KQL - Sales Co-Pilot


Hi all,

I have a KQL query which detects users conducting administrative activity in Dynamics 365 where they have not had admin rights before. The issue is that within Outlook we have the Sales Co-Pilot add-on button for Dynamics 365 CRM, which, when users click/sign in, triggers this alert, creating noise.

Normally I would add an exclusion, but I'm unsure how to link this query with the Sales Co-Pilot add-on button to prevent triggers.

We obviously still want to be alerted for new users/admin CRM Dynamics 365 activity but not when the add-on is clicked.

Is this possible? Hope I explained it well.

Please see the KQL query:

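let baseline_time = 14d;   // look-back window used to learn which users already act as admin
let detection_time = 1h;   // most recent window, checked for admins not seen in the baseline
// Left side: users with admin-type activity during the baseline window
Dynamics365Activity
| where TimeGenerated between(ago(baseline_time)..ago(detection_time))
| where UserType =~ 'admin' and UserId != "email address removed for privacy reasons"
// This extend has no effect on the output: the summarize below keeps only UserId
| extend Message = tostring(split(OriginalObjectId, ' ')[0])
| summarize by UserId
// rightanti keeps only right-side rows whose UserId has no match in the baseline
| join kind=rightanti
(Dynamics365Activity
| where TimeGenerated > ago(detection_time)
| where UserType =~ 'admin' and UserId != "email address removed for privacy reasons")
on UserId
// One row per newly seen admin user, with the context needed for triage
| summarize Actions = make_set(Message), MostRecentAction = max(TimeGenerated), IPs=make_set(ClientIP), UserAgents = make_set(UserAgent) by UserId
| extend timestamp = MostRecentAction, AccountCustomEntity = UserId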


Thanks

0 Replies
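
One way to scope the exclusion, as an added example that is not part of the original post: filter out the add-on's events rather than its users, in both the baseline and the detection window, so a user whose only earlier admin-type events came from the add-on still alerts on genuine admin activity. It assumes the add-on's events can be told apart by `UserAgent`; `addin_marker` and its value are placeholders to be replaced with whatever your own logs show.

```kql
// Added example, not the poster's query. Assumption: events raised by the
// Outlook add-on carry a recognisable UserAgent. Replace the placeholder
// with the value seen in your workspace. To find it, run this over a known
// noisy user first:
//   Dynamics365Activity
//   | where UserType =~ 'admin' and UserId == "<noisy-user>"
//   | summarize Events = count() by UserAgent, Message
let baseline_time = 14d;
let detection_time = 1h;
let addin_marker = "<SALES-COPILOT-USER-AGENT-MARKER>";  // placeholder
// Admin-type activity with add-on events removed. The filter is per event,
// not per user, so real admin actions by an add-on user are still counted.
let AdminActivity = Dynamics365Activity
    | where UserType =~ 'admin' and UserId != "email address removed for privacy reasons"
    | where UserAgent !contains addin_marker;
// Baseline: users with admin-type activity that did not come from the add-on.
// Filtering here too keeps add-on clicks from placing a user in the baseline
// and hiding that user's first genuine admin activity later.
AdminActivity
| where TimeGenerated between (ago(baseline_time) .. ago(detection_time))
| summarize by UserId
// Detection window: admin-type activity from users absent from the baseline
| join kind=rightanti (
    AdminActivity
    | where TimeGenerated > ago(detection_time)
  ) on UserId
| summarize Actions = make_set(Message), MostRecentAction = max(TimeGenerated),
            IPs = make_set(ClientIP), UserAgents = make_set(UserAgent) by UserId
| extend timestamp = MostRecentAction, AccountCustomEntity = UserId
```

If `UserAgent` does not separate the add-on's events in your data, apply the same per-event filter to whichever field the discovery query shows does.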