Product Terms, the applicable commitments will be upheld.
91+
Copilot for Microsoft 365 is upholding data residency commitments as outlined in the Microsoft Product Terms and Data Protection Addendum. Copilot will be added as a covered workload in the data residency commitments in Microsoft Product Terms later in 2024.
92+
93+
Microsoft [Advanced Data Residency (ADR)](/microsoft-365/enterprise/advanced-data-residency) and [Multi-Geo Capabilities](/microsoft-365/enterprise/microsoft-365-multi-geo) offerings will include data residency commitments for Copilot for Microsoft 365 customers later in 2024. For EU customers, Copilot for Microsoft 365 is an EU Data Boundary service. Customers outside the EU may have their queries processed in the US, EU, or other regions.
9394

9495
## Microsoft Copilot for Microsoft 365 and public web content
9596

96-
Microsoft Copilot Graph-grounding chat experiences can reference public web content from the Bing search index to ground user prompts and responses. Based on the user’s prompt, Copilot for Microsoft 365 determines whether it needs to use Bing to query public web content to help provide a relevant response to the user. There are [controls available to manage the use of public web content](#controls-available-to-manage-the-use-of-public-web-content) for both admins and users.
97+
Microsoft Copilot with Graph-grounded chat can reference public web content from the Bing search index to ground user prompts and responses. Based on the user’s prompt, Copilot for Microsoft 365 determines whether it needs to use Bing to query public web content to help provide a relevant response to the user. There are [controls available to manage the use of public web content](#controls-available-to-manage-the-use-of-public-web-content) for both admins and users.
9798

9899
> [!NOTE]
99100
> Public web content grounding in Copilot uses only the Bing Search service. Copilot with commercial data protection (previously named Bing Chat Enterprise) is a separate offering and not involved with public web content grounding.
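Review bot: The new first paragraph under "Microsoft Copilot for Microsoft 365 and data residency" says Copilot "is upholding data residency commitments" and, in the next sentence, that it "will be added as a covered workload" later in 2024, which leaves the present-day position unclear. The deleted text stated it directly ("At this time, Microsoft doesn't provide data residency commitments for Microsoft Copilot for Microsoft 365, beyond EU Data Boundary") and also said that commitments are upheld when Copilot-generated data is stored in products that have them; neither statement survives. Keep an explicit sentence on what is and is not committed today, and place "Customers outside the EU may have their queries processed in the US, EU, or other regions" next to it, since that is the line an admin needs for a data-transfer assessment. "Later in 2024" appears twice and will age; give a firmer date or a link that will be updated.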

microsoft-365/security/defender/advanced-hunting-aadsignineventsbeta-table.md

Lines changed: 2 additions & 2 deletions
@@ -20,7 +20,7 @@ ms.collection:
2020
- m365-security
2121
- tier3
2222
ms.topic: reference
23-
ms.date: 02/16/2021
23+
ms.date: 01/16/2024
2424
---
2525

2626
# AADSignInEventsBeta
@@ -61,7 +61,7 @@ Use this reference to construct queries that return information from the table.
6161
|`ResourceTenantId`|`string`|Unique identifier of the tenant of the resource accessed|
6262
|`DeviceName`|`string`|Fully qualified domain name (FQDN) of the device|
6363
|`AadDeviceId`|`string`|Unique identifier for the device in Microsoft Entra ID|
64-
|`OSPlatform`|`string`|Platform of the operating system running on the machine. Indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, and Windows 7.|
64+
|`OSPlatform`|`string`|Platform of the operating system running on the device. Indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, and Windows 7.|
6565
|`DeviceTrustType`|`string`|Indicates the trust type of the device that signed in. For managed device scenarios only. Possible values are Workplace, AzureAd, and ServerAd.|
6666
|`IsManaged`|`int`|Indicates whether the device that initiated the sign-in is a managed device (1) or not a managed device (0)|
6767
|`IsCompliant`|`int`|Indicates whether the device that initiated the sign-in is compliant (1) or non-compliant (0)|

microsoft-365/security/defender/advanced-hunting-aadspnsignineventsbeta-table.md

Lines changed: 2 additions & 3 deletions
@@ -19,7 +19,7 @@ ms.collection:
1919
- m365-security
2020
- tier3
2121
ms.topic: reference
22-
ms.date: 02/16/2021
22+
ms.date: 01/16/2024
2323
---
2424

2525
# AADSpnSignInEventsBeta
@@ -41,7 +41,7 @@ For information on other tables in the advanced hunting schema, see [the advance
4141
****
4242

4343
|Column name|Data type|Description|
44-
|---|---|---|
44+
|-----------|---------|-----------|
4545
|`Timestamp`|`datetime`|Date and time when the record was generated|
4646
|`Application`|`string`|Application that performed the recorded action|
4747
|`ApplicationId`|`string`|Unique identifier for the application|
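Review bot: The context line `****` directly above the table header is left in place while the separator row under the header is being reformatted. It reads as leftover markup rather than content, in the same way as the empty `||||` row that the last hunk of this file deletes; remove it here so the table starts cleanly at `|Column name|Data type|Description|`.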
@@ -61,7 +61,6 @@ For information on other tables in the advanced hunting schema, see [the advance
6161
|`Longitude`|`string`|The east to west coordinates of the sign-in location|
6262
|`RequestId`|`string`|Unique identifier of the request|
6363
|`ReportId`|`string`|Unique identifier for the event|
64-
||||
6564

6665
## Related articles
6766

microsoft-365/security/defender/advanced-hunting-alertevidence-table.md

Lines changed: 3 additions & 3 deletions
@@ -20,7 +20,7 @@ ms.collection:
2020
- m365-security
2121
- tier3
2222
ms.topic: reference
23-
ms.date: 02/16/2021
23+
ms.date: 01/16/2024
2424
---
2525

2626
# AlertEvidence
@@ -61,7 +61,7 @@ For information on other tables in the advanced hunting schema, [see the advance
6161
| `AccountObjectId` | `string` | Unique identifier for the account in Microsoft Entra ID |
6262
| `AccountUpn` | `string` | User principal name (UPN) of the account |
6363
| `DeviceId` | `string` | Unique identifier for the device in the service |
64-
| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the machine |
64+
| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device |
6565
| `LocalIP` | `string` | IP address assigned to the local device used during communication |
6666
| `NetworkMessageId` | `string` | Unique identifier for the email, generated by Office 365 |
6767
| `EmailSubject` | `string` | Subject of the email |
@@ -72,7 +72,7 @@ For information on other tables in the advanced hunting schema, [see the advance
7272
| `RegistryKey` |`string` | Registry key that the recorded action was applied to |
7373
| `RegistryValueName` |`string` | Name of the registry value that the recorded action was applied to |
7474
| `RegistryValueData` |`string` | Data of the registry value that the recorded action was applied to |
75-
| `AdditionalFields` | `string` | Additional information about the event in JSON array format |
75+
| `AdditionalFields` | `string` | Additional information about the entity or event |
7676
| `Severity` | `string` | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
7777
| `CloudResource` | `string` | Cloud resource name |
7878
| `CloudPlatform` | `string` | The cloud platform that the resource belongs to, can be Azure, Amazon Web Services, or Google Cloud Platform |
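Review bot: The new `AdditionalFields` description ("Additional information about the entity or event") drops the format statement the old line carried ("in JSON array format"). Anyone writing a hunting query against this column needs to know how to parse it, and the `DeviceEvents` reference in this same commit still describes its `AdditionalFields` as "in JSON array format". Either keep a format statement here that matches what the column actually holds, or align the wording of the two tables.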

microsoft-365/security/defender/advanced-hunting-alertinfo-table.md

Lines changed: 1 addition & 1 deletion
@@ -20,7 +20,7 @@ ms.collection:
2020
- m365-security
2121
- tier3
2222
ms.topic: reference
23-
ms.date: 02/16/2021
23+
ms.date: 12/29/2023
2424
---
2525

2626
# AlertInfo
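Review bot: `ms.date` moves from 02/16/2021 to 12/29/2023 and it is the only line changed in this file (1 addition, 1 deletion). If the date records a content review rather than an edit, note that in the change description; otherwise leave it until the article text changes, so the date stays a usable signal of when the schema description was last verified.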

microsoft-365/security/defender/advanced-hunting-behaviorentities-table.md

Lines changed: 1 addition & 1 deletion
@@ -20,7 +20,7 @@ ms.collection:
2020
- m365-security
2121
- tier3
2222
ms.topic: reference
23-
ms.date: 02/16/2021
23+
ms.date: 12/29/2023
2424
---
2525

2626
# BehaviorEntities

microsoft-365/security/defender/advanced-hunting-behaviorinfo-table.md

Lines changed: 1 addition & 1 deletion
@@ -20,7 +20,7 @@ ms.collection:
2020
- m365-security
2121
- tier3
2222
ms.topic: reference
23-
ms.date: 02/16/2021
23+
ms.date: 12/29/2023
2424
---
2525

2626
# BehaviorInfo

microsoft-365/security/defender/advanced-hunting-cloudappevents-table.md

Lines changed: 1 addition & 1 deletion
@@ -20,7 +20,7 @@ ms.collection:
2020
- m365-security
2121
- tier3
2222
ms.topic: reference
23-
ms.date: 10/16/2023
23+
ms.date: 12/29/2023
2424
---
2525

2626
# CloudAppEvents

microsoft-365/security/defender/advanced-hunting-deviceevents-table.md

Lines changed: 7 additions & 7 deletions
@@ -20,7 +20,7 @@ ms.collection:
2020
- m365-security
2121
- tier3
2222
ms.topic: reference
23-
ms.date: 02/16/2021
23+
ms.date: 01/16/2024
2424
---
2525

2626
# DeviceEvents
@@ -44,7 +44,7 @@ For information on other tables in the advanced hunting schema, [see the advance
4444
| `Timestamp` | `datetime` | Date and time when the event was recorded |
4545
| `DeviceId` | `string` | Unique identifier for the device in the service |
4646
| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device |
47-
| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details |
47+
| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details. |
4848
| `FileName` | `string` | Name of the file that the recorded action was applied to |
4949
| `FolderPath` | `string` | Folder containing the file that the recorded action was applied to |
5050
| `SHA1` | `string` | SHA-1 of the file that the recorded action was applied to |
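Review bot: The `ActionType` row is touched only to add a closing period, but its link target still reads `advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center`, with a stray `?` before the fragment. Drop the `?` while the line is open. The added period also leaves this row inconsistent with the neighbouring context rows (`DeviceName`, `FileName`), which end without one; pick one convention for the table.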
@@ -55,19 +55,19 @@ For information on other tables in the advanced hunting schema, [see the advance
5555
| `AccountName` | `string` | User name of the account |
5656
| `AccountSid` | `string` | Security Identifier (SID) of the account |
5757
| `RemoteUrl` | `string` | URL or fully qualified domain name (FQDN) that was being connected to |
58-
| `RemoteDeviceName` | `string` | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
58+
| `RemoteDeviceName` | `string` | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. |
5959
| `ProcessId` | `long` | Process ID (PID) of the newly created process |
6060
| `ProcessCommandLine` | `string` | Command line used to create the new process |
6161
| `ProcessCreationTime` | `datetime` | Date and time the process was created |
6262
| `ProcessTokenElevation` | `string` | Indicates the type of token elevation applied to the newly created process. Possible values: TokenElevationTypeLimited (restricted), TokenElevationTypeDefault (standard), and TokenElevationTypeFull (elevated) |
63-
| `LogonId` | `string` | Identifier for a logon session. This identifier is unique on the same device only between restarts |
63+
| `LogonId` | `long` | Identifier for a logon session. This identifier is unique on the same device only between restarts. |
6464
| `RegistryKey` | `string` | Registry key that the recorded action was applied to |
6565
| `RegistryValueName` | `string` | Name of the registry value that the recorded action was applied to |
6666
| `RegistryValueData` | `string` | Data of the registry value that the recorded action was applied to |
6767
| `RemoteIP` | `string` | IP address that was being connected to |
6868
| `RemotePort` | `int` | TCP port on the remote device that was being connected to |
69-
| `LocalIP` | `string` | IP address assigned to the local machine used during communication |
70-
| `LocalPort` | `int` | TCP port on the local machine used during communication |
69+
| `LocalIP` | `string` | IP address assigned to the local device used during communication |
70+
| `LocalPort` | `int` | TCP port on the local device used during communication |
7171
| `FileOriginUrl` | `string` | URL where the file was downloaded from |
7272
| `FileOriginIP` | `string` | IP address where the file was downloaded from |
7373
| `InitiatingProcessSHA1` | `string` | SHA-1 of the process (image file) that initiated the event |
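Review bot: The `LogonId` row changes the data type from `string` to `long`, not just the punctuation, and that is the one edit in this hunk that affects queries: comparisons and joins on `LogonId` behave differently depending on the type. Confirm it against the live schema and call the type change out in the change description. It does bring the row in line with `InitiatingProcessLogonId`, which this file documents as `long`. The `LocalIP` and `LocalPort` rewording from "machine" to "device" is fine.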
@@ -93,7 +93,7 @@ For information on other tables in the advanced hunting schema, [see the advance
9393
| `InitiatingProcessParentId` | `long` | Process ID (PID) of the parent process that spawned the process responsible for the event |
9494
| `InitiatingProcessParentFileName` | `string` | Name or full path of the parent process that spawned the process responsible for the event |
9595
| `InitiatingProcessParentCreationTime` | `datetime` | Date and time when the parent of the process responsible for the event was started |
96-
| `InitiatingProcessLogonId` | `long` | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts |
96+
| `InitiatingProcessLogonId` | `long` | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts. |
9797
| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
9898
| `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity |
9999
| `AdditionalFields` | `string` | Additional information about the event in JSON array format |

microsoft-365/security/defender/advanced-hunting-devicefilecertificateinfo-table.md

Lines changed: 3 additions & 3 deletions
@@ -20,7 +20,7 @@ ms.collection:
2020
- m365-security
2121
- tier3
2222
ms.topic: reference
23-
ms.date: 02/16/2021
23+
ms.date: 01/16/2024
2424
---
2525

2626
# DeviceFileCertificateInfo
@@ -42,7 +42,7 @@ For information on other tables in the advanced hunting schema, [see the advance
4242
| `DeviceId` | `string` | Unique identifier for the device in the service |
4343
| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device |
4444
| `SHA1` | `string` | SHA-1 of the file that the recorded action was applied to |
45-
| `IsSigned` | `boolean` | Indicates whether the file is signed |
45+
| `IsSigned` | `bool` | Indicates whether the file is signed |
4646
| `SignatureType` | `string` | Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file |
4747
| `Signer` | `string` | Information about the signer of the file |
4848
| `SignerHash` | `string` | Unique hash value identifying the signer |
@@ -53,7 +53,7 @@ For information on other tables in the advanced hunting schema, [see the advance
5353
| `CertificateCreationTime` | `datetime` | Date and time the certificate was created |
5454
| `CertificateExpirationTime` | `datetime` | Date and time the certificate is set to expire |
5555
| `CertificateCountersignatureTime` | `datetime` | Date and time the certificate was countersigned |
56-
| `IsTrusted` | `boolean` | Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes |
56+
| `IsTrusted` | `bool` | Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes |
5757
| `IsRootSignerMicrosoft` | `boolean` | Indicates whether the signer of the root certificate is Microsoft and if the file is included in Windows operating system |
5858
| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
5959

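Review bot: `IsTrusted` is changed from `boolean` to `bool`, but `IsRootSignerMicrosoft` on the next line is left as `boolean`, so the table now uses two names for the same type. Change that row to `bool` as well, matching `IsSigned` in the previous hunk.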