how to use data transformation on the SecurityEvent table in Sentinel to drop events

David Broggy 6,111 MVP

Aug 23, 2024, 3:29 PM

Hi there,

I'd like to use a data transformation to filter some events entering Sentinel.

The test I'm doing is with the SecurityEvent table.

I added this transformation:

source| where EventID <> 4688

However after waiting an hour I'm still seeing 4688 events in the SecurityEvent table.

Can someone tell me if this works or if I'm doing something wrong?

Thanks!

David Broggy 6,111 Reputation points MVP

Aug 27, 2024, 7:08 PM

Hey @Clive Watson any insight on this?
Givary-MSFT 35,486 Reputation points Microsoft Employee

Aug 28, 2024, 8:35 AM

@David Broggy Thank you for reaching out to us, refer to last example mentioned in this table see if it helps to achieve your ask of filtering event 4688 from entering Sentinel.

Let me know if you have any questions, feel free to post back.
Sándor Tőkési 251 Reputation points

Dec 8, 2024, 12:46 PM

@David Broggy if you want to drop the logs via a transformKQL I would heavily recommend type casting the values - I encountered lots of errors and unwanted behaviors without type casting.

So, it could be

source | where tostring(EventID) != '4688'

Your answer