Forum Discussion
securityxpert1122
Aug 30, 2023 | Copper Contributor
AMA agent DCR log filtering
Hi, I have previously created KQL queries for ingestion-time transformation and was filtering out certain event IDs and a few other logs (e.g. | where not(EventID == 4799 and CallerProcessName contai...
BillClarksonAntill
Sep 04, 2023 | Iron Contributor
To filter down logs there are 2 places you could do it here: within the Sentinel Data Connector "Windows Events for AMA" or Table Transformations.
To filter down logs, add in only the Windows events you want to see, then apply the relevant KQL queries at the Table Transformations level. Keep in mind, table transformations can take up to 1 hr to apply to your Sentinel instance.
If these steps have been applied, any chance you can share more information?
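The filter the thread is describing, written out as an added example (this is not code from either poster): an ingestion-time transformation for the SecurityEvent table that drops a noisy EventID/process combination and a couple of other event IDs. In a DCR this query is the `transformKql` value on a `dataFlows` entry whose stream is `Microsoft-SecurityEvent`, and it must start with `source`. The event IDs 4688 and 5156 and the process-name placeholder are assumptions chosen for illustration, not values from the original post.

```kql
// Added example, not from the thread. Ingestion-time transformation for the
// SecurityEvent table; `source` is the incoming stream and is mandatory here.
source
// Drop the noisy combination from the OP's question; the process-name fragment
// is a placeholder, substitute the one you actually want to suppress.
| where not(EventID == 4799 and CallerProcessName contains "<noisy-process-name>")
// Assumed example: drop process creation (4688) and filtering-platform
// connection (5156) events that a downstream rule does not need.
| where EventID !in (4688, 5156)
```

Rows removed by `where` in a transformation are never written to the table, so there is nothing to hunt on later if the filter is too broad; test the same predicate as a normal query against existing SecurityEvent data first to see exactly what would disappear. Only the operators supported in transformations (such as `where`, `extend`, `project`, `project-away`) can be used, and as the reply above notes, a changed transformation can take up to an hour before it affects incoming data.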