Forum Discussion

Copper Contributor

Jul 27, 2023

Solved

Runtime transformation in Sentinel

I want to exclude windows EventID 4663 and ObjectType =file using runtime transformation. I applied below: | where EventID != 4663 and ObjectType != "File" but it removes all 4663 events rath...

securityxpert1122
Jul 28, 2023
yes, thats exactly I wanted. Thank you so much for your help.

KubaTom

Brass Contributor

Jul 28, 2023

securityxpert1122

You want this

| where not(EventID == 4663 and ObjectType == "File")

securityxpert1122
Copper Contributor
Jul 28, 2023
yes, thats exactly I wanted. Thank you so much for your help.