KQL - Sales Co-Pilot

Hi all,


I have a KQL query which detects users conducting administrative activity in Dynamics 365 where they have not had admin rights before. The issue is that within Outlook we have the Sales Co-Pilot add-on button for Dynamics 365 CRM which, when users click/sign in, triggers this alert, creating noise.


Normally I would add an exclusion, but I'm unsure how to link this query with the Sales Co-Pilot add-on button to prevent triggers.


We obviously still want to be alerted for new users/admin CRM Dynamics 365 activity but not when the add-on is clicked.


Is this possible? Hope I explained it well.


Please see the KQL query:



let baseline_time = 14d;
let detection_time = 1h;
| where TimeGenerated between(ago(baseline_time)..ago(detection_time))
| where UserType =~ 'admin' and UserId != "email address removed for privacy reasons"
| extend Message = tostring(split(OriginalObjectId, ' ')[0])
| summarize by UserId
| join kind=rightanti
| where TimeGenerated > ago(detection_time)
| where UserType =~ 'admin' and UserId != "email address removed for privacy reasons")
on UserId
| summarize Actions = make_set(Message), MostRecentAction = max(TimeGenerated), IPs=make_set(ClientIP), UserAgents = make_set(UserAgent) by UserId
| extend timestamp = MostRecentAction, AccountCustomEntity = UserId
