Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,123 questions
how to use data transformation on the SecurityEvent table in Sentinel to drop events
David Broggy
5,716
Reputation points MVP
Hi there,
I'd like to use a data transformation to filter some events entering Sentinel.
The test I'm doing is with the SecurityEvent table.
I added this transformation:
source| where EventID <> 4688
However after waiting an hour I'm still seeing 4688 events in the SecurityEvent table.
Can someone tell me if this works or if I'm doing something wrong?
Thanks!
{count} votes
-
David Broggy 5,716 Reputation points MVP
2024-08-27T19:08:37.32+00:00 Hey @Clive Watson any insight on this?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Givary-MSFT 32,311 Reputation points Microsoft Employee2024-08-28T08:35:09.6733333+00:00 @David Broggy Thank you for reaching out to us, refer to last example mentioned in this table see if it helps to achieve your ask of filtering event 4688 from entering Sentinel.
Let me know if you have any questions, feel free to post back.
Sign in to comment
Sign in to answer