Connect with experts and redefine what’s possible at work – join us at the Microsoft 365 Community Conference May 6-8. Learn more >

Forum Discussion

securityxpert1122

Copper Contributor

Jul 27, 2023

Solved

Runtime transformation in Sentinel

I want to exclude windows EventID 4663 and ObjectType =file using runtime transformation. I applied below:

| where EventID != 4663 and ObjectType != "File"

but it removes all 4663 events rather removing based on objecttype which I made combination with eventid. please help. Thanks

securityxpert1122
Jul 28, 2023
yes, thats exactly I wanted. Thank you so much for your help.

KubaTom
Brass Contributor
Jul 28, 2023
securityxpert1122

You want this

| where not(EventID == 4663 and ObjectType == "File")
- securityxpert1122
  Copper Contributor
  Jul 28, 2023
  yes, thats exactly I wanted. Thank you so much for your help.

Share

Resources