I have a KQL query which detects users conducting administrative activity in Dynamics 365 where they have not had admin rights before. The issue is that within Outlook we have the Sale Co-Pilot Add-on button for Dynamics 365 CRM which, when users click/sign in, triggers this alert, creating noise.
Normally I would add an exclusion, but I'm unsure how to link this query with the Sale Co-Pilot Add-on button to prevent triggers.
We obviously still want to be alerted for new users/admin CRM Dynamics 365 activity but not when the add-on is clicked.
Is this possible? Hope I explained it well.
Please see the KQL query:
let baseline_time = 14d;
let detection_time = 1h;
| where TimeGenerated between(ago(baseline_time)..ago(detection_time))
| where UserType =~ 'admin' and UserId != "email address removed for privacy reasons"