Share via

how to use data transformation on the SecurityEvent table in Sentinel to drop events

David Broggy 6,111 Reputation points MVP
Aug 23, 2024, 3:29 PM

Hi there,

I'd like to use a data transformation to filter some events entering Sentinel.

The test I'm doing is with the SecurityEvent table.

I added this transformation:

source| where EventID <> 4688

However after waiting an hour I'm still seeing 4688 events in the SecurityEvent table.

Can someone tell me if this works or if I'm doing something wrong?

Thanks!

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,250 questions
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.