![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 81%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHB%3C/text%3E%3C/svg%3E)
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,645 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 72%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENP%3C/text%3E%3C/svg%3E)
Hi,
Syntax like
Security!*[System[(EventID!=4624)]]
is correct.
If you already have existing data collection rule edit that rule instead of creating new one. If you create a new one to exclude event ID that is collected via another data collection rule that will not work. Also it depends what kind of configuration you are using for Windows Security events - All, Common or Minimal. If it is Common or Minimal you just need to remove the event ID that you want to exclude in the xPathQuery rather adding value for exclusion. If you use All you will need to add the xPath query to exclude the event.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.