cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Runtime transformation in Sentinel

securityxpert1122
Copper Contributor

‎Jul 27 2023 10:10 AM

‎Jul 27 2023 10:10 AM

Runtime transformation in Sentinel

I want to exclude windows EventID 4663 and ObjectType =file using runtime transformation. I applied below:

 

| where EventID != 4663 and ObjectType != "File"

 

but it removes all 4663 events rather removing based on objecttype which I made combination with eventid. please help. Thanks 

Labels:
483 Views
0 Likes
2 Replies
Reply
2 Replies
KubaTom

‎Jul 28 2023 03:53 AM

‎Jul 28 2023 03:53 AM

Re: Runtime transformation in Sentinel

@securityxpert1122 

 

You want this 

 

| where not(EventID == 4663 and ObjectType == "File")

0 Likes
Reply
best response confirmed by securityxpert1122 (Copper Contributor)
securityxpert1122

‎Jul 28 2023 06:01 AM - edited ‎Jul 28 2023 06:02 AM

‎Jul 28 2023 06:01 AM - edited ‎Jul 28 2023 06:02 AM

Solution

Re: Runtime transformation in Sentinel

yes, thats exactly I wanted. Thank you so much for your help.

1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by securityxpert1122 (Copper Contributor)
securityxpert1122

‎Jul 28 2023 06:01 AM - edited ‎Jul 28 2023 06:02 AM

‎Jul 28 2023 06:01 AM - edited ‎Jul 28 2023 06:02 AM

Solution

Re: Runtime transformation in Sentinel

yes, thats exactly I wanted. Thank you so much for your help.

View solution in original post

1 Like
Reply