1,299 questions
how to use data transformation on the SecurityEvent table in Sentinel to drop events
David Broggy
6,291
Reputation points MVP
Volunteer Moderator
Hi there,
I'd like to use a data transformation to filter some events entering Sentinel.
The test I'm doing is with the SecurityEvent table.
I added this transformation:
source| where EventID <> 4688
However after waiting an hour I'm still seeing 4688 events in the SecurityEvent table.
Can someone tell me if this works or if I'm doing something wrong?
Thanks!
Microsoft Security Microsoft Sentinel
{count} votes
-
David Broggy 6,291 Reputation points MVP Volunteer Moderator
2024-08-27T19:08:37.32+00:00 Hey @Clive Watson any insight on this?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator2024-08-28T08:35:09.6733333+00:00 @David Broggy Thank you for reaching out to us, refer to last example mentioned in this table see if it helps to achieve your ask of filtering event 4688 from entering Sentinel.
Let me know if you have any questions, feel free to post back.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 94%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESN%3C/text%3E%3C/svg%3E)
Sándor Tőkési 271 Reputation points2024-12-08T12:46:50.1966667+00:00 @David Broggy if you want to drop the logs via a transformKQL I would heavily recommend type casting the values - I encountered lots of errors and unwanted behaviors without type casting.
So, it could be
source | where tostring(EventID) != '4688'
Sign in to comment
Sign in to answer